Hi all,

I have an OpenBSD box (4.2) with a bridge; a single VLAN passes through it. No problem here.
The bridge config is easy:

$ cat /etc/hostname.em1
up

$ cat /etc/hostname.em0
up

$ cat /etc/bridgename.bridge0
add em1
add em0
-learn em1
-learn em0
stp em1
stp em0
up

However, the problem comes when I try to enable PF. I don't know why, but I suspect it is a VLAN-related issue.
My /etc/pf.conf is simple:

# /etc/pf.conf for a transparent filtering bridge: em1 (external) and em0
# (internal) are the bridge members, em2 is the admin interface and em3
# carries pfsync (ifconfig shows pfsync0 syncdev em3).
#
# NOTE(review): the traffic crossing this bridge is VLAN-tagged. Whether pf
# sees tagged frames as IP on the physical member interfaces depends on the
# bridge(4)/pf(4) behaviour of this release -- confirm before relying on
# the rules below for tagged traffic; vlan(4) interfaces may be needed.

# 1. Macros
ext_if="em1"
int_if="em0"
# Both bridge members; "on $bridge" below expands to "on { em1 em0 }".
bridge="{" $ext_if $int_if "}"
admin_if="em2"
pfsync_if="em3"
# Placeholder -- the real filtered prefix goes here.
my_net="xxx.xxx.xxx.xxx/xx"

# 2. Tables
# File-backed tables; "persist" keeps a table loaded even while no rule
# references it.
table <unfiltered> persist file "/etc/pf_files/unfiltered.pf"
table <special> persist file "/etc/pf_files/special.pf"
table <restricted> persist file "/etc/pf_files/restricted.pf"
# Populated at runtime by the "overload" clauses of the keep-state rules
# below; they start empty.
table <ssh_brutes> persist
table <mysql_brutes> persist
table <http_brutes> persist
table <smtp_brutes> persist

# 3. Options
set skip on lo
# NOTE(review): em0 is a member of $bridge, so skipping it means the
# "on $bridge" rules below only ever match on em1. Filtering is then
# effectively inbound on em1 only -- confirm this is the intent.
set skip on em0
# Admin and pfsync interfaces are left unfiltered (per the macro names above).
set skip on em2
set skip on em3
set fingerprints "/etc/pf.os"
# Blocked packets are silently dropped rather than answered with RST/ICMP.
set block-policy drop
set optimization aggressive
set limit states 1000000
set limit src-nodes 50000
set limit frags 15000
# Only em1 feeds the pfctl -si counters.
set loginterface em1

# 4. Scrub traffic
# Normalize/reassemble everything inbound before the filter rules run.
scrub in all

# 5. QUEUEING
# Not used.
# 6. TRANSLATION
# Not used.

# 7. FILTER RULES

# DEFAULT POLICY
# Default deny inbound on the external member only (em0 is skipped above);
# no "quick", so the pass rules below override it.
block in on $ext_if

# antispoof
# Expands to blocking 127.0.0.0/8-sourced packets arriving on any interface
# other than lo; it is not affected by "set skip on lo".
antispoof quick for lo

# allow ping/tracert tools
# NOTE(review): this "quick" rule precedes the table blocks below, so hosts
# in <restricted> and the *_brutes tables can still send ICMP (ping/traceroute).
pass quick on $bridge inet proto icmp from any to any

# permit all outbound traffic
# Together with the default policy this makes the ruleset inbound-only.
pass out quick

# turning away the brutes
# Evaluated after the ICMP and outbound passes above because those are "quick".
block quick from <ssh_brutes>
block quick from <mysql_brutes>
block quick from <http_brutes>
block quick from <smtp_brutes>
block quick from <restricted>

# unfiltered boxes
# Destinations in <unfiltered> bypass every per-service rule below;
# allow-opts lets packets carrying IP options through.
pass quick on $bridge inet proto { tcp, udp, icmp } from any to <unfiltered> allow-opts

# allow access special cases
# Sources in <special> may reach any tcp/udp destination.
pass quick on $bridge inet proto { tcp, udp } from <special> to any allow-opts

# www with brute control method
# A source exceeding 900 concurrent connections or 125 new connections per
# second is added to <http_brutes> and all of its states are flushed.
pass quick on $bridge inet proto tcp from any to $my_net port { 80, 443 } keep state \
        (max-src-conn 900, max-src-conn-rate 125/1, \
        overload <http_brutes> flush global) allow-opts

# DNS
pass quick on $bridge inet proto { tcp, udp } from any to $my_net port 53

# smtp with brutes
# NOTE(review): 578 is not a standard mail port; 587 (submission) may have
# been intended -- confirm against the mail server configuration.
# Limits: 450 concurrent or 80 new connections/sec per source -> <smtp_brutes>.
pass quick on $bridge inet proto tcp from any to $my_net port { 25, 578} keep state \
         (max-src-conn 450, max-src-conn-rate 80/1, \
          overload <smtp_brutes> flush global)

# pop3, pop3s, imap4, imap4s
pass quick on $bridge inet proto tcp from any to $my_net port { 110, 143, 993, 995 }

# FTP passive
# Anchors whose rules are presumably filled in at runtime by ftpsesame --
# verify; they match nothing until populated.
anchor "ftpsesame/*" in on $bridge proto tcp from any to $my_net
anchor "ftpsesame/*" out on $bridge proto tcp from any to $my_net

# FTP active
anchor "ftpsesame/*" in on $bridge proto tcp from $my_net to any
anchor "ftpsesame/*" out on $bridge proto tcp from $my_net to any
# The only pass rule without "quick": last-match semantics apply, so a
# later matching rule could still override it.
pass in on $bridge inet proto tcp from any to $my_net port 21

# mysql with brutes control
# Limits: 25 concurrent or more than 10 new connections in 5 seconds
# per source -> <mysql_brutes>.
pass quick on $bridge inet proto tcp from any to $my_net port 3306 keep state \
        (max-src-conn 25, max-src-conn-rate 10/5, \
        overload <mysql_brutes> flush global)

# PostgreSQL
pass quick on $bridge inet proto tcp from any to $my_net port 5432

# SSH
# Limits: 20 concurrent or more than 3 new connections in 12 seconds
# per source -> <ssh_brutes>.
pass quick on $bridge inet proto tcp from any to $my_net port 22 keep state \
        (max-src-conn 20, max-src-conn-rate 3/12, \
        overload <ssh_brutes> flush global)

# ntp server public server es.pool.ntp.org
# Placeholder address -- the NTP server's real IP goes here.
pass quick on $bridge inet proto udp from any to xxx.xxx.xxx.xxx port 123

$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33168
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:4b:0f:4b
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::215:17ff:fe4b:f4b%em0 prefixlen 64 scopeid 0x1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:15:17:4b:0f:47
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::215:17ff:fe4b:f47%em1 prefixlen 64 scopeid 0x2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:48:8c:a1:12
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause)
        status: active
        inet 192.168.1.253 netmask 0xffff0000 broadcast 192.168.255.255
        inet6 fe80::230:48ff:fe8c:a112%em2 prefixlen 64 scopeid 0x3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:48:8c:a1:13
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        inet6 fe80::230:48ff:fe8c:a113%em3 prefixlen 64 scopeid 0x4
enc0: flags=0<> mtu 1536
pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: em3 syncpeer: 224.0.0.240 maxupd: 128
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33168
        groups: pflog
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge

--
Thanks,
Jordi Espasa Clofent
