Blocking non-IP traffic on an IPFW-Bridge

From: Stephan Eckner (stephan-freebsd-security@eckner.org)
Date: 11/20/02


Date: Wed, 20 Nov 2002 20:56:37 +0100
From: Stephan Eckner <stephan-freebsd-security@eckner.org>
To: freebsd-security@FreeBSD.org

Hi,

I recently set up a bridging firewall to protect some servers on my internal
net. The bridge is correctly blocking all IP traffic. Nevertheless, I find
some packets behind the firewall that seem to have passed the firewall:

tcpdump: listening on bge0
20:36:50.247555 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:52.251387 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:54.146709 12.00:02:55:9c:26:ce.453 > 12.ff:ff:ff:ff:ff:ff.453:ipx-rip-resp 1004/1.2 13/1.2 99/1.2 1003/2.3 5/2.3 6/2.3[|ipx 248]
20:36:54.246443 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:54.412285 CDP v2, ttl=180s DevID '17-3-[2731]' Addr (1): IPv4 10.0.12.243 PortID 'FastEthernet0/4' CAP 0x0a[|cdp]
20:36:56.246483 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:57.023039 12.00:01:e6:71:9c:33.452 > 12.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]
20:36:58.248710 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:37:00.247279 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15

This looks like non-IP traffic to me. As I'm seeing these packets on both
the external interface of the firewall and on the server behind the firewall,
they don't seem to be blocked by my "deny ip from any to any" rule.

Is there any way to block these packets from crossing the bridge?

Stephan

-- 
Stephan Eckner                                           http://www.eckner.org/
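An added example, not part of Stephan's post: a small Python audit that splits a capture like the one above into records (including archive lines where two records were joined together) and reports which frame families an ipfw "deny ip from any to any" rule could never match, here STP BPDUs, IPX and CDP. The CAPTURE constant is a copy of part of the post's tcpdump output; the function names, the family labels and the default-to-IP assumption are mine.

```python
import re
from collections import Counter

# Subset of the tcpdump output from the post, bge0 being the interface behind the bridge.
# The last line carries two records, as it does in the archived mail.
CAPTURE = """tcpdump: listening on bge0
20:36:50.247555 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15
20:36:54.146709 12.00:02:55:9c:26:ce.453 > 12.ff:ff:ff:ff:ff:ff.453:ipx-rip-resp 1004/1.2 13/1.2 99/1.2 1003/2.3 5/2.3 6/2.3[|ipx 248]
20:36:54.412285 CDP v2, ttl=180s DevID '17-3-[2731]' Addr (1): IPv4 10.0.12.243 PortID 'FastEthernet0/4' CAP 0x0a[|cdp]
20:36:56.246483 802.1d config 8000.00:08:e3:af:5a:00.8010 root 8000.00:04:c1:f2:fb:40 pathcost 4 age 1 max 20 hello 2 fdelay 15 20:36:57.023039 12.00:01:e6:71:9c:33.452 > 12.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]
"""

TIMESTAMP = r"\d{2}:\d{2}:\d{2}\.\d{6}"

def split_records(text):
    """One record per capture timestamp, even where two records sit on one line."""
    records = []
    for line in text.splitlines():
        for part in re.split(rf"(?={TIMESTAMP})", line):
            if re.match(TIMESTAMP, part):      # drops the "listening on" header
                records.append(part.strip())
    return records

def classify(record):
    """Frame family of a legacy tcpdump (3.x style) record, judged by its protocol tag."""
    fields = record.split(" ", 1)
    body = fields[1] if len(fields) > 1 else ""
    if body.startswith("802.1d"):
        return "STP"    # bridge BPDU: LLC frame, carries no IP header at all
    if body.startswith("CDP"):
        return "CDP"    # Cisco Discovery Protocol, SNAP encapsulated
    if ":ipx-" in body:
        return "IPX"    # net.host.socket > net.host.socket:ipx-... form
    if body.startswith("arp "):
        return "ARP"    # not IP either, but a bridge must still let it through
    return "IP"         # assumption: anything else here is IP (src > dst form)

def audit(text):
    """Return (count per family, records that an ipfw 'ip' rule could never match)."""
    records = split_records(text)
    counts = Counter(classify(r) for r in records)
    unfiltered = [r for r in records if classify(r) != "IP"]
    return counts, unfiltered

if __name__ == "__main__":
    counts, unfiltered = audit(CAPTURE)
    print(dict(counts))                      # {'STP': 2, 'IPX': 2, 'CDP': 1}
    for r in unfiltered:
        print("not covered by 'deny ip':", r[:60])
```

Every record this reports is one that a rule written with the ip keyword never inspects; ARP lands in the same class, so a blanket non-IP block on a bridge still has to pass it explicitly.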

