FreeBSD bridge + filtering, BIG problem

From: Clément MOULIN (cmoulin_at_simplerezo.com)
Date: 12/01/04

  • Next message: Clément MOULIN: "RE: FreeBSD bridge + filtering, BIG problem"
    To: <freebsd-pf@freebsd.org>, <freebsd-questions@freebsd.org>, <freebsd-security@freebsd.org>
    Date: Wed, 1 Dec 2004 05:51:35 +0100
    
    

    Hi,

    I'm afraid I have found a FreeBSD 5.X security issue.

    We recently upgraded one gateway from 4.10 to 5.3... The following network
    is used:
     
    [ISP]--xl1--[FW01]-----xl0--em0--[SR01]
                        |
                        |--fxp0--em0--[SR02]

    On fw01, we have one jail.
     
    So fw01 is configured as a bridge on xl1, xl0 and fxp0. Services work (before
    and after the upgrade).
    On 4.10, we used IPFilter as the firewall and for network traffic accounting.
    Since the upgrade, INCOMING traffic accounting no longer works (OUTGOING
    works fine)...

    Thinking this could be an IPFilter issue, and because we are planning to
    switch to the great OpenBSD pf, we tried to do the accounting with pf... but
    the same behaviour occurs (tests were done with big files).

    From/to   inet  fw01  jail  sr01  sr02
    Internet  -     ok    ok    KO    KO
    Fw01      ok    -     ok    ok    ok
    Jail      ok    ok    -     ok    ok
    Sr01      KO*   ok    ok    -     KO
    Sr02      KO*   ok    ok    KO    -

    * with pf enabled, scp connections go "stalled" very quickly (stopping
    between 100 and 300 Kb of traffic)

    Worse, the "default rule" accounting (any to any) does not report the
    "unreported" traffic... it feels like the rules are not processed. So I
    decided to make another test with pf.

    Adding "block in quick proto tcp from any to [jail_port] port smtp";
    Testing: works fine.
    But with the same rule with sr01 as the destination host, IT DOESN'T WORK:
    from the internet, fw01 or sr02, we can connect to the TCP port!
    It's not pf related, because the same behaviour occurs with IPF!

    Details
    fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge,
    nullfs and pf.
    Sr01: FreeBSD 5.2.1, custom kernel
    Sr02: FreeBSD 5.3, GENERIC kernel

    ------------------------------------pf.conf
    set loginterface fxp1

    jail=**IP**
    sr01=**IP**
    sr02=**IP**

    # test rule from above: when uncommented it should stop SMTP to sr01
    #block in quick proto tcp from any to $sr01 port smtp

    # per-host accounting: one label per direction, read back with pfctl -sl
    pass quick from any to $jail keep state label 0
    pass quick from $jail to any keep state label 1
    pass quick from any to $sr02 keep state label 6
    pass quick from $sr02 to any keep state label 7
    pass quick from any to $sr01 keep state label 10
    pass quick from $sr01 to any keep state label 11

    pass all
    ------------------------------------

    Seems to be related to FreeBSD 5.3 bridge support...
    Can someone take a look at this? Thanks!

    --
    Clément Moulin
    SimpleRezo - Simplifiez-vous le réseau !
    Tél.: +33 871 763 102 - Web: http://www.simplerezo.com/
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
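
Added here as a diagnostic helper for the symptoms in the message above; it is example code written for this page, not anything posted by the author or shipped by the FreeBSD project. It checks the two things a practitioner would look at first. On FreeBSD 5.x the bridge(4) driver only hands bridged packets to the pfil(9) hooks, which is where both pf and IPFilter sit, when the sysctl net.link.ether.bridge.ipf is 1 (ipfw has its own knob, net.link.ether.bridge.ipfw); with it at 0 the bridge forwards frames without consulting the filter, so that is the first thing to rule out before suspecting pf or IPF. The second check reads the per-label counters that the labelled "pass ... keep state" rules produce. The script assumes the labels from the pf.conf above (0, 1, 6, 7, 10, 11), and the pfctl output it carries is constructed sample data, not captured from a real system.

```shell
#!/bin/sh
# Added diagnostic helper (example code for this page, not from the original
# post). Two checks for "pf/IPF on a 5.x bridge does not count or block
# bridged traffic":
#   1. is bridge(4) passing bridged packets through the pfil hooks at all?
#   2. what do the per-label pf counters actually say?

# (1) bridge(4) on FreeBSD 5.x runs bridged packets through the IPFilter/pf
# hooks only when net.link.ether.bridge.ipf is 1. Takes the text of
# `sysctl net.link.ether.bridge.ipf` as $1 so it can be exercised offline.
bridge_filter_enabled() {
    case "$1" in
        *'net.link.ether.bridge.ipf: 1'*) return 0 ;;
        *) return 1 ;;
    esac
}

# (2) Sum the byte counter for one label from `pfctl -sl` output on stdin.
# The first four columns (label, evaluations, packets, bytes) are stable
# across pf versions; newer pfctl appends per-direction columns after them,
# which this ignores. Summing copes with several rules sharing one label.
# The label to report is $1; an absent label yields 0.
sum_label_bytes() {
    awk -v want="$1" '$1 == want { total += $4 } END { printf "%d\n", total + 0 }'
}

# Constructed sample of `pfctl -sl` output (not captured from any system)
# using the labels from the pf.conf above. It mimics the reported symptom:
# label 11 (sr01 -> any) has counted traffic, label 10 (any -> sr01) has
# almost none, and labels 6/7 are missing entirely.
sample_pfctl_labels() {
    cat <<'EOF'
0 120 40 5000
1 118 38 4200
10 9 3 1500
11 2000 1200 1600000
EOF
}

# Live run on the gateway: `sh bridge-pf-check.sh --live` (hypothetical file
# name). Reads the real sysctl and the real counters.
if [ "${1-}" = "--live" ]; then
    if bridge_filter_enabled "$(sysctl net.link.ether.bridge.ipf 2>/dev/null)"; then
        echo "bridge -> pfil hooks: enabled"
    else
        echo "bridge -> pfil hooks: DISABLED (sysctl net.link.ether.bridge.ipf=1 to enable)"
    fi
    labels=$(pfctl -sl)
    for l in 0 1 6 7 10 11; do
        echo "label $l: $(printf '%s\n' "$labels" | sum_label_bytes "$l") bytes"
    done
fi
```

A label whose byte counter stays at zero while the matching reverse-direction label grows is the accounting-side symptom described in the table above; if the sysctl check reports the hooks disabled, pf and IPF never saw those packets, whatever the ruleset says.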
    
