Subject: Re: ipf + bridge interfaces
To: NetBSD current-users mailing list <current-users@netbsd.org>
From: Julian Coleman <jdc@coris.org.uk>
List: current-users
Date: 03/31/2005 12:46:54
> I have created the bridge using:
> 
> 	ifconfig bridge0 create
> 	brconfig bridge0 ipf add vlan12 add fxp1
> 
> (which, btw, does NOT work in /etc/ifconfig.bridge0, since vlan12 does not yet 
> exist...  But that's another issue)

Someone else mentioned this.  I had a quick look through the rc.d/network
script and noticed $net_interfaces.  Setting this in rc.conf looks like it
will work (man rc.conf mentions this too), so you could try:

  net_interfaces="fxp0 fxp1 vlan12 bridge0"

Not sure if you need others too - you'll need your full interface list here.
 
> If I look at brconfig, I am told that ipf is enabled.  However, nothing is 
> actually filtered!  I have "block in on fxp1 all" and packets come right 
> through.
> 
> Interestingly enough, the ipf "blocked packet" count seems to increase, but I 
> can telnet to any port on the bridge machine, or anything behind it, from 
> anywhere outside my network.
> 
> So, is anyone else doing ipf filtering on bridge devices?

Yes.  I have a similar setup.  I have 81.2.110.32/27 routed over my DSL line
and use a Sparc with bridge + ipf to do exactly what you're trying to do here.
I have:

  le0	wired network
  qe0	DSL router
  qe1	wireless link

My ifconfig.bridge0 contains:

  create
  !brconfig $int add qe0 add qe1 add le0 ipf up

and packets get blocked or passed according to my ipf rules.

Can you try adding logging to your rule and see if anything is logged?  I
take it that you're using ipfstat to monitor the blocked packet count?

J

PS.  There is still one (other?) bug that I know of with bridge + ipf.  I'm
running 3_0_BETA from March 22nd and I see corrupted UDP checksums on DNS
replies.  There was a thread about this on tech-net in January (`UDP checksum
trouble in -current') - I'm going to try the patch out this weekend.

PPS.  I don't think many people run bridge + ipf - when I asked previously,
there was a resounding silence ;-)

-- 
  My other computer also runs NetBSD    /        Sailing at Newbiggin
        http://www.netbsd.org/        /   http://www.newbigginsailingclub.org/
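Worked example of the configuration the two messages above arrive at (added here; it is not code from either poster or from NetBSD). It assumes fxp0 carries VLAN tag 12 as vlan12 (the tag number is assumed, the thread only names the interface), fxp1 is the second bridge member and bridge0 is the bridge that runs ipf. The files are written to a scratch directory rather than /etc so the script runs on any machine; the one piece of logic worth testing is the ordering rule behind the rc.conf suggestion: rc.d/network configures interfaces in net_interfaces order, so each bridge member must precede bridge0 or the `brconfig ... add vlan12` in ifconfig.bridge0 runs before vlan12 exists.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: fxp0 carries VLAN tag 12
# as vlan12 (tag number assumed), fxp1 is the other bridge member, bridge0 is
# the bridge that runs ipf. Files go to a directory of your choice instead of
# /etc so the script can be run without touching a live system.

# rc.d/network configures interfaces in net_interfaces order, so every member
# of the bridge must be listed before the bridge itself. Returns 0 if so.
check_net_interfaces_order() {
    list=$1 bridge=$2
    shift 2
    for member in "$@"; do
        pos=0 member_pos=0 bridge_pos=0
        for ifn in $list; do
            pos=$((pos + 1))
            if [ "$ifn" = "$member" ]; then member_pos=$pos; fi
            if [ "$ifn" = "$bridge" ]; then bridge_pos=$pos; fi
        done
        # member missing, bridge missing, or member after bridge: bad order
        if [ "$member_pos" -eq 0 ] || [ "$bridge_pos" -eq 0 ] \
            || [ "$member_pos" -ge "$bridge_pos" ]; then
            return 1
        fi
    done
    return 0
}

# Write the configuration fragments into $1 (stand-ins for the /etc files).
write_bridge_config() {
    dir=$1
    mkdir -p "$dir"
    # rc.conf: enable ipf and fix the interface configuration order
    cat > "$dir/rc.conf" <<'EOF'
ipfilter=YES
net_interfaces="fxp0 fxp1 vlan12 bridge0"
EOF
    printf 'up\n' > "$dir/ifconfig.fxp0"
    printf 'up\n' > "$dir/ifconfig.fxp1"
    # ifconfig.vlan12: create the VLAN on fxp0 before bridge0 is configured
    cat > "$dir/ifconfig.vlan12" <<'EOF'
create
vlan 12 vlanif fxp0
up
EOF
    # ifconfig.bridge0: same form as in the thread; rc.d/network expands $int
    cat > "$dir/ifconfig.bridge0" <<'EOF'
create
!brconfig $int add vlan12 add fxp1 ipf up
EOF
    # ipf.conf: the rule from the thread with "log" added so hits show in ipmon
    cat > "$dir/ipf.conf" <<'EOF'
block in log on fxp1 all
EOF
}

# Read the net_interfaces value back out of an rc.conf fragment.
net_interfaces_from_rcconf() {
    sed -n 's/^net_interfaces="\(.*\)"$/\1/p' "$1"
}

# Stand-alone run: write the files to a scratch directory and verify the order.
# On the real box, "brconfig bridge0" shows whether ipf is set, "ipfstat" the
# blocked-packet counters, and "ipmon" the packets the log rule matched.
out=${BRIDGE_EXAMPLE_DIR:-$(mktemp -d)}
write_bridge_config "$out"
if check_net_interfaces_order "$(net_interfaces_from_rcconf "$out/rc.conf")" bridge0 vlan12 fxp1; then
    echo "net_interfaces order OK, config written to $out"
else
    echo "net_interfaces order wrong: bridge members must precede bridge0" >&2
fi
```

The checker rejects a list that omits vlan12 or puts bridge0 first, which is exactly the case in the quoted message where the `brconfig ... add vlan12` line in ifconfig.bridge0 failed. Adding `log` to the block rule costs nothing and lets ipmon confirm whether the rule is being hit at all, which separates "ipf is not attached to the bridge" from "the rule is attached but matching the wrong traffic".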