Subject: Re: bridging firewall - status?
To: Hubert Feyrer <hubert@feyrer.de>
From: MLH <mlh@goathill.org>
List: tech-net
Date: 09/01/2004 11:53:47
> 
> On Mon, 16 Aug 2004, MLH wrote:
> > What's the status of implementing a transparent bridging firewall
> > on NetBSD 2.0? Last status I see is from Jan 03. The PF site says
> > PF has been ported but I don't see evidence of it.
> >
> > What should I be looking for?
> 
> IIRC IPfilter can operate on bridge-devices, from src/doc/CHANGES:
> 
>         bridge(4), brconfig(8): add ipf support.  [perseant 20030216]
> 
> I've never used it though.

While the bridge works, ipf doesn't appear to work properly.  As
soon as ipfilter is brought up, apparently most tcp ports are
blocked, regardless of the rules (even if there are no rules or
the rules open everything). icmp (traceroute, ping, etc.) are passed
unless the rules specifically prevent them.

So tcp ports (ssh, etc) are *always* blocked through the bridge as
long as ipf is running.

What am I missing here?

----------------------
NetBSD 2.0_BETA : Sun Aug 29

$  head ifconfig.fx* ifconfig.bridge0 
==> ifconfig.fxp0 <==
up

==> ifconfig.fxp1 <==
up

==> ifconfig.fxp2 <==
inet 66.254.28.67 netmask 255.255.255.248 media autoselect up

==> ifconfig.bridge0 <==
create
!brconfig $int add fxp0 add fxp1 ipf up

-----------------------

$ brconfig -a
bridge0: flags=41<UP,RUNNING>
        Configuration:
                priority 32768 hellotime 2 fwddelay 15 maxage 20
                ipfilter enabled flags 0x1
        Interfaces:
                fxp1 flags=3<LEARNING,DISCOVER>
                        port 3 priority 128
                fxp0 flags=3<LEARNING,DISCOVER>
                        port 1 priority 128

fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        capabilities=6<TCP4CSUM,UDP4CSUM>
        enabled=0
        address: xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 x::x:x:x:x%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (10baseT)
        status: active
        inet6 x::x:x:x:x%fxp1 prefixlen 64 scopeid 0x3
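For anyone trying to reproduce or narrow this down, here is the IPFilter side of the setup the post describes, written out as an added example; it is not part of the original thread and not taken from NetBSD's own documentation. It assumes the bridge is configured exactly as in the ifconfig.bridge0 file above (fxp0 and fxp1 as members, the ipf flag set) and that ipfilter is started from rc.conf. The interface names come from the post; the rule file path, the rules and the verification commands are assumptions.

```conf
# /etc/rc.conf (excerpt): start IPFilter at boot and have it load /etc/ipf.conf
ipfilter=YES

# /etc/ipf.conf: an "open everything" ruleset with logging added, so that
# ipmon shows what the filter actually decides for each packet.
# IPFilter rule order: the last matching rule wins unless a rule says "quick".
# Assumption: no "on <iface>" clause is given; with the ipf flag set on the
# bridge, the member interfaces fxp0/fxp1 are what the filter sees.
pass in  log quick all
pass out log quick all

# Load and verify (run as root; assumes standard NetBSD paths):
#   ipf -Fa -f /etc/ipf.conf   # flush all existing rules, then load this file
#   ipfstat -hio               # list inbound/outbound rules with hit counts
#   ipmon                      # print each logged packet with the rule it matched
# If TCP through the bridge still fails while ipmon shows every TCP packet
# matching the pass rules (and nothing blocked), the drop is not coming
# from the rule set itself, which narrows the problem to the bridge/ipf hook.
```

Because both rules are `quick` and log everything, the hit counts from `ipfstat -hio` should climb with every packet that crosses the bridge in each direction; a TCP connection attempt that neither increments the counters nor appears in `ipmon` never reached the rule set at all.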