Interesting bridge/ipf problem
I've got several boxes running bridged IPF configs. On the internal interface, I've assigned an IP for management purposes. The problem I've run into in the past is how to filter access to that IP statefully. When a packet goes out from the box, its source address is from the internal network (which is not NATed, btw). The layer 3 route on the box points to the internal interface, but it appears this is short-circuited by the bridge code, which immediately sends it out the outside interface. The problem is, as there are no OUT rules with bridged IPF, where do I start collecting state information?

For TCP sessions, I can set state on incoming stuff on the outside interface, as long as I don't use flags S in the initial state-keeping rule (obviously less than optimal, but at least it works). For UDP, I can't keep outgoing state; I'd have to open up the box to all UDP packets (in DNS's case) coming from port 53, which is obviously a bad thing.

My question is, is there any way around this? Currently, I have to use a router on the external side to filter all traffic to the firewall box, which is not the preferred solution, as the filtering options are limited by IOS ACLs (yes, I could use CBAC, but I don't have the router muscle for that). Any ideas? Is there any chance of outbound IPF rules being made to work on bridges? Thanks!
\w0zz
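The two inbound-only rule shapes the post describes, written out in ipf.conf syntax as an added illustration; this is not the poster's ruleset and not taken from IPF documentation. The interface names (fxp0 outside, fxp1 inside) and the management address 192.0.2.10 are assumptions, and the rules that pass transit traffic across the bridge are left out.

```conf
# Added illustration of the situation in the post, not the poster's own ruleset.
# Assumptions: fxp0 = outside interface, fxp1 = inside interface carrying the
# management IP, 192.0.2.10 = that management IP (constructed placeholder).
#
# Bridged IPF evaluates "in" rules only, so nothing below ever sees a packet
# the box itself sends; state can only be created from packets that arrive
# on the outside interface.

# Default deny for anything arriving on fxp0 that is addressed to the
# management IP (transit rules for the bridged networks are out of scope).
block in log quick on fxp0 from any to 192.0.2.10

# The TCP workaround from the post. For a session the box opens outbound
# (DNS over TCP here), the SYN leaves via the bridge unseen, so the first
# packet this rule can match is the returning SYN/ACK. Leaving out "flags S"
# lets ipf create the state entry from that packet. The cost: any inbound TCP
# segment from source port 53 to the management IP also matches and creates
# state, not just genuine replies.
pass in quick on fxp0 proto tcp from any port = 53 to 192.0.2.10 keep state

# Tighter form that does NOT work for box-initiated sessions: "flags S" only
# matches an initial SYN, which never arrives on fxp0 for those sessions.
# pass in quick on fxp0 proto tcp from any port = 53 to 192.0.2.10 flags S keep state

# UDP has no reply packet that can stand in for the handshake, so the only
# way to let DNS answers reach the box is a stateless hole for every UDP
# packet sourced from port 53, which is the exposure the post objects to.
# Left disabled here on purpose.
# pass in quick on fxp0 proto udp from any port = 53 to 192.0.2.10
```

Load order matters in ipf: with `quick`, the first matching rule wins, so the specific `pass` rules must come after the scoped `block` only in the sense that they are evaluated first by virtue of `quick`; with `quick` on every rule, put the narrowest rules last only if you drop `quick` and rely on last-match semantics instead.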