
Re: Interesting bridge/ipf problem



On Fri, Nov 03, 2000 at 11:36:10AM -0700, Wozz wrote:
> I've got several boxes running bridged IPF configs.  On the internal
> interface, I've assigned an IP for management purposes.  The problem I've
> run into in the past is how to filter access to that IP statefully.  When a
> packet goes out from the box, its source address is from the internal
> network (which is not natted btw).  The layer3 route on the box points to
> the internal interface, but it appears this is shortcutted by the bridge
> code, which immediately sends it out the outside interface.  The problem
> is, as there's no OUT rules with bridged IPF, where do I start collecting
> state information.  For TCP sessions, I can set state on incoming stuff on
> the outside interface, as long as I don't use flags S in the initial state
> keeping rule (obviously less than optimal, but at least it works).  For
> UDP, I can't keep outgoing state, I'd have to open up the box to all udp
> packets (in DNS's case) coming from port 53, which is obviously a bad
> thing.

I believe you are seeing a problem that was fixed post 2.7.  The problem
affects packets originated and sent to a machine acting as a bridge.
Output ipf is applied as normal for packets originated by the bridge, and
the packet will either be output only on the interface with the IP (in
which case there is no problem), or it will be sent to one or more other
interfaces (based on address cache lookup).  The headers will contain
the MAC address of the interface with the IP as the ethernet source address.

If the return packet does not enter the bridge on the same interface with
the IP, a stateful rule will not match in 2.7 because the interface
the packet was received on was not the one that sent the packet.  In current
(and 2.8), a lookup is done if the packet is for the bridge machine itself,
and the interface is switched to the one that has the matching ethernet
destination address.

Ok, so the "bridge acting as IP host" stuff is a bit funky...

--Jason Wright
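The mechanism Jason describes above, written out as a small model so the two behaviours can be compared. This is an added illustration, not ipf or OpenBSD bridge code: interface names, MAC addresses and IP addresses are constructed, and the state table is a flat array keyed on the 5-tuple plus the interface that created the entry, which is all the explanation needs. `bridge_local_ifidx` stands in for the post-2.7 lookup: if a frame's ethernet destination belongs to one of the bridge's own interfaces, the packet is filtered as though it arrived on that interface.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two bridge member interfaces; only IF_INT carries the management IP. */
enum { IF_INT = 0, IF_EXT = 1, NIFACES = 2 };

struct mac { uint8_t b[6]; };

struct iface {
    const char *name;
    struct mac mac;
    bool has_ip;
};

struct pkt {
    int ifidx;              /* interface the packet is being filtered on */
    struct mac ether_dst;   /* ethernet destination of the frame */
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint8_t proto;          /* 17 = UDP */
};

struct state_ent {
    bool used;
    struct pkt key;         /* the packet that created the state */
};

/* Constructed names and MAC addresses: illustration only. */
static const struct iface ifaces[NIFACES] = {
    { "xl0", {{0x00, 0x10, 0x00, 0x00, 0x00, 0x01}}, true  },
    { "xl1", {{0x00, 0x10, 0x00, 0x00, 0x00, 0x02}}, false },
};

#define MAXSTATE 16
static struct state_ent table[MAXSTATE];
static int nstate;

static void state_reset(void) { memset(table, 0, sizeof table); nstate = 0; }

/* Output ipf: record state keyed on the 5-tuple *and* the sending interface. */
static bool state_add(const struct pkt *p)
{
    if (nstate >= MAXSTATE) return false;
    table[nstate].used = true;
    table[nstate].key = *p;
    nstate++;
    return true;
}

/* Input ipf: the reply only matches on the interface that created the state. */
static bool state_match(const struct pkt *p)
{
    for (int i = 0; i < nstate; i++) {
        const struct pkt *k = &table[i].key;
        if (table[i].used && k->ifidx == p->ifidx && k->proto == p->proto &&
            k->src == p->dst && k->dst == p->src &&
            k->sport == p->dport && k->dport == p->sport)
            return true;
    }
    return false;
}

/* Post-2.7 fix-up (model): a frame addressed to a MAC owned by one of the
 * bridge's own interfaces is filtered as if received on that interface. */
int bridge_local_ifidx(const struct pkt *p)
{
    for (int i = 0; i < NIFACES; i++)
        if (memcmp(ifaces[i].mac.b, p->ether_dst.b, 6) == 0)
            return i;
    return p->ifidx;  /* transit traffic: interface left unchanged */
}

bool filter_reply(const struct pkt *reply, bool with_fixup)
{
    struct pkt q = *reply;
    if (with_fixup)
        q.ifidx = bridge_local_ifidx(reply);
    return state_match(&q);
}

/* Scenario from the thread: a DNS query originates on the bridge from the
 * management IP, output ipf sees it on the IP interface, the bridge code
 * forwards it out the external member, and the answer comes back in there. */
bool dns_reply_passes(bool with_fixup)
{
    const uint32_t mgmt_ip = 0xC0000210; /* 192.0.2.16, constructed */
    const uint32_t dns_ip  = 0xC6336435; /* 198.51.100.53, constructed */
    state_reset();

    struct pkt query = { IF_INT, {{0x00, 0x20, 0x00, 0x00, 0x00, 0xAA}},
                         mgmt_ip, dns_ip, 1025, 53, 17 };
    state_add(&query);

    struct pkt reply = { IF_EXT, {{0}}, dns_ip, mgmt_ip, 53, 1025, 17 };
    reply.ether_dst = ifaces[IF_INT].mac;   /* addressed to the IP interface */
    return filter_reply(&reply, with_fixup);
}

int main(void)
{
    printf("2.7 behaviour: reply %s\n",
           dns_reply_passes(false) ? "matches state" : "dropped, wrong interface");
    printf("2.8 behaviour: reply %s\n",
           dns_reply_passes(true) ? "matches state" : "dropped");
    return 0;
}
```

The same model also shows why TCP state created from the outside interface "works" in the question: the state is then keyed on the interface the reply actually arrives on, at the cost of not anchoring state creation to the SYN.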