
Re: bridge changes traffic interface for pf, but not for tcpdump



I believe that I've responded back to you previously, but it appears that you are still having problems with it. Maybe I got your requirements wrong before.

I've only seen what you are attempting to do configured as a separate "Management Network", but I'm assuming that you may want to ssh or connect to the firewall remotely for management, in which case adding a different interface to the firewall is the most secure method. If this isn't what you are trying to do, then here are my thoughts on how this could be done, although I warn you that I have never attempted to do this.

Your firewall interfaces are running at layer 2 and won't be addressable by their IP Addresses because the bridge will try and pass them to the other side. You need to be able to get to something listening at Layer 3, so you are going to have to set up a local IP Address that the firewall knows about and that can be accessed. I would try configuring a loopback interface (lo0) on the firewall with whatever IP Address you want to use (ex: 10.10.10.1). OpenBSD might not allow this; you'll have to see. Then you will have to build rules around this address to allow whatever ports/services you want to get to it via lo0. If this doesn't work, try adding the route yourself to the firewall and see if that does it. If none of this works, I have no idea how to do it as I have never seen an example of this done previously myself.

Good luck,
Sonyfreek
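
The reply's idea written out as a pf.conf fragment, added here as an illustration and not something either poster ran; the interface names le0/le2 come from the original post, the 10.10.10.1 loopback alias from the reply, and the admin network 192.168.1.0/24 is a constructed placeholder.

```pf
# Added example (not from either poster). Assumes le0 and le2 are the bridge
# members and 10.10.10.1 has been added as an alias on lo0, as suggested above.
# Whether OpenBSD answers on that alias for bridged traffic is the open question
# in the thread; the rules themselves are ordinary pf syntax.
ext_if   = "le0"
int_if   = "le2"
mgmt_ip  = "10.10.10.1"
mgmt_net = "192.168.1.0/24"     # constructed: hosts allowed to manage the box

set skip on lo0                  # do not filter the loopback interface itself

block log all                    # default deny; blocked packets go to pflog0

# Management access: only ssh, only from the admin net, only to the
# management address. Both members are listed because, as the original
# post reports, pf may attribute the packet to the other interface while
# the bridge is up.
pass in on { $ext_if $int_if } proto tcp \
    from $mgmt_net to $mgmt_ip port ssh keep state

# Traffic crossing the bridge between the two sides (existing policy goes here)
pass in  on $int_if from $mgmt_net to any keep state
pass out on $ext_if keep state
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `tcpdump -n -e -ttt -i pflog0` shows, for each logged packet, which interface and direction pf attributed it to, which is the discrepancy the original post describes.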

----Original Message Follows----
From: Jim Fron <j-fron_(_dot_)_q_(_dot_)_public_(_at_)_comcast_(_dot_)_net>
To: misc_(_at_)_openbsd_(_dot_)_org, sparc_(_at_)_openbsd_(_dot_)_org
Subject: bridge changes traffic interface for pf, but not for tcpdump
Date: Thu, 24 Feb 2005 20:36:18 -0500


Okay, here's the deal: when I bridge two interfaces, one of which has an IP address, traffic from nodes on one side to the other passes through pf just fine, all rules matching properly. Traffic TO the OpenBSD system itself hits pf rules for "in" on "le2," and "out" on "le0" regardless of which physical interface the traffic actually appears on.

Perhaps I'm the only person who has ever experienced this, or else, I'm the only one who has cared. I can't find anything by googling, and I've either stumped -- or, more likely, bored -- anyone listening.

Thus, it's time for me to hit the source code myself. I've checked out -stable. I'm ready to go, I just don't know where to start. With bridge0 down, traffic matches rules for the proper interfaces, with bridge0 up, pf sees it on the wrong interfaces...

Is if_bridge.c the right place to start? Any other suggestions?


Much appreciated, JMF


