transparent firewall doesn't filter anything

transparent firewall doesn't filter anything

Joaquin Fernandez Piqueras
Hi,
I apologize for my English; it is not my native language.

I'm a new BSD user. I have been looking for information about my problem
on the internet (Google, manuals, ...) and I haven't found the solution. I
hope you can help me.

I'm installing a transparent (bridge) firewall with OpenBSD. The
machine has 4 network interfaces: 2 interfaces are copper
Intel/Pro1000MT and the other two are optical fiber Intel/Pro1000MF (one
is SX and the other is LX).
I want to use the fiber interfaces for the bridge firewall and the copper
interfaces for firewall administration.

The problem is that the bridge doesn't filter anything. I tried to put in
rules that block everything, but they only filter the administration
interfaces. The traffic still goes through the bridge.

I've installed OpenBSD 4.2, and it detects all 4 interfaces
(em0->fiber SX->internal network, em1->fiber LX->Internet, em2 and em3 are
the copper administration interfaces). These are my configuration files:

# more /etc/hostname.em0
up

# more /etc/hostname.em1
up

# more /etc/hostname.em3
inet aaa.bbb.ccc.ddd 255.255.255.128 NONE

# more /etc/bridgename.bridge0
add em0 add em1 up

# more /etc/mygate

At the moment I don't use em2. /etc/mygate is empty because the
administration connection uses a crossover cable.

These are my rules. If I remove the last rule, the administration
interface is blocked, but the traffic still goes through the bridge. Could
anybody tell me what I'm doing wrong?

# pfctl -s rules


block drop in all
block drop in quick on em0 all
block drop in quick on em1 all
block drop in quick on bridge0 all
block drop out quick on em0 all
block drop out quick on em1 all
block drop out quick on bridge0 all
pass in quick on em3 all flags S/SA keep state



This is the dmesg output:

# dmesg
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
     [hidden email]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.20GHz ("GenuineIntel" 686-class) 3.20 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
real mem  = 2146795520 (2047MB)
avail mem = 2068230144 (1972MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/22/05, BIOS32 rev. 0 @ 0xffe90, SMBIOS rev. 2.3 @ 0xf9920 (87 entries)
bios0: vendor Dell Computer Corporation version "A04" date 09/22/2005
bios0: Dell Computer Corporation PowerEdge 1850
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfb140/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801EB/ER LPC" rev 0x00)
pcibios0: PCI bus #9 is the last bus
bios0: ROM list: 0xc0000/0xb000! 0xcb000/0x1000 0xcc000/0x1000 0xcd000/0x2200 0xec000/0x4000!
acpi at mainbus0 not configured
ipmi0 at mainbus0: version 1.5 interface KCS iobase 0xca8/8 spacing 4
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7520 MCH" rev 0x09
ppb0 at pci0 dev 2 function 0 "Intel MCH PCIE" rev 0x09
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel IOP332 PCIE-PCIX" rev 0x06
pci2 at ppb1 bus 2
em0 at pci2 dev 12 function 0 "Intel PRO/1000MF (82545GM)" rev 0x04: irq 10, address 00:04:23:ad:55:77
ami0 at pci2 dev 14 function 0 "Dell PERC 4e/Di" rev 0x06: irq 7
ami0: Dell 16c, 32b, FW 521S, BIOS vH430, 256MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives
scsibus0 at ami0: 40 targets
sd0 at scsibus0 targ 0 lun 0: <AMI, Host drive #00, > SCSI2 0/direct fixed
sd0: 34680MB, 4421 cyl, 255 head, 63 sec, 512 bytes/sec, 71024640 sec total
scsibus1 at ami0: 16 targets
safte0 at scsibus1 targ 6 lun 0: <PE/PV, 1x2 SCSI BP, 1.0> SCSI2 3/processor fixed
ppb2 at pci1 dev 0 function 2 "Intel IOP332 PCIE-PCIX" rev 0x06
pci3 at ppb2 bus 3
em1 at pci3 dev 11 function 0 "Intel PRO/1000MF (82545GM)" rev 0x04: irq 3, address 00:04:23:c8:75:db
ppb3 at pci0 dev 4 function 0 "Intel MCH PCIE" rev 0x09
pci4 at ppb3 bus 4
ppb4 at pci0 dev 5 function 0 "Intel MCH PCIE" rev 0x09
pci5 at ppb4 bus 5
ppb5 at pci5 dev 0 function 0 "Intel PCIE-PCIE" rev 0x09
pci6 at ppb5 bus 6
em2 at pci6 dev 7 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 11, address 00:14:22:21:6a:22
ppb6 at pci5 dev 0 function 2 "Intel PCIE-PCIE" rev 0x09
pci7 at ppb6 bus 7
em3 at pci7 dev 8 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 3, address 00:14:22:21:6a:23
ppb7 at pci0 dev 6 function 0 "Intel MCH PCIE" rev 0x09
pci8 at ppb7 bus 8
uhci0 at pci0 dev 29 function 0 "Intel 82801EB/ER USB" rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 82801EB/ER USB" rev 0x02: irq 10
uhci2 at pci0 dev 29 function 2 "Intel 82801EB/ER USB" rev 0x02: irq 7
ehci0 at pci0 dev 29 function 7 "Intel 82801EB/ER USB2" rev 0x02: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb8 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xc2
pci9 at ppb8 bus 9
vga1 at pci9 dev 13 function 0 "ATI Radeon VE QY" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 "Intel 82801EB/ER LPC" rev 0x02: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801EB/ER IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: <TEAC, CD-ROM CD-224E-N, 3.AB> SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask efe5 netmask efed ttymask ffef
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
uhub4 at uhub0 port 3: Dell product 0xa001, rev 2.00/0.00, addr 2
dkcsum: sd0 matches BIOS drive 0x80
root on sd0a swap on sd0b dump on sd0b


Thanks,

Quimi

Re: transparent firewall doesn't filter anything

Benoit Garcia
On Thu, Apr 24, 2008 at 4:52 PM, Joaquin Fernandez Piqueras
<[hidden email]> wrote:

> Hi,
Hello,

> I'm installing a transparent (bridge) firewall with OpenBSD.  The
> machine has 4 network interfaces, 2 interfaces are copper
> intel/Pro1000MT and the other two are optical fiber Intel/Pro1000MF (one
>  is SX and the other is LX).
> I want to use the fiber interfaces for the bridge firewall and copper
> interfaces for firewall administration.
>
> The problem is that the bridge doesn't filter anything. I tried to put
> rules that block everything but only filter administration interfaces.
> The traffic still goes through the bridge.
[...]

> # pfctl -s rules
>
>
> block drop in all
> block drop in quick on em0 all
> block drop in quick on em1 all
> block drop in quick on bridge0 all
> block drop out quick on em0 all
> block drop out quick on em1 all
> block drop out quick on bridge0 all
> pass in quick on em3 all flags S/SA keep state

It seems you've skipped a part of the pf user's guide (
http://www.openbsd.org/faq/pf/index.html ):
"Filter rules are evaluated in sequential order, first to last. Unless
the packet matches a rule containing the quick keyword, the packet
will be evaluated against all filter rules before the final action is
taken. The last rule to match is the "winner" and will dictate what
action to take on the packet."

Reverse the order of your rules and it should work.

--
Regards,
Benoit.
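Added example, not part of the thread: a toy evaluator, in POSIX sh, for the ordering rule quoted above (the last matching rule wins, unless a matching rule carries quick, which ends evaluation on the spot). It understands only the rule syntax that appears in this thread, and it is my construction rather than pf itself. The two rulesets labelled original and reversed are the pfctl -s rules listings posted in the thread; the two demo rulesets, the scratch directory and the packet tuples are constructed for illustration.

```sh
# Added example (not from the thread): a toy evaluator for the pf(4)
# ordering rule quoted above. Last matching rule wins, unless a matching
# rule carries "quick", in which case evaluation stops there. It parses
# only the subset of syntax the thread uses:
#     [pass|block] [drop] [in|out] [quick] [on IFACE] ...
# and ignores the rest (all, flags, keep state). It is not pf.

# pf_eval RULES_FILE DIRECTION IFACE  ->  prints the action that wins
pf_eval() {
    rules=$1
    pdir=$2
    piface=$3
    winner=pass                    # pf passes when no rule matches
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # blank line or comment
        esac
        action=''; dir=''; quick=0; iface=''; want_if=0
        for tok in $line; do
            if [ "$want_if" -eq 1 ]; then
                iface=$tok; want_if=0; continue
            fi
            case $tok in
                pass|block) action=$tok ;;
                in|out)     dir=$tok ;;
                quick)      quick=1 ;;
                on)         want_if=1 ;;
            esac
        done
        # A rule matches if its direction matches and it either names no
        # interface or names the packet's interface.
        if [ -n "$dir" ] && [ "$dir" != "$pdir" ]; then
            continue
        fi
        if [ -n "$iface" ] && [ "$iface" != "$piface" ]; then
            continue
        fi
        winner=$action             # last match so far wins ...
        if [ "$quick" -eq 1 ]; then
            break                  # ... unless it is quick: stop here
        fi
    done < "$rules"
    printf '%s\n' "$winner"
}

# Rulesets written to a scratch directory. "original" and "reversed" are
# the two pfctl -s rules listings posted in the thread; the two "demo"
# files are constructed to show where ordering does and does not matter.
tmp=${TMPDIR:-/tmp}/pfeval.$$
mkdir -p "$tmp"
cat > "$tmp/original.rules" <<'EOF'
block drop in all
block drop in quick on em0 all
block drop in quick on em1 all
block drop in quick on bridge0 all
block drop out quick on em0 all
block drop out quick on em1 all
block drop out quick on bridge0 all
pass in quick on em3 all flags S/SA keep state
EOF
sed -n '1!G;h;$p' "$tmp/original.rules" > "$tmp/reversed.rules"   # same rules, last to first
cat > "$tmp/demo_lastmatch.rules" <<'EOF'
pass in on em0
block in all
EOF
cat > "$tmp/demo_quick.rules" <<'EOF'
pass in quick on em0
block in all
EOF

# compare_orderings DIRECTION IFACE -> "<original result> <reversed result>"
compare_orderings() {
    printf '%s %s\n' "$(pf_eval "$tmp/original.rules" "$1" "$2")" \
                     "$(pf_eval "$tmp/reversed.rules" "$1" "$2")"
}

compare_orderings in  em0          # block block
compare_orderings out bridge0      # block block
compare_orderings in  em3          # pass pass
pf_eval "$tmp/demo_lastmatch.rules" in em0   # block: "block in all" is the last match
pf_eval "$tmp/demo_quick.rules"     in em0   # pass:  the quick pass ends evaluation
```

For the ruleset posted in the thread the evaluator gives the same answer in both orders: every rule that can match a packet on em0, em1 or bridge0 carries quick, and the only non-quick rule is itself a block, so the order of the rules cannot be what lets frames across the bridge. The two constructed demo files show the case the quoted paragraph is about: without quick the later block wins over the earlier pass, and with quick on the pass it does not.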

Re: transparent firewall doesn't filter anything

Joaquin Fernandez Piqueras
Hi,

I have tried to reverse the order of the rules:

# pfctl -s rules

pass in quick on em3 all flags S/SA keep state
block drop out quick on bridge0 all
block drop out quick on em1 all
block drop out quick on em0 all
block drop in quick on bridge0 all
block drop in quick on em1 all
block drop in quick on em0 all
block drop in all

I got the same result; traffic goes through the bridge. Any other idea?

Joaquin


Benoit GARCIA wrote:

> On Thu, Apr 24, 2008 at 4:52 PM, Joaquin Fernandez Piqueras
> <[hidden email]> wrote:
>
>> Hi,
> Hello,
>
>> I'm installing a transparent (bridge) firewall with OpenBSD.  The
>> machine has 4 network interfaces, 2 interfaces are copper
>> intel/Pro1000MT and the other two are optical fiber Intel/Pro1000MF (one
>>  is SX and the other is LX).
>> I want to use the fiber interfaces for the bridge firewall and copper
>> interfaces for firewall administration.
>>
>> The problem is that the bridge doesn't filter anything. I tried to put
>> rules that block everything but only filter administration interfaces.
>> The traffic still goes through the bridge.
> [...]
>> # pfctl -s rules
>>
>>
>> block drop in all
>> block drop in quick on em0 all
>> block drop in quick on em1 all
>> block drop in quick on bridge0 all
>> block drop out quick on em0 all
>> block drop out quick on em1 all
>> block drop out quick on bridge0 all
>> pass in quick on em3 all flags S/SA keep state
>
> It seems you've skipped a part of the pf user's guide (
> http://www.openbsd.org/faq/pf/index.html ):
> "Filter rules are evaluated in sequential order, first to last. Unless
> the packet matches a rule containing the quick keyword, the packet
> will be evaluated against all filter rules before the final action is
> taken. The last rule to match is the "winner" and will dictate what
> action to take on the packet."
>
> Reverse the order of your rules and it should work.

Re: transparent firewall doesn't filter anything

Can Erkin Acar-4
In reply to this post by Joaquin Fernandez Piqueras
Joaquin Fernandez Piqueras wrote:
> The problem is that the bridge doesn't filter anything. I tried to put
> rules that block everything but only filter administration interfaces.
> The trafic still go through the bridge.

Are you perhaps using VLANs on the network you are bridging?
Are you bridging the ports marked as trunk on the switches?

If so, either do not use a trunk port on the switch
or define the respective VLANs on the firewall and use the vlan(4)
interfaces for bridging.

Also look at the "blocknonip" option of bridge(4).

Can

Re: transparent firewall doesn't filter anything

Raimo Niskanen-7
In reply to this post by Joaquin Fernandez Piqueras
On Fri, Apr 25, 2008 at 11:53:47AM +0200, Joaquin Fernandez Piqueras wrote:

> Hi,
>
> I have tried to reverse the order of the rules:
>
> # pfctl -s rules
>
> pass in quick on em3 all flags S/SA keep state
> block drop out quick on bridge0 all
> block drop out quick on em1 all
> block drop out quick on em0 all
> block drop in quick on bridge0 all
> block drop in quick on em1 all
> block drop in quick on em0 all
> block drop in all
>
> I got the same result; traffic goes through the bridge. Any other idea?
>
> Joaquin

Make it block all and work your way up from there.

Verify that pf(4) is actually enabled using
pfctl -s info and check for Status: Enabled...

The bridge(4) man page hints that you should only filter on one
interface, since otherwise the packets get processed
twice by pf(4).

Try to start with:

#set skip on em0
block all
pass in on em3 all flags S/SA keep state

which should block everything but em3.
Then set skip on em0, which should open em0.
Then insert filtering on em1 after block all.


>
>
> Benoit GARCIA wrote:
> >On Thu, Apr 24, 2008 at 4:52 PM, Joaquin Fernandez Piqueras
> ><[hidden email]> wrote:
> >
> >>Hi,
> >Hello,
> >
> >>I'm installing a transparent (bridge) firewall with OpenBSD.  The
> >>machine has 4 network interfaces, 2 interfaces are copper
> >>intel/Pro1000MT and the other two are optical fiber Intel/Pro1000MF (one
> >> is SX and the other is LX).
> >>I want to use the fiber interfaces for the bridge firewall and copper
> >>interfaces for firewall administration.
> >>
> >>The problem is that the bridge doesn't filter anything. I tried to put
> >>rules that block everything but only filter administration interfaces.
> >>The traffic still goes through the bridge.
> >[...]
> >># pfctl -s rules
> >>
> >>
> >>block drop in all
> >>block drop in quick on em0 all
> >>block drop in quick on em1 all
> >>block drop in quick on bridge0 all
> >>block drop out quick on em0 all
> >>block drop out quick on em1 all
> >>block drop out quick on bridge0 all
> >>pass in quick on em3 all flags S/SA keep state
> >
> >It seems you've skipped a part of the pf user's guide (
> >http://www.openbsd.org/faq/pf/index.html ):
> >"Filter rules are evaluated in sequential order, first to last. Unless
> >the packet matches a rule containing the quick keyword, the packet
> >will be evaluated against all filter rules before the final action is
> >taken. The last rule to match is the "winner" and will dictate what
> >action to take on the packet."
> >
> >Reverse the order of your rules and it should work.

--

/ Raimo Niskanen, Erlang/OTP, Ericsson AB

Re: transparent firewall doesn't filter anything [Solved]

Joaquin Fernandez Piqueras
In reply to this post by Can Erkin Acar-4
Can Erkin Acar wrote:
> Joaquin Fernandez Piqueras wrote:
>> The problem is that the bridge doesn't filter anything. I tried to put
>> rules that block everything but only filter administration interfaces.
>> The trafic still go through the bridge.
>
> Are you perhaps using VLANs on the network you are bridging?

Yes

> Are you bridging the ports marked as trunk on the switches?

Yes

>
> If so, either do not use a trunk port on the switch
> or define the respective VLANs on the firewall and use the vlan(4)
> interfaces for bridging.

My router encapsulates all traffic in a VLAN.

>
> Also look at the "blocknonip" option of bridge(4)

The "blocknonip" option also blocks OSPF traffic between the routers, and
then the router looks for a new route that does not cross the firewall.

>
> Can

Finally, you gave me the solution (thanks, Can).

I have created 2 VLANs, each associated with a different interface but
with the same VLAN tag. Next, I configured the bridge to use the VLANs,
and the firewall now filters perfectly.

Thanks again,

Quimi
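Added example, not part of the thread: the configuration that Can's suggestion and Quimi's closing message describe, written in the OpenBSD 4.2 file formats the thread already uses, with Raimo's advice to filter on one bridge member only folded into pf.conf. The VLAN tag (10), the vlan0/vlan1 names, the address ranges, the management host and the allowed services are assumptions chosen for illustration; the thread gives none of them. The reason the original setup passed everything is that bridge(4) in that release hands only IP packets to pf(4) and forwards anything else unfiltered, and an 802.1Q-tagged frame is not IP from the bridge's point of view; that is also why blocknonip dropped all of it, OSPF included. Bridging vlan(4) interfaces instead means the tag is stripped before pf sees the packet and put back on the way out, so the rules below act on ordinary IP traffic.

```conf
# more /etc/hostname.em0
up

# more /etc/hostname.em1
up

# more /etc/hostname.vlan0
vlan 10 vlandev em0 up

# more /etc/hostname.vlan1
vlan 10 vlandev em1 up

# more /etc/bridgename.bridge0
add vlan0 add vlan1 up

# more /etc/pf.conf
# Bridge members are vlan0 (inside, on em0) and vlan1 (Internet, on em1).
# Filter on the inside member only; the outside member is skipped so each
# frame is inspected once instead of twice.
int_if   = "vlan0"
ext_if   = "vlan1"
adm_if   = "em3"
admin    = "192.0.2.10"          # assumed management workstation
internal = "198.51.100.0/25"     # assumed prefix behind em0

set skip on { lo0 $ext_if }

block log all

# Management: ssh only, only from the admin host, only on the copper port.
pass in on $adm_if proto tcp from $admin to ($adm_if) port ssh flags S/SA keep state

# Bridged traffic is seen "in" on $int_if when it leaves the internal
# network and "out" on $int_if when it enters it.
pass in  on $int_if proto tcp from $internal to any port { 80, 443 } flags S/SA keep state
pass out on $int_if proto tcp from any to $internal port 22 flags S/SA keep state

# OSPF between the routers must cross the bridge; the thread notes that
# blocking it makes the router route around the firewall.
pass in  on $int_if proto ospf from $internal to any
pass out on $int_if proto ospf from any to $internal
```

After loading the rules (pfctl -f /etc/pf.conf), check pfctl -s info for Status: Enabled as Raimo suggests, brconfig bridge0 to confirm the members are vlan0 and vlan1 rather than em0 and em1, and pfctl -vs rules to watch the block and pass counters move while traffic crosses. tcpdump -e -n -i em1 shows the 802.1Q tag on the wire, while tcpdump -n -i vlan1 shows the same packets untagged, which is the form pf filters. Because em0 and em1 are no longer bridge members, a frame carrying any other VLAN tag has no vlan(4) interface to arrive on and is simply not forwarded: adding a VLAN to the trunk later requires a new vlan pair and rules for it, and until then the firewall fails closed rather than open. Newer OpenBSD releases spell the VLAN side as parent em0 vnetid 10 in hostname.vlan10 and configure the bridge from hostname.bridge0 with ifconfig syntax; the filtering logic is unchanged.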