Tim Mullen
2010-Jan-15 22:09 UTC
[crossbow-discuss] Bridging firewall with snv_125 and ipfilter
Has anyone gotten a transparent firewall working? I'm using snv_125 on an IBM x346 (snv_130 goes into endless boot loops on this hardware). I can create a working bridge with dladm, but can't stop packets, even with "block in quick all". That stops packets on my management interface bge0, but not on the bridge. :(
tim at ghost:~# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.1.1.16 netmask ffffff00 broadcast 10.1.1.255
        ether 0:14:5e:23:4f:fd
bge1: flags=1000943<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
        ether 0:14:5e:23:4f:fc
bge2: flags=1000943<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,IPv4> mtu 1500 index 4
        inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
        ether 0:10:18:19:27:ea
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
tim at ghost:~# dladm show-bridge -l bridge
LINK  STATE       UPTIME  DESROOT
bge1  forwarding  80328   32768/0:14:5e:23:4f:fc
bge2  forwarding  78136   32768/0:14:5e:23:4f:fc
tim at ghost:~# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   disabled             disabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled
Routing services "route:default ripng:default"
Routing daemons:
STATE FMRI
online svc:/network/routing/ndp:default
disabled svc:/network/routing/ripng:default
disabled svc:/network/routing/route:default
disabled svc:/network/routing/rdisc:default
disabled svc:/network/routing/legacy-routing:ipv6
disabled svc:/network/routing/legacy-routing:ipv4
tim at ghost:~# svcs ipfilter bridge route
STATE     STIME     FMRI
disabled  18:43:07  svc:/network/routing/route:default
online    18:43:36  svc:/network/bridge:bridge
online    19:19:31  svc:/network/ipfilter:default
Am I missing something here?
--
This message posted from opensolaris.org
James Carlson
2010-Jan-15 22:15 UTC
[crossbow-discuss] Bridging firewall with snv_125 and ipfilter
Tim Mullen wrote:
> Has anyone gotten a transparent firewall working? I'm using snv_125 on an IBM x346 (snv_130
> goes into endless boot loops on this hardware). I can create a working bridge with dladm, but
> can't stop packets, even with "block in quick all". That stops packets on my management
> interface bge0, but not on the bridge. :(

Nit: there's no reason to plumb up bge1 or bge2 for IP. In this configuration, you're not using them. Bridging occurs way below IP.

> tim at ghost:~# dladm show-bridge -l bridge
> LINK  STATE       UPTIME  DESROOT
> bge1  forwarding  80328   32768/0:14:5e:23:4f:fc
> bge2  forwarding  78136   32768/0:14:5e:23:4f:fc

That part looks fine.

> Am I missing something here?

Has MAC-layer filtering been implemented yet? Bridging occurs at the MAC layer, not IP. Setting up IP Filter to forward between ports on a bridge would very likely have painful results.

-- 
James Carlson 42.703N 71.076W <carlsonj at workingcode.com>
Tim Mullen
2010-Jan-15 22:41 UTC
[crossbow-discuss] Bridging firewall with snv_125 and ipfilter
> Nit: there's no reason to plumb up bge1 or bge2 for IP. In this
> configuration, you're not using them. Bridging occurs way below IP.

Thanks. I unplumbed bge1 and bge2. Looks neater, at least. :) Still no joy, however.

> Has MAC-layer filtering been implemented yet?

How do I do that? I need to intercept IP.

> Bridging occurs at the MAC layer, not IP. Setting up IP Filter to
> forward between ports on a bridge would very likely have painful results.

I'd been following http://www.sci.sdsu.edu/People/Bill/ipf-howto.html#TOC_48
Is this not possible under opensolaris?
James Carlson
2010-Jan-16 15:54 UTC
[crossbow-discuss] Bridging firewall with snv_125 and ipfilter
Tim Mullen wrote:
>> Has MAC-layer filtering been implemented yet?
>
> How do I do that? I need to intercept IP.

No, you need to intercept raw MAC frames and then process the IP packets inside. The difference isn't too important administratively, but it's a crucial architectural difference.

The current IP Filter implementation works by establishing hooks in the IP stack. Bridging works with hooks in the MAC layer. The implication is that for bridging the packet is long gone by the time IP Filter ever sees it or could do anything about it.

Something like this:

        | socket |
        +---+----+
            |
        +---+----+
        |  UDP   |
        +---+----+
            |
        +---+----+     +-----------+
        |   IP   |<--->| IP Filter |
        +---+----+     +-----------+
            |
        +---+----+     +----------+
        |  MAC   |<--->| Bridging |
        +---+----+     +----------+
            |
        +---+----+
        | interf |

>> Bridging occurs at the MAC layer, not IP. Setting up IP Filter to
>> forward between ports on a bridge would very likely have painful results.
>
> I'd been following http://www.sci.sdsu.edu/People/Bill/ipf-howto.html#TOC_48
> Is this not possible under opensolaris?

Not yet. You need the work done on this project:

http://arc.opensolaris.org/caselog/PSARC/2008/249/

The basic idea is to put the same sort of hooks that are currently in IP down into the MAC layer. I don't know the current state of that work.

Things are different on BSD because it doesn't have a distinct MAC layer like OpenSolaris does. In the BSD world, interfaces are represented using what are nominally IP data structures. It's "all one thing."

-- 
James Carlson 42.703N 71.076W <carlsonj at workingcode.com>
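The layering argument in the reply above can be made concrete with a small model of the packet path. The following is an added illustration, not code from the thread or from OpenSolaris: a learning bridge that lives entirely at a modelled MAC layer, an IP Filter whose hook sits at the IP layer, and an optional MAC-layer hook that stands in for the kind of filtering the PSARC 2008/249 work would add. The class names, the port-to-MAC table (reusing the bge0/bge1/bge2 addresses from the ifconfig output), the rule tuples and the sample frames are all assumptions made for the model; the MAC hook is hypothetical and does not exist in snv_125.

```python
"""Toy model of the OpenSolaris packet path sketched in the thread.

Added illustration, not OpenSolaris code.  Names (Frame, IPFilter, Host,
run_model) and the sample traffic are assumptions made for the model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class IPFilter:
    """IP-layer hook.  Rules are (action, direction, predicate); first match
    decides, which is what 'quick' means in an ipf.conf rule."""

    def __init__(self, rules):
        self.rules = rules
        self.seen = []                       # every packet the IP hook was shown

    def allows(self, direction, frame):
        self.seen.append(frame)
        for action, rule_dir, match in self.rules:
            if rule_dir == direction and match(frame):
                return action == "pass"
        return True                          # no rule matched: default pass


class Host:
    def __init__(self, own_macs, bridge_ports, ipf, mac_hook=None):
        self.own_macs = own_macs             # port name -> MAC of that NIC
        self.bridge_ports = set(bridge_ports)
        self.fdb = {}                        # learned MAC -> port (bridge table)
        self.ipf = ipf
        self.mac_hook = mac_hook             # hypothetical MAC-layer filter hook
        self.forwarded = []                  # (frame, out_port) emitted by the bridge
        self.delivered = []                  # frames that reached IP and passed

    def receive(self, port, frame):
        # Hypothetical MAC-layer hook: it runs before bridging, so it is the
        # only place that sees transit traffic.  Not present in snv_125.
        if self.mac_hook is not None and not self.mac_hook(port, frame):
            return "dropped_at_mac"

        if port in self.bridge_ports:
            self.fdb[frame.src_mac] = port
            if frame.dst_mac != self.own_macs[port]:
                # Transit traffic is forwarded (or flooded) at the MAC layer.
                # It never climbs to IP, so the IP Filter hook never runs.
                known = self.fdb.get(frame.dst_mac)
                outs = [known] if known and known != port else \
                    sorted(self.bridge_ports - {port})
                for out in outs:
                    self.forwarded.append((frame, out))
                return "bridged"
        elif frame.dst_mac != self.own_macs[port]:
            return "ignored"                 # not ours and no bridge on this port

        # Frame addressed to this host: climbs to IP, where IP Filter hooks in.
        if not self.ipf.allows("in", frame):
            return "dropped_by_ipf"
        self.delivered.append(frame)
        return "delivered"


def run_model(with_mac_hook=False):
    """Replays the thread's situation: 'block in quick all' with bge1/bge2 bridged."""
    ipf = IPFilter([("block", "in", lambda f: True)])        # block in quick all
    mac_hook = (lambda port, f: port not in ("bge1", "bge2")) if with_mac_hook else None
    host = Host({"bge0": "0:14:5e:23:4f:fd",
                 "bge1": "0:14:5e:23:4f:fc",
                 "bge2": "0:10:18:19:27:ea"},
                ["bge1", "bge2"], ipf, mac_hook)
    # Constructed sample traffic: one frame to the management NIC, one in transit.
    mgmt = Frame("0:0:0:0:0:1", "0:14:5e:23:4f:fd", "10.1.1.5", "10.1.1.16")
    transit = Frame("0:0:0:0:0:2", "0:0:0:0:0:3", "192.0.2.10", "192.0.2.20")
    return {
        "mgmt": host.receive("bge0", mgmt),
        "transit": host.receive("bge1", transit),
        "ipf_saw_transit": transit in ipf.seen,
        "forwarded_to": [out for _, out in host.forwarded],
    }


if __name__ == "__main__":
    print(run_model())                    # transit is bridged; ipf never saw it
    print(run_model(with_mac_hook=True))  # transit dropped at the MAC hook
```

Without the MAC hook, the frame arriving on bge0 is blocked by the IP-layer rule while the transit frame on bge1 is flooded out bge2 and never appears in the filter's `seen` list, which is exactly the behaviour described in the original post. Supplying a MAC-layer hook is the only way, in this model, to drop the transit frame, which is the point of the PSARC case referenced above.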