freebsd security - Nov 2004 - FreeBSD bridge + filtering, BIG problem

Hi,

I'm afraid about having find a freebsd 5X security issue.

We have recently upgraded one gateway from 4.10 to 5.3... Following network
used:
 
[ISP]--xl1--[FW01]-----xl0--em0--[SR01]
                    |
                    |--fxp0--em0--[SR02]

On fw01, we have one jail.
 
So fw01 is configured as a bridge on xl1,xl0,fxp0. Services works (before
and after upgrade).
On 4.10, we used IPFilter as firewall and for network traffic accounting.
Since upgrade, INCOMING traffic accounting does not work anymore (OUTGOING
working fine)...

Thinking this can be a ipfilter issue, and because we are planning to change
for great OpenBSD pf, we have try to do accounting with pf... but same
behaviour occurs (tests have be done with big files).

From/to	inet	fw01	jail	sr01	sr02
Internet	-	ok	ok	KO	KO
Fw01		ok	-	ok	ok	ok
Jail		ok	ok	-	ok	ok
Sr01		KO*	ok	ok	-	KO
Sr02		KO*	ok	ok	KO	-

* with pf enabled, scp connexion going "stalled" very quickly (stop
between
100 and 300 Kb of traffic)


Worst thing, the "default rule" accounting (any to any) does not
report
"unreported" traffic... feels like rules are not processed. So I
deciding to
make another test with pf.

Adding "block in quick proto tcp from any to [jail_port] port smtp";
Testing: works fine.
But we the same rule with the sr01 as destination host, IT DOESN'T WORK:
from internet, fw01 or sr02, we can connect to the tcp port
!!!!!!!!!!!!!!!!! It's not pf related, because, same behaviour occurs with
IPF!!!!!!!!



Details
fw01: running FreeBSD 5.3, GENERIC kernel, with modules = acpi, ipl, bridge,
nullfs and pf.
Sr01: FreeBSD 5.2.1, custom kernel
Sr02: FreeBSD 5.3, GENERIC kernel

------------------------------------pf.conf
set loginterface fxp1

jail=**IP**
sr01=**IP**
sr02=**IP**

#block in quick proto tcp from any to $sr01 port smtp

pass quick from any to $jail keep state label 0
pass quick from $jail to any keep state label 1
pass quick from any to $sr02 keep state label 6
pass quick from $sr02 to any keep state label 7
pass quick from any to $sr01 keep state label 10
pass quick from $sr01 to any keep state label 11

pass all
------------------------------------


Seems to be bridge freebsd 5.3 support related... 
Can someone take a look at this? Thanks!


--
Cl?ment Moulin
SimpleRezo - Simplifiez-vous le r?seau !
T?l.: +33 871 763 102 - Web: http://www.simplerezo.com/

Pyun YongHyeon wrote:
>Both pf and ipf can't create *states* in bridge mode. That restriction
comes from bridge(4). Since pf/ipf couldn't create states it will drop the
packet when it thinks the packet is in out of TCP
window.
>
>If you want to use pf/ipf in bridge mode, don't use stateful inspection.
>One more note: filtering works only for inbound traffics in bridge mode.

If you're right, it SHOULD really be specified in bridge(4), but I'm not
very sure about this, since I see states with pfctl and no packets are
dropped in my case (except maybe in scp from internet to sr01) !

Finally, I have found the main problem. Both for ipf/pf, I have to set
sysctl "net.link.ether.bridge.ipf" to 1... That does'nt exists on
FreeBSD
4X. After that, incoming traffic is filtered (accounting works, blocking
rules too).
We REALLY need to specify this in FreeBSD handbook (sections 14.9 -
firewalls and 24.5.4 - bridging) and Migration Guide of 5X, since it could
be a big security hole.

My last problem is that scping from sr01 to internet that stalled after
144KB exactly (internet to sr01 works) ! This is a pf issue, since it occurs
only when pf is enabled.


--
Clement Moulin
SimpleRezo - Simplifiez-vous le reseau !
Web: http://www.simplerezo.com/