Bridging again

Gergo Szakal bastyaelvtars at gmail.com
Mon Sep 25 17:19:33 PDT 2006


Argh, I tracked down the problem to pf itself.

With this ruleset it works:
------------------------------------------------------------------
int_if=sk0
ext_if=sk1
intnet={xxx.xxx.118.64/26,xxx.1xxx14.118.224/27}
tcp_opts="flags S/SA modulate state"
# Options: tune the behavior of pf, default values are given.
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 35000, frags 15000 }
set loginterface $ext_if
set optimization conservative
set block-policy return
set require-order yes
set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub all no-df random-id

# Filtering
pass in all
pass out all
------------------------------------------------------------------
Now if I replace the filtering part:
------------------------------------------------------------------
# Filtering
block in all
block out all
pass quick on {lo0,$int_if} all
pass out quick on $ext_if proto tcp from <intnet> to any $tcp_opts
pass out quick on $ext_if proto udp from <intnet> to any keep state
------------------------------------------------------------------
then I cannot SSH from a box sitting behind the bridge, while using the 
previous config I can. I thought this config was good. What can be the 
problem?
Oh, and something else: the direction of the state when SSHing from 
behind the bridge is IN!!! On my OpenBSD 3.8 box outbound states' 
directions are obviously Out, and obviously this ruleset is working fine 
on that OBSD bridge. I think this is connected with the problems I 
just described. Can anyone tell me what the cause of this paradoxical 
behaviour is?
Thanks in advance.
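An added check, not part of the original post: in the second ruleset `intnet` is introduced as a macro (`intnet={...}`), but both pass rules reference it as a table (`<intnet>`); pf.conf expands macros with `$name` and resolves `<name>` against a table. The script below is example code written here to lint a pf.conf for that kind of mismatch; the ruleset it scans is constructed to mirror the post, with documentation prefixes standing in for the redacted addresses.

```sh
# Added example, not from the original post: list names that the rules use as
# tables (<name>) but that the file only defines as macros (name=...) or not at
# all. pfctl -nf does not flag this; the rule loads against an empty table and
# then never matches anything.
pf_undefined_tables() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { # macro definition: name=value
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]*/, "", name)
            macro[name] = 1
        }
        /^[ \t]*table[ \t]+</ {                  # table definition: table <name> ...
            t = $0; sub(/^[ \t]*table[ \t]+</, "", t); sub(/>.*/, "", t)
            table[t] = 1; next
        }
        {                                        # any other <name> is a table reference
            line = $0
            while (match(line, /<[A-Za-z_][A-Za-z0-9_]*>/)) {
                used[substr(line, RSTART + 1, RLENGTH - 2)] = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END {
            for (r in used) if (!(r in table)) {
                hint = (r in macro) ? " (defined as a macro: use $" r " or add a table line)" : ""
                print r hint
            }
        }
    ' "$1"
}

# Constructed ruleset mirroring the post, with documentation prefixes in place of
# the redacted addresses: intnet is a macro, yet the rules reference <intnet>.
write_sample_pf_conf() {
    cat > "$1" <<'EOF'
int_if=sk0
ext_if=sk1
intnet={192.0.2.64/26,198.51.100.224/27}
tcp_opts="flags S/SA modulate state"
block in all
block out all
pass quick on {lo0,$int_if} all
pass out quick on $ext_if proto tcp from <intnet> to any $tcp_opts
pass out quick on $ext_if proto udp from <intnet> to any keep state
EOF
}

# Exit 0 when every referenced table is defined, 1 otherwise (findings on stderr).
lint_pf_conf() {
    out=$(pf_undefined_tables "$1"); [ -z "$out" ] && return 0
    printf '%s\n' "$out" >&2; return 1
}
```

Run it as `lint_pf_conf /etc/pf.conf` before `pfctl -f`; adding `table <intnet> { ... }` or switching the rules to `$intnet` makes the finding go away.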