[PF] antispoofing doesn't work properly on bridged interface

If I enable antispoofing on a bridged interface in PF, it blocks traffic from the interfaces which are included in that bridge.

# uname -imor
Code:
FreeBSD 10.0-RELEASE-p9 amd64 GENERIC
rc.conf:
Code:
ifconfig_bridge0="inet 192.168.0.1/24 addm igb1 addm wlan0 addm wlan1 up"
pf.conf:
Code:
int_if="bridge0"
antispoof log for $int_if label "antispoof int"
# pfctl -evvv -f /etc/pf.conf
Code:
@7 block drop in log quick on ! bridge0 inet from 192.168.0.0/24 to any label "antispoof int"
# tcpdump -n -e -ttt -r /var/log/pflog
Code:
00:00:00.000130 rule 7..16777216/0(match): block in on igb1: 192.168.0.12.17500 > 255.255.255.255.17500: UDP, length 124
00:00:00.000040 rule 7..16777216/0(match): block in on igb1: 192.168.0.12.17500 > 192.168.0.255.17500: UDP, length 124
00:00:00.000084 rule 7..16777216/0(match): block in on wlan0: 192.168.0.19.5353 > 224.0.0.251.5353: 0*- [0q] 6/0/0[|domain]
00:00:03.040507 rule 7..16777216/0(match): block in on wlan0: 192.168.0.19.1900 > 239.255.255.250.1900: UDP, length 283
I consider it a bug.
 
Re: [PF] antispoofing doesn't work properly on bridged inter

I would call it a feature because with bridging you are extending two physical LANs into one bigger logical one by binding together two different physical interfaces (or in some cases even virtual interfaces like VLANs but that's very advanced already). There's no way to avoid the situation where traffic comes in the "wrong way" to an interface because both sides of the bridge are in the same subnet.
 
Re: [PF] antispoofing doesn't work properly on bridged inter

kpa said:
There's no way to avoid the situation where traffic comes in the "wrong way" to an interface because both sides of the bridge are in the same subnet.
Do we have scenarios which require such a feature for bridges?
 
Re: [PF] antispoofing doesn't work properly on bridged inter

arabesc said:
kpa said:
There's no way to avoid the situation where traffic comes in the "wrong way" to an interface because both sides of the bridge are in the same subnet.
Do we have scenarios which require such a feature for bridges?

What do you mean? The definition of a bridge is that both sides of the bridge are in the same broadcast domain (think arp(8) here). In terms of IP addresses it means both sides use the same addressing scheme, let's say 192.168.1.0/24.
 
Re: [PF] antispoofing doesn't work properly on bridged inter

By default packet filter hooks are running for both the bridge and physical interfaces. See below.

sysctl -d -a | grep pfil
Code:
net.link.bridge.pfil_onlyip: Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge: Packet filter on the bridge interface
net.link.bridge.pfil_member: Packet filter on the member interface
net.link.bridge.pfil_local_phys: Packet filter on the physical interface for locally destined packets
sysctl -a | grep pfil
Code:
net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_local_phys: 0
Either fix your firewall rules to account for both the physical and logical interfaces or turn off filtering on member interfaces of a bridge.
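As an added example (not code from the thread), a small POSIX shell helper that triages pflog output of the kind shown above: it separates antispoof blocks that hit a bridge member (the expected side effect of net.link.bridge.pfil_member=1) from blocks where a bridge-subnet source arrived on a non-member interface, which is what antispoof is actually meant to catch. It assumes the member list igb1 wlan0 wlan1 and the 192.168.0.0/24 subnet from this thread; the log lines are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output (not a real capture).
PFLOG_SAMPLE='00:00:00.000130 rule 7..16777216/0(match): block in on igb1: 192.168.0.12.17500 > 255.255.255.255.17500: UDP, length 124
00:00:00.000084 rule 7..16777216/0(match): block in on wlan0: 192.168.0.19.5353 > 224.0.0.251.5353: 0*- [0q] 6/0/0[|domain]
00:00:01.000000 rule 7..16777216/0(match): block in on igb0: 192.168.0.77.443 > 192.168.0.5.51000: Flags [S], length 0'

# Assumed bridge membership (what `ifconfig bridge0` would list) and the bridge subnet prefix.
BRIDGE_MEMBERS="igb1 wlan0 wlan1"
BRIDGE_NET="192.168.0."

# classify_pflog LOGTEXT MEMBERS PREFIX
# Prints one line per "block in" entry whose source is inside PREFIX:
#   "member <if> <src>"  packet hit a bridge member: noise from the antispoof rule
#                        when the pfil hooks also run on member interfaces
#   "spoof <if> <src>"   bridge-subnet source arrived on a non-member: real antispoof hit
classify_pflog() {
    printf '%s\n' "$1" | awk -v members="$2" -v net="$3" '
        BEGIN { n = split(members, m, " "); for (i = 1; i <= n; i++) ismember[m[i]] = 1 }
        /block in on/ {
            # the field after "on" is "igb1:"; the next one is "src.port"
            for (i = 1; i <= NF; i++) if ($i == "on") { ifn = $(i + 1); src = $(i + 2); break }
            sub(/:$/, "", ifn)          # strip trailing colon from the interface name
            sub(/\.[0-9]+$/, "", src)   # drop the port from a.b.c.d.port
            if (index(src, net) != 1) next   # only sources in the bridge subnet matter
            kind = (ifn in ismember) ? "member" : "spoof"
            print kind, ifn, src
        }'
}

# count_spoof LOGTEXT MEMBERS PREFIX: number of entries not explained by bridge membership
count_spoof() {
    classify_pflog "$1" "$2" "$3" | grep -c '^spoof ' || true
}

classify_pflog "$PFLOG_SAMPLE" "$BRIDGE_MEMBERS" "$BRIDGE_NET"
echo "unexplained antispoof hits: $(count_spoof "$PFLOG_SAMPLE" "$BRIDGE_MEMBERS" "$BRIDGE_NET")"
```

On a live system replace PFLOG_SAMPLE with the real tcpdump output and BRIDGE_MEMBERS with the members shown by ifconfig; entries tagged "member" are the ones that disappear once filtering on member interfaces is turned off.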
 
Re: [PF] antispoofing doesn't work properly on bridged inter

kpa said:
The definition of a bridge is that both sides of the bridge are in the same broadcast domain (think arp(8) here).
And why shouldn't antispoofing work here? Why does PF use underlying interfaces instead of bridges in its decision? It could just check that the underlying interface is a part of the bridge and then skip the blocking rule.

kpa said:
What do you mean?
Are there any situations when we really need such behavior?
 
Re: [PF] antispoofing doesn't work properly on bridged inter

junovitch said:
turn off filtering on member interfaces of a bridge.
Thanks! This is exactly what I need.
 
Re: [PF] antispoofing doesn't work properly on bridged inter

arabesc said:
Thanks! This is exactly what I need.

Also I forgot to mention that pfil is a generic hook for packet filtering. This is not PF. All firewalls use those hooks and will use the behavior I described above regarding filtering on both the physical and logical interface by default.
 
Re: [PF] antispoofing doesn't work properly on bridged inter

I have set
Code:
sysctl net.link.bridge.pfil_member=0
and it helps actually. But the messages about the blocked traffic on the member interfaces from the 192.168.0.0/24 network continue to appear in the PF log. What could it be? The blocking rule is the same.
 
Re: [PF] antispoofing doesn't work properly on bridged inter


And why shouldn't antispoofing work here? Why does PF use underlying interfaces instead of the bridge in its decision?
It could just check that the underlying interface is a part of the bridge and then skip the blocking rule.


Are there any situations when we really need such behavior?

A switch is pretty much a multi-port bridge. Would you expect a switch to do layer 3 based filtering? A bridge is a layer 2 device. Any layer 3 features are a bonus, but they are not "normal". You may be able to get some layer 3 features with a "bridge", but you're technically kind of using it improperly, even though it may be more practical. FreeBSD is kind of in a strange hybrid situation where the firewall works with the bridge, possibly making some features a bit unclear.
 