
Re: Quick bridging question
At 04:24 PM 03/01/2001, Jason Wright wrote:
>On Thu, Mar 01, 2001 at 02:56:44PM -0600, Claus wrote:
> > Thanks Jason that help a lot.
> >
> > Now I'm wondering what happens if I ssh to the internal interface (A) from
> > my interface, does that leak to the internet.  And what about when I ssh
> > from the internet to my internal interface (A), does that leak to the
> > local lan?
> >
>No.  This was a bit of a trick to make it work, but the bridge code
>examines incoming frames and those that have a destination address
>that is multicast, broadcast, or matches the MAC address of one of
>the bridge members, it will be passed down to the IP stack of the
>bridge machine and treated as if the bridge was not there.  (Multicast
>and broadcast destination packets will -also- be forwarded to all
>interfaces by the bridge code).  Bottom line, there is no leakage
>from one side to the other when you are talking IP to the bridge
>machine itself.

Aha, now I understand how things work.  This definitely makes my life a lot 
easier. From all the things that you know you must have written the bridge 
part.  A quick glance in the man pages confirms this.

> > I'm wondering about this because I found out that ipf.rules such as "block
> > in quick on B from any to any" doesn't have any effect since the
> > connections to the internal interface's IP number appear as if they came
> > from the internal interface instead of the external one.
>
>You're seeing the vestiges of a trick in the bridge.  Say you receive a
>packet on (A) with the destination MAC address of (B), the bridge will,
>after finding the destination MAC matches (B), make the packet appear
>to have come in on (B) for the IP stack's processing.  This trick allows
>several things to work with the bridge, and appears to generate least
>surprise behavior in many cases.
>
>--Jason L. Wright

The trick did cause me a problem since my ipf rules were blocking the
incoming connection on the external port, even for services such as SSH
that were listening on the internal interface of the firewall.  So it
kind of messes with the way ipf would normally work.  Maybe a note should
be put into the FAQ regarding this.

Again thanks for all the help.  Where should I send the donuts?
   Claus
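A small model of the ingress decision Jason describes above, and of why the "block in quick on B" rule Claus mentions never matches an SSH packet arriving from the internet for the internal interface. This is an added example, not code from the thread or from the OpenBSD bridge; the member names A (internal) and B (external) follow the thread, the MAC addresses are constructed, and the ipf rule is reduced to its interface match only.

```python
from dataclasses import dataclass

def is_multicast(mac: str) -> bool:
    # Group bit (LSB of the first octet) set => multicast, including broadcast.
    return int(mac.split(":")[0], 16) & 1 == 1

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    ingress: str   # bridge member the frame physically arrived on

# Constructed bridge: A = internal member, B = external member (hypothetical MACs).
MEMBERS = {"A": "00:00:5e:00:53:0a", "B": "00:00:5e:00:53:0b"}

def bridge_input(frame: Frame, members: dict) -> dict:
    """Ingress decision as described in the thread. Returns the interface the
    local IP stack believes the frame came in on (None if not delivered
    locally) and the members the bridge forwards it to."""
    others = [m for m in members if m != frame.ingress]
    if is_multicast(frame.dst_mac):
        # Delivered to the local stack on the receiving interface AND
        # forwarded to all other members.
        return {"local_on": frame.ingress, "forward_to": others}
    for name, mac in members.items():
        if mac == frame.dst_mac:
            # The "trick": a frame for a member's MAC is handed to the IP
            # stack as if it arrived on that member, wherever it came in.
            return {"local_on": name, "forward_to": []}
    # Unknown unicast: not for us, bridged onward (flooded here; the
    # learning table is not modelled).
    return {"local_on": None, "forward_to": others}

def blocked_by_rule(local_on, rule_iface: str) -> bool:
    """'block in quick on <rule_iface> from any to any' as the IP-level
    filter sees it: it matches only the interface the stack was told."""
    return local_on == rule_iface

def ssh_from_internet_to_A():
    # Constructed case from the thread: packet enters on external member B,
    # addressed to A's MAC (the IP stack's internal interface).
    f = Frame(dst_mac=MEMBERS["A"], src_mac="00:00:5e:00:53:ff", ingress="B")
    d = bridge_input(f, MEMBERS)
    # A rule on B does not match; only a rule on A would.
    return d, blocked_by_rule(d["local_on"], "B"), blocked_by_rule(d["local_on"], "A")
```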