
external interface of a bridge not filtering for itself



Last spring I installed BSD onto a computer.  Okay, so far.  Now I have 
installed BSD onto five computers.  One of them is an OpenBSD 3.8 bridge on an 
old i386.

The Packet Filter rules all seemed logical, until I made the firewall, i.e., 
the bridge.  Even though filtering is set to take place on the external 
interface, ports 13, 22, 37, and 113 appear in a portscan.  Why is this 
happening?

My ruleset is basic, about like:
# Macros and tables assumed here; the message did not show their definitions.
ext_if="xl0"                  # external side of the bridge (placeholder name)
int_if="xl1"                  # internal side of the bridge (placeholder name)
table <this> { 192.0.2.10 }   # the bridge's own address (placeholder)
table <dns> { 192.0.2.53 }    # upstream DNS server (placeholder)
table <ntp> { 192.0.2.123 }   # NTP server (placeholder)

set skip on { lo $int_if }
scrub in
block all
antispoof quick for { lo $int_if }
# "$eth_if" in the posted rules is read as the external interface, $ext_if
pass in log quick on $ext_if proto { tcp, udp } from <dns> to <this> keep state
pass in log quick on $ext_if inet proto udp from <ntp> to <this> port 123 keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

I am considering a change to rc.conf.local:
sshd_flags=NO
inetd=NO
Can I disable inetd?
sshd would be convenient to run, so that I can connect from the local 
network, but not if the port is visible from outside.  

Is this typical of bridges?  Cracked computer?  Bad rules?

Darrel

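As an added example (not part of Darrel's message), here is a complete pf.conf for an OpenBSD 3.8 bridge that keeps sshd running but makes port 22 reachable only from the LAN leg. It differs from the posted ruleset in one design point: the inside interface is not placed under "set skip", so it can carry a rule that restricts who may reach the bridge's own sshd. Interface names, the LAN prefix, the bridge's address and the DNS/NTP server addresses are placeholders. Ports 13, 37 and 113 seen in the scan are daytime, time and ident, services the stock OpenBSD inetd.conf enables; here they fall under the default block, and inetd=NO in rc.conf.local would stop them listening altogether.

```pf
# Added example, not from the original post.  OpenBSD 3.8 pf.conf for a
# two-legged bridge: the outside leg is filtered as in the posted rules,
# the inside leg is filtered too (no "set skip" on it) so that access to
# the bridge's own sshd can be limited to the LAN.  All names and
# addresses below are placeholders.
ext_if="xl0"                 # outside leg of the bridge
int_if="xl1"                 # inside leg of the bridge
lan_net="192.168.1.0/24"     # hosts allowed to ssh to the bridge
bridge_ip="192.168.1.2"      # the bridge's own management address

table <dns> { 192.0.2.53 }   # resolvers the bridge itself queries
table <ntp> { 192.0.2.123 }  # time servers the bridge itself queries

set skip on lo
scrub in

# Default deny on both legs.  Anything not matched by a quick rule below,
# including SYNs to 13, 22, 37 and 113 arriving from outside, is dropped
# and logged.
block log all

# Outside leg, traffic addressed to the bridge itself: only replies from the
# configured DNS and NTP servers.  No other port on the bridge is reachable
# from this side.
pass in quick on $ext_if inet proto { tcp, udp } from <dns> port 53 to $bridge_ip keep state
pass in quick on $ext_if inet proto udp from <ntp> port 123 to $bridge_ip port 123 keep state

# Inside leg, sshd: LAN hosts only.  A scan from the outside never reaches
# this rule, so port 22 stays closed there while sshd keeps running.
pass in quick on $int_if inet proto tcp from $lan_net to $bridge_ip port 22 flags S/SA keep state

# Bridged traffic from the LAN towards the outside.  States are floating
# (the pf default), so a state created on one leg also passes the same
# packet and its replies on the other leg.
pass in quick on $int_if inet from $lan_net to ! $bridge_ip keep state

# The bridge's own outbound queries, and anything not already covered by a
# state, leaving on the outside leg.
pass out quick on $ext_if inet proto tcp all modulate state flags S/SA
pass out quick on $ext_if inet proto { udp, icmp } all keep state

# Replies and the bridge's own traffic heading back onto the LAN.
pass out quick on $int_if inet all keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -sr prints the rules as pf loaded them. To see what is listening regardless of pf, run netstat -an -f inet | grep LISTEN on the bridge itself, then repeat the portscan once from each side of the bridge: with this ruleset a scan from the LAN side is expected to show 22, a scan from the outside leg should show nothing.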