Securing a contactable bridge using pf

rjon17469

Junior Member
Jul 27, 2007
Hey all,

I could use some help on a project that I'm working on.

I am looking to build a redundant bridging firewall that operates on multiple VLANs. So far I am using OpenBSD with PF and PFsync along with STP to handle the redundancy, and that part is going fine.

The problem comes in when I want to have the firewall(s) operate as DHCP and DNS servers on some VLANs. To provide these network functions, the firewall(s) need to have an IP address on the VLANs which require these services. The issue I am having is how to protect these IP addresses with PF.

So let's say I have a bridge, called bridge0, which is bridging em0 and em1. em0 is on the "private side" of the firewall, so I put an IP address on that interface to provide DHCP and DNS. However, that IP address is now reachable on the "public side" of the firewall, through em1. I have made PF rules to block packets coming in em1 to the IP address on em0, but they don't get hit. Rather, the packets appear, from PF's perspective, to be coming in on em0.

Is there any way around this?

Thank you for your time!

cmetz

Platinum Member
Nov 13, 2001
rjon17469, configure local IP addresses on the bridge device (bridge0 if memory serves), NOT on the individual interfaces. Similarly, tell ISC DHCPd to operate on the bridge device.

Be aware that ISC DHCPd uses BPF directly to receive from the network. I don't remember if this is the case on OpenBSD, but on many OSs, that means that ISC DHCPd bypasses firewall rules for its receiving of packets.