
Problems with bridging firewall



I have an issue where my bridging firewall no longer drops traffic.  Everything looks like it should be working but I can still access things I shouldn't.  I am wondering if my use case is no longer supported.

This system worked well for years.  When I updated from Debian 6 to Debian 7 (it was really the kernel updates) the bridge no longer passed traffic.  This is because I had no VLAN configurations, but the traffic crossing the bridge is VLANed.  Apparently the bridge used to just pass the traffic anyway.  My understanding is that the bridge now operates more like a switch, in that if it does not have an interface in that VLAN then it does not forward the traffic.  Logical to me.  So I reconfigured the bridge to use VLANs and it works well.  All traffic is VLANed (no untagged VLANs in use) and the traffic passes through and services work correctly.

The issue is that even with very specific firewall rules, the traffic is not dropped (or there is a duplicate flow), because I am able to access things that I should not be able to.  The firewall rules (with DROP target) are incrementing in conjunction with the traffic I generate, yet I can still access things.  I tried to change the target to different things, but they are not working either.  I tried changing the target to TRACE, but that did not generate any output - even though the counters for the rule incremented.  I make use of CLASSIFY, and that is not working, and I tried MARK instead and it doesn't work.

When the drop rule for my specific IP increments (only when I access a server) and I can still browse a webserver, then that tells me that either:

The traffic is not dropped even though iptables matched it to a drop rule.
Or the packet is dropped but there are multiple packets.  But I have not seen this in a packet capture.

So is a bridge with VLANs and iptables supported?  Under what circumstances would iptables match traffic to a DROP target but not drop the traffic?  Under what circumstances would the bridge circumvent iptables?


net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 1
net.bridge.bridge-nf-filter-pppoe-tagged = 0

When I turn off net.bridge.bridge-nf-call-iptables, the iptables rules no longer increment.  Turn them on and the rules increment again as expected.



bridge name	bridge id		STP enabled	interfaces
bra0		8000.001b21b18c10	yes		eth0.1
							eth1.1
bra100		8000.001b21b18c10	yes		eth0.100
							eth1.100
bra102		8000.001b21b18c10	yes		eth0.102
							eth1.102
brb0		8000.001b21b18c14	yes		eth2.1
							eth3.1
brb100		8000.001b21b18c14	yes		eth2.100
							eth3.100
brb102		8000.001b21b18c14	yes		eth2.102
							eth3.102


Thanks,
Andy
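
A small consistency check, added here and not part of Andy's mail, that reads brctl-show-style output (a constructed sample in the same layout as the table above, with one deliberately misconfigured bridge "brmix") and flags any bridge whose member ports carry different 802.1Q tags, since such a bridge forwards frames between VLANs whatever the per-VLAN rules say.

```shell
#!/bin/sh
# Constructed sample laid out like `brctl show` output: this is not a
# capture from the poster's system, and "brmix" is a deliberately
# misconfigured bridge whose ports carry two different 802.1Q tags.
BRCTL_SAMPLE='bridge name	bridge id		STP enabled	interfaces
bra0		8000.001b21b18c10	yes		eth0.1
							eth1.1
bra100		8000.001b21b18c10	yes		eth0.100
							eth1.100
brmix		8000.001b21b18c14	yes		eth2.100
							eth3.102'

# Read brctl-show-style text on stdin and print one line per bridge:
#   <bridge> <comma-separated VLAN ids of its ports> OK|MISMATCH
# MISMATCH means the bridge joins ports tagged with different VLAN ids,
# so frames entering on one VLAN leave on another (the .N sub-interface
# strips the tag on ingress and re-adds its own tag on egress).
bridge_vlan_check() {
    awk '
    NR == 1 { next }                         # column header line
    NF >= 4 { br = $1; order[++nb] = br }    # a row that names a bridge
    {
        port = $NF                           # last column is the port
        n = split(port, a, ".")              # ethX.N -> VLAN id N
        vid = (n > 1) ? a[n] : "untagged"
        if (index(vids[br], " " vid " ") == 0)
            vids[br] = vids[br] " " vid " "
    }
    END {
        for (i = 1; i <= nb; i++) {
            br = order[i]
            list = vids[br]
            gsub(/^ +| +$/, "", list)        # trim
            gsub(/ +/, ",", list)            # " 100  102 " -> "100,102"
            status = index(list, ",") ? "MISMATCH" : "OK"
            printf "%s %s %s\n", br, list, status
        }
    }'
}

# Usage: run against the constructed sample (or: brctl show | bridge_vlan_check).
printf '%s\n' "$BRCTL_SAMPLE" | bridge_vlan_check
```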

