
How to disable pf bridge filtering #281

Open
einsibjarni opened this issue Dec 19, 2023 · 3 comments

Comments

@einsibjarni

I have an ansible playbook that deploys hosts running nomad + pot + pot task driver.

The pots I deploy are using public-bridge dual stack. Pf is enabled and my current pf.conf is generated from a template in ansible, and it blocks everything not strictly allowed. As-is, it blocks traffic from jails on the bridge interface, and IPv6 rtsol/rtadv packets.

I can't disable bridge filtering in sysctl.conf, because there has to be a bridge created before I can apply the sysctl changes.

Anybody have experience with this? Should I disable filtering in a pot hook or create a dummy bridge at boot? Or should I leave filtering enabled and add the rules I need in a sensible way?

@grembo
Collaborator

grembo commented Dec 19, 2023

@einsibjarni you have various options.

  1. Personally, I would always prefer to use IP-based pf.conf rules (so not messing with bridge filtering settings)
  2. If you want to be able to tune bridge sysctls using /etc/sysctl.conf, it should be sufficient to load the bridge driver on boot through /etc/rc.conf (sysrc kld_list+=if_bridge)
  3. If you want to make better pf.conf rules (e.g., include "antispoof" based on the interface), you can pre-create pot's bridge in rc.conf. I only ever did this for IPv4 though, for which it would look something like:
     sysrc cloned_interfaces+="bridge0"
     sysrc ifconfig_bridge0="inet 10.192.0.1/10"

Replace the IP with what you're using as POT_GATEWAY.

For IPv6 the selection is done by finding if the external pot interface is part of it (so it's a bit more complex). I have no experience using it, but I would assume it's something like:

sysrc cloned_interfaces+="bridge0"
sysrc ifconfig_bridge0="addm em0"
sysrc ifconfig_bridge0_aliases="inet 10.192.0.1/10 inet6 ???"

em0 is POT_EXTIF in this case. Not sure which IPv6 address you would configure on the bridge (if any).

Note that this is all from the top of my head, so take it with a grain of salt ;)
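What options 2 and 1/3 above look like on disk, written here as an added example rather than grembo's or pot's own configuration: the rc.conf and sysctl.conf side that makes the bridge exist before the sysctls and pf are applied, and a pf.conf alternative that keeps filtering on and admits jail traffic and the IPv6 router solicitation/advertisement packets by address. em0 as POT_EXTIF, 10.192.0.0/10 as the pot network behind POT_GATEWAY, and pot not installing its own nat rule are assumptions.

```conf
# --- /etc/rc.conf (options 2 and 3): the bridge driver and pot's bridge are
# present at boot, so sysctl.conf and pf.conf can refer to them.
kld_list="if_bridge"                     # what `sysrc kld_list+=if_bridge` writes
cloned_interfaces="bridge0"              # pre-create pot's bridge
ifconfig_bridge0="inet 10.192.0.1/10"    # same address as POT_GATEWAY (assumed)

# --- /etc/sysctl.conf (the "disable bridge filtering" route). Per bridge(4),
# pfil_member filters on the member interfaces, pfil_bridge on the bridge
# interface itself; 0 switches the respective pf hook off for bridged frames.
# Only settable from here once if_bridge is loaded at boot (see kld_list).
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=0

# --- /etc/pf.conf (option 1, the alternative grembo prefers): filtering stays
# on, and the traffic the default-deny policy was dropping is allowed by IP.
ext_if  = "em0"               # POT_EXTIF (assumed)
pot_if  = "bridge0"
pot_net = "10.192.0.0/10"     # pot network behind POT_GATEWAY (assumed)

set skip on lo0
scrub in all

# NAT for the jails; drop this line if pot already installs its own nat rule
nat on $ext_if inet from $pot_net to any -> ($ext_if)

block log all                                # default deny, as in the question
antispoof quick for $pot_if inet             # needs bridge0 to exist when pf loads

# jail <-> gateway traffic on the bridge, matched by address, not by bridge port
pass quick on $pot_if inet from $pot_net to any
pass quick on $pot_if inet from any to $pot_net

# IPv6 neighbour discovery plus router solicitation/advertisement (the rtsol /
# rtadv packets from the question); everything else on inet6 stays blocked
pass quick on $pot_if inet6 proto icmp6 icmp6-type { routersol, routeradv, neighbrsol, neighbradv }

# host's own and NATed traffic leaving through the external interface
pass out quick on $ext_if
```

Whichever route is taken, `pfctl -nf /etc/pf.conf` checks the rule set without loading it, which is what catches a reference to a bridge that does not exist yet at boot.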

@einsibjarni
Author

@grembo did you have #282 ready to go? :)
It really helps in this situation, so we can pre-create the bridge interfaces and configure rules in pf beforehand

@grembo
Collaborator

grembo commented Dec 20, 2023

> @grembo did you have #282 ready to go? :) It really helps in this situation, so we can pre-create the bridge interfaces and configure rules in pf beforehand

No, but when I created the example for you I checked the code and was unhappy about how it's done.
