Bug 19488

Summary: Bug in 4.0-STABLE (acting as a Bridging firewall)
Product: Base System
Reporter: ted <ted>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.0-RELEASE
Hardware: Any
OS: Any

Description ted 2000-06-24 15:10:01 UTC
FreeBSD 4.0-RELEASE upgrading to FreeBSD 4.0-STABLE (6-22)
        Firewall using Dummynet (problem still occurs even with no rules)
 
        Dell 550Mhz with 128MB RAM and 2 ethernet cards
                xl0: <3Com 3c905B-TX Fast Etherlink XL>
                xl1: <3Com 3c905B-TX Fast Etherlink XL>
 
Applicable Kernel config options:
 
        options         TCP_DROP_SYNFIN
        options         TCP_RESTRICT_RST
 
        options         IPFIREWALL
        options         IPFIREWALL_VERBOSE
        options         IPFIREWALL_DEFAULT_TO_ACCEPT
 
        options         IPSTEALTH
        options         BRIDGE
        options         DUMMYNET
 
        options         NMBCLUSTERS=16384

Startup options:

        bridging_enable="YES"
        bridging_fw_enable="YES"
        portmap_enable="NO"
        firewall_enable="YES"
        firewall_script="/usr/local/etc/firewall/rc.firewall"
        drop_synfin_enable="YES"

Excerpt from /etc/rc.network (I added some options):

        case ${drop_synfin_enable} in
        [Yy][Ee][Ss])
                echo -n ' DROP_SYNFIN=YES'
                sysctl -w net.inet.tcp.drop_synfin=1 >/dev/null
                ;;
        esac
 
        case ${bridging_enable} in
        [Yy][Ee][Ss])
                echo -n ' BRIDGING=YES'
                sysctl -w net.link.ether.bridge=1 >/dev/null
                ;;
        esac
 
        case ${bridging_fw_enable} in
        [Yy][Ee][Ss])
                echo -n ' BRIDGING_FW=YES'
                sysctl -w net.link.ether.bridge_ipfw=1 >/dev/null
                ;;
        esac

Following upgrade, Loss of reliable RIP updates via firewall from WAN
gateway to LAN routing switch.
 
WAN gateway RIP stats confirmed outgoing packets sent.
 
Sniffer connected via switch mirror ports on either side of firewall.
On WAN side of firewall, set to filter for WAN router IP address,
confirmed subnet broadcast packets (RIP packets) in transit.
 
Sniffer on LAN side of firewall confirmed very few of those getting
through.
 
Physically patched around firewall and normal operation returned.
 
Reverted to old kernel on firewall, put it back in line, and normal
operation was maintained.
 
(Did not happen to notice whether the opposite was also true, that LAN
RIP packets failed to get through to WAN router.)

Fix:

Revert to kernel made on FreeBSD-4.0-RELEASE system.

How-To-Repeat: Build kernel on 4.0-STABLE (as of 6-22)
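The report above describes two checks done by hand: confirming that the rc.network knobs (drop_synfin, bridge, bridge_ipfw) actually took effect, and comparing sniffer captures on the WAN and LAN sides of the bridge to see how many RIP broadcasts were lost. The script below is an added example that automates both; it is not part of the bug report or of FreeBSD. It assumes FreeBSD's `sysctl` output form (`name: value`) and capture lines in the style of `tcpdump -n`; all sample data in it is constructed for the example, and the knob names are the three set in the rc.network excerpt.

```sh
#!/bin/sh
# Added example (not from the bug report): checks for a FreeBSD bridging firewall
# like the one described above. All sample data below is constructed.

# Sample sysctl output in FreeBSD's "name: value" form. The first dump matches
# what the rc.network excerpt enables; the second has bridge_ipfw missing.
SYSCTL_OK='net.inet.tcp.drop_synfin: 1
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 1
net.inet.ip.forwarding: 0'

SYSCTL_BAD='net.inet.tcp.drop_synfin: 1
net.link.ether.bridge: 1
net.inet.ip.forwarding: 0'

# Constructed capture excerpts in the style of `tcpdump -n`, one per side of the
# bridge. RIP updates are UDP port 520 to the subnet broadcast address.
WAN_CAPTURE='12:00:00.100000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
12:00:00.200000 IP 192.0.2.10.22 > 198.51.100.5.51000: Flags [P.], seq 1:41, ack 1, win 65535, length 40
12:00:30.100000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
12:01:00.100000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
12:01:30.100000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
12:02:00.100000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24
12:02:30.100000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24'

LAN_CAPTURE='12:00:00.200000 IP 192.0.2.10.22 > 198.51.100.5.51000: Flags [P.], seq 1:41, ack 1, win 65535, length 40
12:01:30.100000 IP 192.0.2.1.520 > 192.0.2.255.520: UDP, length 24'

# check_bridge_knobs: print one line for each of the three knobs from the
# rc.network excerpt that is not set to 1 (or is absent) in the given dump.
check_bridge_knobs() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            n = split("net.inet.tcp.drop_synfin net.link.ether.bridge net.link.ether.bridge_ipfw", want, " ")
            for (i = 1; i <= n; i++) expected[want[i] ":"] = 1
        }
        ($1 in expected) {
            seen[$1] = 1
            name = $1; sub(/:$/, "", name)
            if ($2 != 1) printf "%s is %s, expected 1\n", name, $2
        }
        END {
            for (i = 1; i <= n; i++) {
                key = want[i] ":"
                if (!(key in seen)) printf "%s is missing\n", want[i]
            }
        }'
}

# knob_problems: number of lines check_bridge_knobs reported (0 = all knobs on).
knob_problems() {
    check_bridge_knobs "$1" | awk 'END { print NR }'
}

# count_rip: number of UDP/520 datagrams in a capture excerpt.
count_rip() {
    printf '%s\n' "$1" | grep -c '\.520 > [0-9.]*\.520: UDP' || true
}

# rip_loss_pct: integer percentage of WAN-side RIP datagrams that never showed
# up on the LAN side (the comparison the reporter made with two sniffers).
rip_loss_pct() {
    wan=$(count_rip "$1")
    lan=$(count_rip "$2")
    [ "$wan" -gt 0 ] || { echo 0; return; }
    echo $(( (wan - lan) * 100 / wan ))
}

echo "knob problems in good dump: $(knob_problems "$SYSCTL_OK")"
check_bridge_knobs "$SYSCTL_BAD"
echo "RIP loss across bridge: $(rip_loss_pct "$WAN_CAPTURE" "$LAN_CAPTURE")%"
```

On a real host the two dumps would come from `sysctl -a` and from `tcpdump -n` on a mirror port on each side of the firewall, as in the report; a non-zero knob count or a high loss percentage with ipfw carrying no rules points at the bridge path rather than the ruleset.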
Comment 1 Luigi Rizzo freebsd_committer freebsd_triage 2001-02-11 23:17:01 UTC
State Changed
From-To: open->closed

bridging has been fixed recently.