After upgrade, firewall rules for bridged interfaces not wor

eliast · September 12, 2007, 8:08pm

Hy all! I've upgraded a site, wich uses a 6port bridge and a 2port bridge, bridging ethernet interfaces only. One bridge for servers, and one bridge for network access. I was using 2.9, but because a hw upgrade I was in a neddd to support 2 CPUs and gigabit ethernet cards that had no support in 2.9. after I did the upgrade to 3.0rc4 my firewall rules were did not match.
I want to filter the traffic between the bridge ports. In 2.9 it was working fine. In 3.0 I turned on the USe ip firewall at the bridge section, but only the rules in the INPUT table started to work. In the FORWARD table I can match only for bridge interfaces,

In the firewall section, I'm using Advanced -> Out/in bridge port to match the needed bridge port, but it is not working any more. Packets simply does not match. I tried to LOG the packets, but in the log I can see only the bridge interface, not the physical one. As soon as I set any match based on the physical bridge port, packets simply does not match. My question is: Are there any differences btw 2.9 and 3.0 on this feature? Or is it a sw bug? Or what the hell to do to make my old rules working...

/interface bridge> print
1 R name="LAN" mtu=1500 arp=enabled mac-address=***************
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m

/interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic

INTERFACE BRIDGE PRIORITY PATH-COST

0 eth4-NK_WWW NET 0x80 10
1 eth5-PORTAL NET 0x80 10
2 eth8-ELEARNING NET 0x80 10
3 eth1-in LAN 0x80 10
4 eth9-out NET 0x80 10
5 eth3-HIVATAL NET 0x80 10
6 eth2-ESERVICE NET 0x80 10
7 eth6-NK_MAIL NET 0x80 10

an example rule that is not working:

69 ;;; NK MAIL -> INTERNET
chain=forward action=accept connection-state=new src-address=******** in-interface=NET out-interface=NET dst-port=80 protocol=tcp in-bridge-port=eth6-NK_MAIL out-bridge-port=eth9-out

thank you in advance!

macgaiver · September 13, 2007, 10:40am

/interface bridge settings set use-ip-firewall=yes

by default it is “no”

eliast · September 13, 2007, 10:55am

If you check my reply, you can see, that I have enabled it.

interface bridge settings> print
use-ip-firewall: yes
use-ip-firewall-for-vlan: no

macgaiver · September 13, 2007, 11:04am

chain=forward action=accept connection-state=new src-address=******** in-interface=NET out-interface=NET dst-port=80 protocol=tcp in-bridge-port=eth6-NK_MAIL out-bridge-port=eth9-out

You need to try rule with much less options - try to localize the problem. At this point it can be anything.

What about “chain=forward action=accept in-bridge-port=eth6-NK_MAIL” - does it works?

eliast · September 13, 2007, 11:27am

Ok. Let’s start to play again:

23 ;;; LOG ENTRY
chain=forward action=log dst-address=IP dst-port=2222
protocol=tcp log-prefix=“LOG-”

If I telnet to this port with the given IP, it is working. I can see tha packet:
log entry says: in:NET, out:NET, proto TCP, etc… I’ve added the interface matching:

23 ;;; LOG ENTRY
chain=forward action=log dst-address=IP dst-port=2222
protocol=tcp out-bridge-port=eth6-NK_MAIL log-prefix=“LOG-”

Woila, no match… I’m going crazy…

Anyway I have tried all other interfaces too at out-bridge-port, maybe when upgrading the order has been changed, but no match.

any ideas?

eliast · September 13, 2007, 11:30am

If I setup the rule like this:

23 ;;; LOG ENTRY
chain=forward action=log dst-address=IP in-interface=NET
out-interface=NET dst-port=2222 protocol=tcp log-prefix=“LOG-”

so not dealing with bridge ports in the advanced menu, but only using standard interface names and matching the BRIDGE name, it IS working.

If I try this with physical bridge interface:

23 ;;; LOG ENTRY
chain=forward action=log dst-address=IP
out-interface=eth6-NK_MAIL dst-port=2222 protocol=tcp log-prefix=“LOG-”

no match again.

macgaiver · October 2, 2007, 7:54am

i think it should be:

23 ;;; LOG ENTRY
chain=forward action=log dst-address=IP
out-bridge-port=eth6-NK_MAIL dst-port=2222 protocol=tcp log-prefix=“LOG-”

eliast · October 2, 2007, 10:13am

Ok. retry.

0 ;;; LOG ENTRY
chain=forward action=log dst-address=IP dst-port=2222
protocol=tcp out-bridge-port=eth6-NK_MAIL log-prefix=“SSHLOG-”

No match.

akukula · October 2, 2007, 2:17pm

Where’s the bridge “NET”??

Regards,
Andrzej

eliast · October 2, 2007, 4:06pm

here, I've just not copied it in:

/interface bridge print
Flags: X - disabled, R - running
0 R name="NET" mtu=1500 arp=enabled mac-address=00:0C:42:02:2D:59 protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

1 R name="LAN" mtu=1500 arp=enabled mac-address=00:0C:42:02:2D:58 protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m

/interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic

INTERFACE BRIDGE PRIORITY PATH-COST

0 eth4-NK_WWW NET 0x80 10
1 eth5-PORTAL NET 0x80 10
2 eth8-ELEARNING NET 0x80 10
3 eth1-in LAN 0x80 10
4 eth9-out NET 0x80 10
5 eth6-NK_MAIL NET 0x80 10
6 eth3-HIVATAL NET 0x80 10
7 eth2-ESERVICE NET 0x80 10

eliast · October 2, 2007, 4:31pm

Anyway in the input table filtering based on bride port is working. but in forward table it is not. I belive it is a bug.

akukula · October 2, 2007, 4:57pm

I’ve got 3.0rc5 and my rules looks like this:
0 chain=forward out-bridge=bridge1 action=accept in-bridge=bridge1 mac-protocol=ip dst-address=aaa.bbb.ccc.ddd/32 dst-port=80
ip-protocol=tcp

The only significant difference is in “protocol” and “ip-protocol”, maybe try revising your rules or upgrading to rc5.

Regards,
Andrzej

eliast · October 2, 2007, 5:18pm

I’m already running rc5.

Hm. I do not have “out-bridge” in the options. I have only out/in-bridge-port and out/in-interface.

Are you using the “/ip firewall filter” section?

Is there a possible incompatibility btw 2.9 and 3.0 of processing the rules? I’m using the standard ip->firewall and not the bridge->filters option to firewall on the bridge.

Is this a subject to change in 3.0?

akukula · October 2, 2007, 7:30pm

And what about:
chain=forward action=log dst-address=IP dst-port=2222
protocol=tcp out-interface=NET out-bridge-port=eth6-NK_MAIL log-prefix=“LOG-”

I’d also try Tools-Packet Sniffer with interface set to “all” - for me it shows the bridge input interface (e.g. ether1) then the bridge (bridge1) then the bridge output interface (ether2), so I can see how the packet flows through the router.

Regards,
Andrzej

eliast · October 2, 2007, 10:20pm

hmm… By using the Packet Sniffer, I can see packet coming to eth9-out and then NET bridge, but ccannot see the output interface. Other interresting thing, I’ve tried to filter the incming if or bridge port. With ncoming if and br the rule was working, but not with output…