Packet Filter
A Devilish Typo
Yesterday, I made an interesting typo. It was something like this:
pass out on $ExtIf keep state
block in on $ExtIf
block return in on $ExtIf from any to $bob
pass in on $ExtIf proto tcp from any to $bob port 80 keep state
block return in on $ExtIf from any to $joe
pass in on $ExtIf proto tcp from any to $joe port 80 keep state
pass
block return in on $ExtIf from any to $frank
pass in on $ExtIf proto tcp from any to $frank port 80 keep state
As you might guess, the lonely pass with nothing else was the typo.
The symptom that alerted us to the problem was really weird: $frank could no longer surf the web.
Why would a pass entry stop a host from surfing the web? pf evaluates rules top to bottom and the last matching rule wins, and a bare pass matches every packet, in every direction, on every interface. Because it comes after the main outbound rule, it overrides it. It also comes after all the rules relating to $bob and $joe, so it overrides them, allowing all traffic in and out for those hosts. For $frank, the bare pass overrides the normal outbound rule but not the inbound rules, which come after it. Because the normal outbound rule establishes state and the typo's pass does not, the outbound packets create no state (for all hosts). The stateless return packets are still allowed for $bob and $joe, since the bare pass is the last rule that matches them; for $frank the later block return rule is the last match, so only his return packets are forbidden.
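To make the last-match reasoning concrete, here is a small Python model of how pf chooses a rule, added as an illustration; it is not the post's code and not pf itself. It assumes the pf semantics of the time: rules are evaluated top to bottom, the last match wins, and a pass rule creates state only when it says keep state (since OpenBSD 4.1 pass rules keep state by default, so the same typo would behave differently there). It models only what this ruleset needs (direction, interface, protocol, destination host and port); quick, source matching, flags and NAT are left out. The web server address is made up.

```python
"""Toy model of pf's last-matching-rule evaluation and state tracking.

Added example, not the original post's code and not pf itself. It models
only what the post's ruleset needs: direction, interface, protocol,
destination host/port, and `keep state`. Rule options such as `quick`,
source/port matching, flags and NAT are left out, and as in the pf of the
post's era a pass rule does NOT keep state unless it says so.
"""
from dataclasses import dataclass, field
from typing import Optional

ANY = None  # wildcard in a rule


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out"
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass", "block", "block return"
    direction: Optional[str] = ANY    # "in", "out" or ANY
    iface: Optional[str] = ANY
    proto: Optional[str] = ANY
    dst: Optional[str] = ANY
    dport: Optional[int] = ANY
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return all(want is ANY or want == got for want, got in (
            (self.direction, p.direction), (self.iface, p.iface),
            (self.proto, p.proto), (self.dst, p.dst), (self.dport, p.dport)))


@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)

    @staticmethod
    def _key(p: Packet):
        # One state entry matches both directions of a connection.
        return frozenset({(p.proto, p.src, p.sport), (p.proto, p.dst, p.dport)})

    def filter(self, p: Packet) -> tuple:
        """Return (verdict, reason); verdict is 'pass' or 'block'."""
        if self._key(p) in self.states:
            return "pass", "state"        # state table is consulted before rules
        winner = None
        for idx, r in enumerate(self.rules):
            if r.matches(p):
                winner = (idx, r)         # last match wins
        if winner is None:
            return "pass", "default"      # pf's implicit default is pass
        idx, r = winner
        if r.action.startswith("pass"):
            if r.keep_state:
                self.states.add(self._key(p))
            return "pass", f"rule {idx}"
        return "block", f"rule {idx}"


EXT = "ExtIf"  # stands in for $ExtIf


def host_rules(host: str) -> list:
    """The per-host pair from the post: block return everything, allow tcp/80."""
    return [
        Rule("block return", "in", EXT, dst=host),
        Rule("pass", "in", EXT, "tcp", dst=host, dport=80, keep_state=True),
    ]


def ruleset(with_typo: bool) -> list:
    rules = [Rule("pass", "out", EXT, keep_state=True),
             Rule("block", "in", EXT)]
    rules += host_rules("bob") + host_rules("joe")
    if with_typo:
        rules.append(Rule("pass"))   # the lonely `pass`: matches everything, keeps no state
    rules += host_rules("frank")
    return rules


def web_session(host: str, with_typo: bool) -> tuple:
    """Simulate `host` opening a TCP connection to a web server and the reply
    coming back; returns ((verdict, reason) for the SYN, (verdict, reason) for the SYN/ACK)."""
    fw = Firewall(ruleset(with_typo))
    web = "192.0.2.10"  # constructed web server address
    syn = Packet("out", EXT, "tcp", host, 50000, web, 80)
    synack = Packet("in", EXT, "tcp", web, 80, host, 50000)
    return fw.filter(syn), fw.filter(synack)


if __name__ == "__main__":
    for host in ("bob", "joe", "frank"):
        print(host, "with typo:", web_session(host, True))
        print(host, "fixed:    ", web_session(host, False))
```

With the typo in place, every host's outbound SYN is passed by the bare pass (rule 6) without state; the reply to $bob and $joe is passed by that same rule, while the reply to $frank hits the later block return rule (rule 7). Remove the bare pass and the outbound rule keeps state, so the reply is matched from the state table before any rule is consulted.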
Flush that Bridge
After switching firewalls, it's a good idea to flush the bridge's cache. I should have all the MAC addresses static in the bridge config, but if I forget one or two, flushing the bridge takes care of it.
# brconfig bridge0 flush
