Security issue : Bridge is permissive on reboot

dyonis0s · September 11, 2019, 10:48:38 AM

Hello everyone, I made some security testing on OPNsense 19.1.

I've configured it with two interfaces in bridge mode. The firewall is placed inside Hyper-V.
On the one hand, the first interface is conected to VM with hping in flood mode. On the other, on the second interface, I've a VM with wireshark. The firewall is configured to block every packets.

I observed that on reboot of the firewall, it become permissive for about 0 to 1 second on startup.

Is that an issue that you already known ?

bartjsmit · September 11, 2019, 10:59:16 AM

Does this also happen with OPNsense in router mode?

Bart...

dyonis0s · September 11, 2019, 11:13:09 AM

I didn't test in routing mode

bartjsmit · September 11, 2019, 06:01:32 PM

It's worth testing to see if the permissive period is due to the bridge coming up before the firewall, or something innate to OPNsense.

Do you have net.link.bridge.pfil_bridge set to 1 under System, Settings, Tunables?

Bart...

dyonis0s · September 17, 2019, 02:43:11 PM

Sorry for the latency.
Indeed this variable was set to 1.

Security issue : Bridge is permissive on reboot

dyonis0s

September 11, 2019, 10:48:38 AM

bartjsmit

September 11, 2019, 10:59:16 AM #1

dyonis0s

September 11, 2019, 11:13:09 AM #2

bartjsmit

September 11, 2019, 06:01:32 PM #3

dyonis0s

September 17, 2019, 02:43:11 PM #4