On Thu, Apr 24, 2008 at 4:52 PM, Joaquin Fernandez Piqueras
<[EMAIL PROTECTED]> wrote:

> Hi,
Hello,

> I'm installing a transparent (bridge) firewall with OpenBSD.  The
> machine has 4 network interfaces, 2 interfaces are copper
> intel/Pro1000MT and the other two are optical fiber Intel/Pro1000MF (one
>  is SX and the other is LX).
> I want to use the fiber interfaces for the bridge firewall and copper
> interfaces for firewall administration.
>
> The problem is that the bridge doesn't filter anything. I tried to put
> rules that block everything but only filter administration interfaces.
> The traffic still goes through the bridge.
[...]
> # pfctl -s rules
>
>
> block drop in all
> block drop in quick on em0 all
> block drop in quick on em1 all
> block drop in quick on bridge0 all
> block drop out quick on em0 all
> block drop out quick on em1 all
> block drop out quick on bridge0 all
> pass in quick on em3 all flags S/SA keep state

It seems you've skipped a part of the pf user's guide (
http://www.openbsd.org/faq/pf/index.html ):
"Filter rules are evaluated in sequential order, first to last. Unless
the packet matches a rule containing the quick keyword, the packet
will be evaluated against all filter rules before the final action is
taken. The last rule to match is the "winner" and will dictate what
action to take on the packet."

Reverse the order of your rules and it should work.

-- 
Regards,
Benoit.

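The evaluation order that the FAQ quote above describes (sequential, last match wins, quick stops evaluation) can be checked against the quoted ruleset with a small model. This is an added example, not code from the thread or from OpenBSD; it is a toy that only looks at action, direction, quick and interface, and ignores flags, state and addresses.

```python
import re

# Constructed copy of the ruleset quoted in the thread (pfctl -s rules).
RULESET = """\
block drop in all
block drop in quick on em0 all
block drop in quick on em1 all
block drop in quick on bridge0 all
block drop out quick on em0 all
block drop out quick on em1 all
block drop out quick on bridge0 all
pass in quick on em3 all flags S/SA keep state
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop)? (?P<dir>in|out)"
    r"(?P<quick> quick)?(?: on (?P<iface>\S+))? all"
)

def parse_rules(text):
    """Turn pfctl output into (action, direction, quick, iface) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m["action"], m["dir"], bool(m["quick"]), m["iface"]))
    return rules

def evaluate(rules, iface, direction):
    """Walk every rule in order, remember the last one that matched, and
    stop early only when a matching rule carries 'quick'."""
    winner = None
    for idx, (action, rdir, quick, riface) in enumerate(rules):
        if rdir != direction or (riface is not None and riface != iface):
            continue
        winner = (idx, action)
        if quick:
            break
    return winner if winner else (None, "pass")  # no match: pf passes

def decide(text, iface, direction):
    return evaluate(parse_rules(text), iface, direction)[1]

if __name__ == "__main__":
    for iface in ("em0", "em2", "em3", "bridge0"):
        print(f"in on {iface}: {decide(RULESET, iface, 'in')}")
    # Strip every 'quick': now only rule order decides, so reversing the
    # ruleset flips the result for traffic in on em3.
    no_quick = RULESET.replace(" quick", "")
    print("no quick:", decide(no_quick, "em3", "in"))
    rev = "\n".join(reversed(no_quick.splitlines()))
    print("no quick, reversed:", decide(rev, "em3", "in"))
```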