On Fri, Apr 25, 2008 at 11:53:47AM +0200, Joaquin Fernandez Piqueras wrote:
> Hi,
>
> I have tried to reverse the order of the rules:
>
> # pfctl -s rules
>
> pass in quick on em3 all flags S/SA keep state
> block drop out quick on bridge0 all
> block drop out quick on em1 all
> block drop out quick on em0 all
> block drop in quick on bridge0 all
> block drop in quick on em1 all
> block drop in quick on em0 all
> block drop in all
>
> I have got the same result, traffic goes through the bridge. Any other idea?
>
> Joaquin

Make it block all and work yourself up from there. Verify that pf(4) is
actually enabled using pfctl -s info and check Status: Enabled...

The bridge(4) man page hints about only filtering on one interface, since
otherwise the packets get processed twice by pf(4).

Try to start with:

#set skip on em0
block all
pass in on em3 all flags S/SA keep state

Which should block everything but em3. Then set skip on em0, which should
open em0. Then insert filtering on em1 after block all.

>
>
> Benoit GARCIA wrote:
> >On Thu, Apr 24, 2008 at 4:52 PM, Joaquin Fernandez Piqueras
> ><[EMAIL PROTECTED]> wrote:
> >
> >>Hi,
> >Hello,
> >
> >>I'm installing a transparent (bridge) firewall with OpenBSD. The
> >>machine has 4 network interfaces, 2 interfaces are copper
> >>intel/Pro1000MT and the other two are optical fiber Intel/Pro1000MF (one
> >>is SX and the other is LX).
> >>I want to use the fiber interfaces for the bridge firewall and copper
> >>interfaces for firewall administration.
> >>
> >>The problem is that the bridge doesn't filter anything. I tried to put
> >>rules that block everything but only filter administration interfaces.
> >>The traffic still goes through the bridge.
> >[...]
> >># pfctl -s rules
> >>
> >>
> >>block drop in all
> >>block drop in quick on em0 all
> >>block drop in quick on em1 all
> >>block drop in quick on bridge0 all
> >>block drop out quick on em0 all
> >>block drop out quick on em1 all
> >>block drop out quick on bridge0 all
> >>pass in quick on em3 all flags S/SA keep state
> >
> >It seems you've skipped a part of the pf user's guide (
> >http://www.openbsd.org/faq/pf/index.html ):
> >"Filter rules are evaluated in sequential order, first to last. Unless
> >the packet matches a rule containing the quick keyword, the packet
> >will be evaluated against all filter rules before the final action is
> >taken. The last rule to match is the "winner" and will dictate what
> >action to take on the packet."
> >
> >Reverse the order of your rules and it should work.

--
/ Raimo Niskanen, Erlang/OTP, Ericsson AB
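The staged ruleset Raimo outlines above, written out as a complete pf.conf. This is an added example and not a file posted in the thread; it assumes em0 and em1 are the two bridge(4) members on bridge0, em3 is the management interface, and 192.0.2.10 is a constructed address for a host behind the bridge.

```conf
# Added example pf.conf for a transparent bridge firewall (not from the thread).
# Assumed roles: em0 + em1 are members of bridge0, em3 is the admin interface.

# Stage 2 (bridge(4) hint): filter on only one bridge member so pf(4) does
# not process each forwarded packet twice. Keep this commented out for
# stage 1 so that "block all" really blocks everything; uncomment it once
# you have confirmed that nothing crosses the bridge.
#set skip on em0

# Stage 1: default deny. Every later rule is an explicit exception, and
# because nothing here uses "quick", the last matching rule wins.
block all

# Stage 3: filtering for the bridge traffic goes on em1 only, after
# "block all". With em0 skipped, a frame entering on em0 and leaving via
# em1 is seen once, on em1 in the "out" direction, and vice versa.
# Constructed policy: allow TCP 22 and 443 toward the assumed host
# 192.0.2.10; the state entry lets the replies back through.
pass out on em1 proto tcp from any to 192.0.2.10 port { 22, 443 } \
    flags S/SA keep state
pass in  on em1 proto tcp from any to 192.0.2.10 port { 22, 443 } \
    flags S/SA keep state

# Management access on the admin interface (Raimo's original pass rule).
pass in on em3 all flags S/SA keep state
```

Load it in two steps: `pfctl -nf /etc/pf.conf` only parses the file and reports syntax errors, and `pfctl -f /etc/pf.conf` installs it. Before testing whether anything crosses the bridge, confirm `pfctl -s info` reports `Status: Enabled`; if pf is disabled, no ruleset at all will filter the bridge, which produces exactly the symptom described in the thread. The order in which the `set skip` line is uncommented matters: verify the full block first, then open em0, then add the em1 rules, so that each change is tested against a known baseline.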

