On 2021-03-11, da...@hajes.org <da...@hajes.org> wrote:
> Thanks for info Claudio.
>
> Unfortunately, I have read only "Networking FAQ" 
> https://www.openbsd.org/faq/faq6.html and there is no info about it.
>
> It would be great to update this page for dummies because just very few 
> read reference manuals line by line ;-) Most follow guides. I personally 
> write everything on my web like for children.

If you're not prepared to read manpages then OpenBSD is the wrong OS for you.

> My logic behind filtering was simple...bridge/vether handles all and 
> physical interfaces are in promiscuous mode. I have filtering for 
> vether0 but didn't imagine DHCP is still at physical interface level.
>
> pf.conf updated:
>
> set skip on em1-3

This logic does not match how PF+bridge(4) works.

> Only thing that still puzzles me where to filter...bridge0 or vether0. 
> 
> If I understand correctly, vether0 should be the interface for filtering 
> because it has got IP address assigned. Physical interfaces and bridge 
> should be treated as loopback...in other words, not filtered at all.

From bridge(4):

NOTES
   Bridged packets pass through pf(4) filters once as input on the receiving
   interface and once as output on all interfaces on which they are forwarded.
   In order to pass through the bridge packets must pass any in rules on the
   input and any out rules on the output interface.  Packets may be blocked
   either entering or leaving the bridge.
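As an added illustration of the two-pass rule quoted above (this is constructed example configuration, not the poster's pf.conf or anything from the thread), the ruleset below assumes em1, em2 and em3 are physical members of bridge0 and vether0 is the member that carries the host's address. It keeps the physical members under pf instead of skipping them, so that the "in" pass on the receiving port and the "out" pass on the forwarding port can both be used:

```pf
# Constructed example. Interface roles are assumptions:
#   em1 em2 em3 - physical ports, members of bridge0
#   vether0     - bridge member carrying the host's IP address
phys = "{ em1 em2 em3 }"

# Only loopback is exempt. A "set skip on em1 em2 em3" would take the whole
# bridged path out of pf, because bridge(4) evaluates rules on the member
# interfaces: "in" on the member a frame arrives on, "out" on each member
# the frame is forwarded to. The bridge0 interface itself carries no address
# and is not where these rules are matched.
set skip on lo0

block log all

# Pass 1: the frame enters on a physical port. A DHCP request from a client
# behind the bridge is seen here (udp 68 -> 67), not on vether0.
pass in  quick on $phys inet proto udp from any port 68 to any port 67

# Pass 2: the same frame is matched again as "out" on every member it is
# forwarded to. Blocking here stops it before it leaves the bridge.
pass out quick on $phys inet proto udp from any port 67 to any port 68

# Frames the bridge forwards to vether0 get their "out" pass on vether0;
# what the host's own stack then accepts is matched as "in" on vether0,
# the interface that actually owns the address.
pass out quick on vether0 inet proto udp from any port 68 to any port 67
pass in  on vether0 inet proto tcp from any to (vether0) port ssh
```

The point the manpage makes, and that this ruleset depends on, is that a frame crossing the bridge must be permitted twice: once by an in rule on the interface it arrived on and once by an out rule on the interface it is forwarded to. Skipping the physical members removes both checks for anything that never touches the host's own address.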
