Hi,

I have tried to reverse the order of the rules:

# pfctl -s rules
pass in quick on em3 all flags S/SA keep state
block drop out quick on bridge0 all
block drop out quick on em1 all
block drop out quick on em0 all
block drop in quick on bridge0 all
block drop in quick on em1 all
block drop in quick on em0 all
block drop in all

I got the same result: traffic goes through the bridge. Any other idea?

Joaquin


Benoit GARCIA wrote:
On Thu, Apr 24, 2008 at 4:52 PM, Joaquin Fernandez Piqueras
<[EMAIL PROTECTED]> wrote:

Hi,
Hello,

I'm installing a transparent (bridge) firewall with OpenBSD. The
machine has 4 network interfaces: 2 interfaces are copper
Intel/Pro1000MT and the other two are optical fiber Intel/Pro1000MF (one
is SX and the other is LX).
I want to use the fiber interfaces for the bridge firewall and copper
interfaces for firewall administration.

The problem is that the bridge doesn't filter anything. I tried to put
rules that block everything but only filter administration interfaces.
The traffic still goes through the bridge.
[...]
# pfctl -s rules
block drop in all
block drop in quick on em0 all
block drop in quick on em1 all
block drop in quick on bridge0 all
block drop out quick on em0 all
block drop out quick on em1 all
block drop out quick on bridge0 all
pass in quick on em3 all flags S/SA keep state

It seems you've skipped a part of the pf user's guide (
http://www.openbsd.org/faq/pf/index.html ):
"Filter rules are evaluated in sequential order, first to last. Unless
the packet matches a rule containing the quick keyword, the packet
will be evaluated against all filter rules before the final action is
taken. The last rule to match is the "winner" and will dictate what
action to take on the packet."

Reverse the order of your rules and it should work.
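The evaluation rule quoted from the pf user's guide, applied to the two rule orderings in this thread, as an added example that is not from the original post and not pf's own code: a simplified Python model (interface and direction only; address, protocol, `flags` and `keep state` are assumed to always match, and `em2` is an assumed name for an interface the ruleset never mentions) that reports the verdict for each interface and direction and whether reversing the ruleset changes any of them.

```python
"""Simplified model of pf filter-rule evaluation: rules are checked first to
last, the last matching rule wins unless a matching rule carries `quick`,
and a packet matching no rule passes.  Only interface and direction are
modelled; address, protocol, `flags` and `keep state` are assumed to match."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    quick: bool
    iface: str | None    # None means any interface

def parse_rule(line: str) -> Rule:
    """Parse one line of `pfctl -s rules` output in the form seen in the thread."""
    tok = line.split()
    i = 2 if tok[1] == "drop" else 1        # skip the optional "drop" after "block"
    direction, i = tok[i], i + 1
    quick = tok[i] == "quick"
    if quick:
        i += 1
    iface = tok[i + 1] if tok[i] == "on" else None
    return Rule(tok[0], direction, quick, iface)

def evaluate(rules: list[Rule], iface: str, direction: str) -> str:
    verdict = "pass"                        # pf default when nothing matches
    for r in rules:
        if r.direction == direction and r.iface in (None, iface):
            verdict = r.action              # last match wins ...
            if r.quick:
                break                       # ... unless the match is quick
    return verdict

def verdict_table(ruleset: str, ifaces) -> dict:
    rules = [parse_rule(ln) for ln in ruleset.strip().splitlines()]
    return {(i, d): evaluate(rules, i, d) for i in ifaces for d in ("in", "out")}

ORIGINAL = """
block drop in all
block drop in quick on em0 all
block drop in quick on em1 all
block drop in quick on bridge0 all
block drop out quick on em0 all
block drop out quick on em1 all
block drop out quick on bridge0 all
pass in quick on em3 all flags S/SA keep state
"""
IFACES = ("em0", "em1", "em2", "em3", "bridge0")   # em2: assumed unlisted interface

def order_matters(ruleset: str) -> bool:
    """True if reversing the ruleset changes any verdict for IFACES."""
    rev = "\n".join(reversed(ruleset.strip().splitlines()))
    return verdict_table(ruleset, IFACES) != verdict_table(rev, IFACES)
```

Running `order_matters(ORIGINAL)` and `order_matters(ORIGINAL.replace(" quick", ""))` shows that order only changes a verdict once the `quick` keywords are removed.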
