Filtering bridge - how to decide which of the bridge's interfaces a packet arrived on?

Andrew Thompson thompsa at
Tue Oct 2 02:16:12 PDT 2007

On Tue, Oct 02, 2007 at 11:01:27AM +0300, Tobias Ernst wrote:
> Dear members of this list,
> Recently, it was stated here by Andrew Thompson that
> > anything that is destined for the
> > local host is tapped off early and handled specially. 
> This referred to the fact that packets passing through a bridging
> firewall can be filtered on the individual inbound/outbound interfaces,
> but packets destined for the bridging firewall (that has assigned an ip
> address to the bridge interface) can only be filtered on the bridge
> interface.
> I have now run into a problem with this. I am setting up a routing
> firewall with several DMZ, but for various reasons the DMZ use the same
> IP range as the internal net. I.e., the DMZ are bridged to the internal
> net, and the entire IP subnet is then routed to the external world.
> However, the above rules do not match packets sent from a machine with
> an illegal IP in the DMZ and destined for the firewall, because those
> packets only appear on bridge0. However, when I filter the packets on
> bridge0, I have no idea whether they arrived on the DMZ interface or on
> the internal interface.
> Is there any other possibility of finding out which member of a bridge
> an inbound packet has arrived on?

Yes, a new option was added to HEAD that allows this (pfil_local_phys),
it adds an additional packet filter call on the member interface for
local packets.

> P.S.: FreeBSD 6.2-RELEASE

Its not in 6.2 unfortunately but will be MFC'd in time for 6.3


More information about the freebsd-pf mailing list