Questions about filtering bridges

Gilberto Villani Brito linux at
Mon Sep 17 13:08:19 PDT 2007

On 16/09/2007, Richard Coleman <rcoleman at> wrote:
> I'm setting up a filtering bridge and have a couple questions.
> Hopefully someone here can help.  I've looked at all the docs online
> (and lots of Google searches) but there isn't much recent info on
> filtering bridges.
> The setup is pretty simple: fxp0 is external and fxp1 is internal.
> # rc.conf
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm fxp0 addm fxp1 up"
> ifconfig_fxp0="up"
> ifconfig_fxp1="up"
> Question 1: In the Handbook section on bridging, it says that if you
> need to setup an ip address, you should put it on the bridge interface
> (bridge0).  But in the OpenBSD docs on filtering bridges, they say to
> put it on the inside interface.  What are the consequences of doing it
> either way?
> Question 2: If I use the following pf.conf (should block everything
> inbound, but allow everything outbound), I notice I'm still able to ssh
> into the bridging firewall itself.  Why isn't that blocked?  I'm
> guessing it's a consequence of the fact that I put an ip address on the
> bridging interface, but I'm not sure.  What am I missing?
> # pf.conf
> # interfaces
> ext_if="fxp0"
> int_if="fxp1"
> # options
> set skip on lo0
> set block-policy drop
> # normalization
> scrub in on $ext_if all
> scrub out on $ext_if random-id
> # external interface, inbound
> # default is to block all inbound on external interface
> block in log on $ext_if all
> # external interface, outbound
> block out log on $ext_if all
> pass out on $ext_if proto tcp all flags S/SA keep state
> pass out on $ext_if proto { udp, icmp } all keep state
> # internal interface, inbound
> pass in on $int_if all
> # internal interface, outbound
> pass out on $int_if all
> Richard Coleman
> rcoleman at
> _______________________________________________
> freebsd-pf at mailing list
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at"

Hi Richard;
The first question I don't know, but the second I know.
You are blocking everything:
block in log on $ext_if all
block out log on $ext_if all
But here:
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
All the traffic going out is allowed, and PF reads all rules unless you
use quick to stop.
See here:

Gilberto Villani Brito
System Administrator
Londrina - PR
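As an added illustration of the last-match behaviour described in the reply above (this is a toy evaluator written for this page, not code from the thread, from FreeBSD or from pf itself), the following Python walks Richard's ruleset the way pf does: every rule is evaluated in order, the last matching rule decides, a matching rule marked quick ends evaluation at once, and a packet that matches no rule at all falls to pf's implicit default, which is pass. The interface names fxp0, fxp1 and bridge0 are taken from the thread; the packets, the rule indices and the helper names are constructed for the example.

```python
"""Toy model of pf rule evaluation (added example, not pf's own code).

pf walks the whole ruleset in order; the LAST rule that matches decides
the packet, unless a matching rule carries 'quick', which stops
evaluation at once. If no rule matches at all, pf's implicit default is
to pass. The ruleset below is Richard's pf.conf from the thread (scrub
and set lines omitted, they do not decide pass/block); the packets are
constructed examples, not captured traffic.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str                   # interface the rule is bound to
    proto: Optional[str] = None  # None matches any protocol
    quick: bool = False          # 'quick' ends evaluation on match


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the firewall
    iface: str       # interface pf sees the packet on
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # destination port (informational; no rule here filters on it)


EXT_IF, INT_IF = "fxp0", "fxp1"

# Richard's ruleset, in pf.conf order. '{ udp, icmp }' expands to two rules.
RULESET: List[Rule] = [
    Rule("block", "in", EXT_IF),           # 0  block in  log on $ext_if all
    Rule("block", "out", EXT_IF),          # 1  block out log on $ext_if all
    Rule("pass", "out", EXT_IF, "tcp"),    # 2  pass out on $ext_if proto tcp ...
    Rule("pass", "out", EXT_IF, "udp"),    # 3  pass out on $ext_if proto { udp, icmp }
    Rule("pass", "out", EXT_IF, "icmp"),   # 4      (second rule of the expansion)
    Rule("pass", "in", INT_IF),            # 5  pass in  on $int_if all
    Rule("pass", "out", INT_IF),           # 6  pass out on $int_if all
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule's direction, interface and protocol all apply to pkt."""
    return (rule.direction == pkt.direction
            and rule.iface == pkt.iface
            and (rule.proto is None or rule.proto == pkt.proto))


def evaluate(ruleset: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule); index None means no rule matched."""
    verdict, winner = "pass", None         # pf's implicit default: pass
    for i, rule in enumerate(ruleset):
        if matches(rule, pkt):
            verdict, winner = rule.action, i
            if rule.quick:
                break                      # 'quick': stop at the first match
    return verdict, winner


def with_quick(ruleset: List[Rule], index: int) -> List[Rule]:
    """Copy of ruleset with 'quick' set on rule number `index` (original untouched)."""
    return [replace(r, quick=True) if i == index else r for i, r in enumerate(ruleset)]


# Constructed packets: SSH (tcp/22) arriving from each side, and plain outbound traffic.
SSH_FROM_OUTSIDE = Packet("in", EXT_IF, "tcp", 22)
SSH_FROM_INSIDE = Packet("in", INT_IF, "tcp", 22)
SSH_SEEN_ON_BRIDGE = Packet("in", "bridge0", "tcp", 22)   # pf presented the packet on bridge0
OUTBOUND_HTTP = Packet("out", EXT_IF, "tcp", 80)


if __name__ == "__main__":
    for name, pkt in [("ssh in on fxp0", SSH_FROM_OUTSIDE),
                      ("ssh in on fxp1", SSH_FROM_INSIDE),
                      ("ssh in on bridge0", SSH_SEEN_ON_BRIDGE),
                      ("http out on fxp0", OUTBOUND_HTTP)]:
        print(f"{name:20s} -> {evaluate(RULESET, pkt)}")
    # The same outbound packet once 'block out' (rule 1) carries 'quick':
    print("http out, rule 1 quick ->", evaluate(with_quick(RULESET, 1), OUTBOUND_HTTP))
```

Two things the model makes visible. First, outbound TCP on fxp0 matches both the block at index 1 and the pass at index 2, and the later pass wins; adding quick to the block flips the verdict, which is the point of the reply. Second, SSH that arrives in on fxp0 is blocked by rule 0 in this model, while SSH arriving in on fxp1 is passed by rule 5 and SSH that pf happens to evaluate on bridge0 matches nothing and is passed by default, because the ruleset names no bridge0 rules at all. On FreeBSD, which interface(s) a bridged packet is presented to pf on is governed by the if_bridge(4) sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge, so checking those, watching the rule counters with pfctl -vvsr, and looking at pflog0 for the expected block entries is the way to tell which of these cases the running firewall is actually in.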
