Questions about filtering bridges

Andrew Thompson thompsa at
Mon Sep 17 13:43:21 PDT 2007

On Mon, Sep 17, 2007 at 04:38:33PM -0400, Richard Coleman wrote:
> Andrew Thompson wrote:
> >On Sun, Sep 16, 2007 at 10:36:41PM -0400, Richard Coleman wrote:
> >  
> >>Question 1: In the Handbook section on bridging, it says that if you 
> >>need to set up an IP address, you should put it on the bridge interface 
> >>(bridge0).  But in the OpenBSD docs on filtering bridges, they say to 
> >>put it on the inside interface.  What are the consequences of doing it 
> >>either way?
> >>    
> >
> >OpenBSD does not support adding an IP address to a bridge interface so
> >they do not have a choice here. Assigning the IP to the bridge is the
> >correct way to do it as it is the central piece of the setup.
> >
> >  
> >>Questions 2: If I use the following pf.conf (should block everything 
> >>inbound, but allow everything outbound), I notice I'm still able to ssh 
> >>into the bridging firewall itself.  Why isn't that blocked?  I'm 
> >>guessing it's a consequence of the fact that I put an ip address on the 
> >>bridging interface, but I'm not sure.  What am I missing?
> >>
> >>    
> >
> >This is because the _bridge_ is the interface that the packet arrives
> >on. Think of the bridge as a fully functioning interface; what you need
> >is:
> >
> >bridge_if="bridge0"
> >block in log on $bridge_if all
> >
> >
> >regards,
> >Andrew
> >  
> I was confused because the if_bridge(4) man page (for 6.2) says that 
> traffic always passes first through the originating interface (which I 
> took to be the external physical interface), then passes through the 
> bridge interface, and then through all appropriate outbound interfaces.  
> So I assumed a block rule for the first physical interface would 
> prevent the packet from ever reaching the bridge interface.
> Given that wording, I was confused why you would ever need to filter on 
> the bridge interface itself.

I see where the confusion comes in then. That particular section refers
to the bridge forwarding packets, anything that is destined for the
local host is tapped off early and handled specially. I welcome any
wording changes on the man page.
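To make the distinction concrete, here is a filtering-bridge pf.conf that applies the rule from the reply above. It is an added example, not configuration posted in this thread or shipped by FreeBSD; the member interface names em0/em1, the management network 192.0.2.0/24 and the use of bridge0 as the interface carrying the host's IP are assumptions. Traffic addressed to the bridge host itself (such as the SSH session that was unexpectedly allowed) is seen by pf on bridge0, so it is filtered there; traffic the bridge merely forwards between its members is filtered on the member interfaces.

```pf
# /etc/pf.conf for a FreeBSD if_bridge(4) filtering bridge (added example).
# Assumed layout: em0 = outside member, em1 = inside member,
# bridge0 = the bridge interface, which also carries the host's own IP.
ext_if="em0"
int_if="em1"
bridge_if="bridge0"
mgmt_net="192.0.2.0/24"   # assumed: where admins may SSH from

set skip on lo0

# --- Traffic destined for this host itself ---
# Packets for a local address are handed to the host via bridge0, not via
# the member interface they physically arrived on, so "block in on em0"
# alone does not stop them. Block on the bridge interface, then allow
# only management SSH from the assumed admin network.
block in log on $bridge_if all
pass in on $bridge_if proto tcp from $mgmt_net to ($bridge_if) port 22 keep state
pass out on $bridge_if all keep state

# --- Traffic forwarded through the bridge ---
# Forwarded packets are filtered on the member interfaces: drop anything
# entering from the outside member, let inside hosts initiate outbound.
block in log on $ext_if all
pass in on $int_if all keep state
pass out on $ext_if all keep state
```

Before loading it, confirm that the kernel is actually passing bridged traffic to pf on both the members and the bridge interface with `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge` (both should be 1), then check the syntax with `pfctl -nf /etc/pf.conf` and load it with `pfctl -f /etc/pf.conf`. After that, an SSH attempt from outside the management network should show up as a blocked entry on interface bridge0 in `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to see which interface name pf attributes a given packet to.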

