packet filter problem on transparent firewall using bridge and pf

ProAce proace at
Wed Jun 20 09:27:58 UTC 2012

I have some trouble with pf on a FreeBSD bridge.

Network topology:
( untrust ) -- { em0 , bridge0 , em1 } -- ( trust )

Bridge Network:
bridge0 IP: ( freebsd's ip )
default gw: ( in untrust area )
server: ~ 200 ( in trust area )

pf.conf on freebsd
   block in all
   block out all
   pass in quick on lo0 all
   pass out quick on lo0 all
   pass in quick on bridge0 from to any
   pass out quick on bridge0 from to any
   pass in quick on bridge0 from $client1 to
   pass in quick on bridge0 from $client1 to $serv1

When I turn on pf, I test some connections:
1. client1 cannot connect to serv1.
2. gw cannot connect to serv1.
3. client1 connects to freebsd ( ) successfully.
4. gw connects to freebsd ( ) successfully.

If I turn off pf, all connection tests succeed.
What's wrong with the pf rules?

The following is some description of the bridge topology.

FreeBSD and the servers are VMware guests on VMware ESXi.

The ESXi has two virtual switches:
   vSw1: connect to untrust
   vSw2: interconnect with freebsd and servers

freebsd has two vNICs:
   em0: connect to vSw1
   em1: connect to vSw2.

The servers have only one vNIC:
   em0: connect to vSw2

freebsd's rc.conf
   ifconfig_bridge0="inet netmask addm em0 addm em1 up"

freebsd's sysctl 0 0 0 0 1 1 0 1
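An added example, not from the poster or the freebsd-questions thread: the if_bridge(4) sysctls decide on which interface pf evaluates a bridged packet, and the ruleset has to match that choice. All addresses below are placeholders.

```pf
# Added example, not from the original post. Placeholder addresses only.
#
# if_bridge(4) sysctls (check them with: sysctl net.link.bridge):
#   net.link.bridge.pfil_member=1      pf sees bridged packets on em0/em1
#   net.link.bridge.pfil_bridge=1      pf sees bridged packets on bridge0
#   net.link.bridge.pfil_local_phys=0  packets to/from the host's own address
#                                      are filtered on bridge0 only
#   net.link.bridge.pfil_onlyip=1      only IP is passed to pf; ARP is bridged
#
# With pfil_member=1, a packet forwarded between em0 and em1 is evaluated
# on the member interfaces, where a ruleset whose only pass rules are
# "on bridge0" leaves "block all" to win. Traffic to the firewall's own
# address is filtered on bridge0, so tests 3 and 4 can succeed while 1
# and 2 fail. Filter in one place, e.g. in /etc/sysctl.conf:
#   net.link.bridge.pfil_member=0
#   net.link.bridge.pfil_bridge=1
# and write every rule against bridge0 (rules on em0/em1 never match then).

bridge_if = "bridge0"
fw_ip     = "192.0.2.10"        # placeholder: the address on bridge0
gw        = "192.0.2.1"         # placeholder: default gateway, untrust side
client1   = "192.0.2.50"        # placeholder: untrust side
serv1     = "198.51.100.20"     # placeholder: trust side

set skip on lo0
block log all

# Management of the firewall itself (evaluated on bridge0, pfil_local_phys=0)
pass in quick on $bridge_if inet proto tcp from $client1 to $fw_ip port ssh
pass out quick on $bridge_if inet from $fw_ip to any

# Bridged traffic: one stateful "pass in" on bridge0 is enough. The packet
# leaving bridge0 and the replies are matched by the state entry; keep state
# is the default in FreeBSD's pf, so it need not be written out.
pass in quick on $bridge_if inet proto tcp from $client1 to $serv1 port { 80 443 }
pass in quick on $bridge_if inet proto tcp from $gw to $serv1 port { 80 443 }
```

Load it with pfctl -nf /etc/pf.conf first to check the syntax, and watch pfctl -s states while testing to confirm that a single state is created per connection.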
