
List:       pfsense-discussion
Subject:    Re: [pfSense-discussion] can't filter on transparent bridge
From:       "Chris Buechler" <cbuechler () gmail ! com>
Date:       2008-09-13 17:02:48
Message-ID: d64aa1760809131002mb5cf84i3ea8aea14b56f626 () mail ! gmail ! com

On Sat, Sep 13, 2008 at 8:46 AM, Eugen Leitl <eugen@leitl.org> wrote:
>
> I can't get a 1.2.1-RC1 full with two NICs (VIA mini ITX) to filter traffic
> using http://pfsense.trendchiller.com/transparent_firewall.pdf
>
> No rules either in WAN or LAN, to the bridge must block
> everything -- but doesn't. No change when I define explicit
> blocking rules for everything.
>

There are some default rules on LAN, like the anti-lockout rule that
could be passing the traffic. You can disable that on the Advanced
page. That's the only one I can think of offhand that would pass
traffic, though LAN is a bit special in 1.2x and there could be
something else I'm not thinking of offhand.

Note the "enable filtering bridge" checkbox does nothing in 1.2.1 and
should have done nothing in 1.2. In 1.2, turning that on actually can
create some weird problems with filtering in some circumstances.
That's a holdover from the way m0n0wall does things, and should have
been removed when we switched to if_bridge. If you're running bridging
on 1.2, I recommend leaving that disabled. It adds rules to the bridge
itself, when the bridge should never have rules. The member interfaces
get rules added, and you want to filter on both the member interfaces
and not the bridge itself.
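The reply's point that rules belong on the member interfaces and never on the bridge itself is something you can verify on the box rather than infer from the GUI. Below is an added example (my own, not code from Chris, Eugen or the pfSense project) that audits a pf ruleset dump written in the style of `pfctl -sr` output: it flags any rule bound to the bridge interface, lists pass rules on the members (the anti-lockout rule included, since that is the rule most likely to be passing traffic unexpectedly) and returns a non-zero status when either is present. The interface names (bridge0, fxp0, fxp1), the sample rules and the exact "anti-lockout rule" label text are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): audit a pf ruleset dump
# for a transparent bridge. It confirms that filtering rules are bound to
# the bridge member interfaces, that nothing is bound to the bridge
# interface itself, and surfaces pass rules (such as pfSense's
# anti-lockout rule) that could explain traffic getting through.

# Constructed sample in the style of `pfctl -sr` output. Interface names,
# addresses and the "anti-lockout rule" label are assumptions for the demo.
SAMPLE_RULES='block drop in quick on bridge0 all
pass in quick on fxp0 inet proto tcp from any to 192.168.1.1 port = 443 flags S/SA keep state label "anti-lockout rule"
block drop in log quick on fxp0 all
pass in quick on fxp1 inet from any to any flags S/SA keep state'

BRIDGE_IF=bridge0          # assumed bridge interface name
MEMBER_IFS="fxp0 fxp1"     # assumed WAN and LAN member interfaces

# Print the rules whose "on <interface>" clause names $2.
# $1 = ruleset text, $2 = interface name. Succeeds even with no match.
rules_on_iface() {
    printf '%s\n' "$1" | grep -E "[[:space:]]on $2([[:space:]]|\$)" || true
}

# Number of rules bound directly to the bridge interface (should be 0).
count_rules_on_bridge() {
    rules_on_iface "$1" "$2" | grep -c . || true
}

# Print pass rules on each member interface listed in $2 (space separated).
pass_rules_on_members() {
    for ifn in $2; do
        rules_on_iface "$1" "$ifn" | grep '^pass ' || true
    done
}

# Number of pass rules across the member interfaces.
count_pass_rules_on_members() {
    pass_rules_on_members "$1" "$2" | grep -c . || true
}

# Number of rules carrying pfSense's anti-lockout label (assumed label text).
count_anti_lockout() {
    printf '%s\n' "$1" | grep -c 'label "anti-lockout rule"' || true
}

# Summarise the ruleset. Returns 1 if any rule is bound to the bridge itself
# or any pass rule exists on a member, 0 if the members only block.
# $1 = ruleset text, $2 = bridge interface, $3 = member interfaces.
check_ruleset() {
    bridge_hits=$(count_rules_on_bridge "$1" "$2")
    pass_hits=$(count_pass_rules_on_members "$1" "$3")
    lockout_hits=$(count_anti_lockout "$1")
    echo "rules bound to $2 (should be 0): $bridge_hits"
    [ "$bridge_hits" -gt 0 ] && rules_on_iface "$1" "$2" | sed 's/^/  /'
    echo "pass rules on members ($3): $pass_hits"
    [ "$pass_hits" -gt 0 ] && pass_rules_on_members "$1" "$3" | sed 's/^/  /'
    echo "anti-lockout rules: $lockout_hits"
    [ "$bridge_hits" -eq 0 ] && [ "$pass_hits" -eq 0 ]
}

# Run against the constructed sample; on a real box substitute "$(pfctl -sr)".
check_ruleset "$SAMPLE_RULES" "$BRIDGE_IF" "$MEMBER_IFS" || echo "ruleset needs attention"
```

On a live 1.2.x box, replace `SAMPLE_RULES` with the real dump (`check_ruleset "$(pfctl -sr)" bridge0 "fxp0 fxp1"`) so the check reads the rules pf actually loaded, which is what matters when the GUI and the kernel disagree. Separately from the rules themselves, FreeBSD's if_bridge decides whether packets are filtered on the members or on the bridge interface through the `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` sysctls (documented in bridge(4), not something the thread discusses); if a ruleset that looks right on the members still has no effect, those two values are the next thing to read.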