Bridging and Firewall Rules

Filtering with bridged interfaces functions similar to routed interfaces, but there are some configuration choices to alter exactly how the filtering behaves.

Apply Firewall Rules on Bridges or Interfaces

By default, firewall rules are applied on each member interface of the bridge on an inbound basis, like any other routed interface.

It is possible to decide whether the filtering happens on the bridge member interfaces, or on the bridge interface itself. This is controlled by two System Tunables values on System > Advanced on the System Tunables tab, as seen in Figure Bridge Filtering Tunables. The net.link.bridge.pfil_member tunable controls whether or not the firewall will honor rules on the bridge member interfaces. By default, this is on (1). The net.link.bridge.pfil_bridge tunable controls whether or not the firewall will honor rules on the bridge interface itself. By default, this is off (0). At least one of these must be set to 1.

../_images/bridge-filter-tunables.png

Bridge Filtering Tunables

When filtering on the bridge interface itself, traffic will hit the rules as it enters from any member interface. The rules are still considered “inbound” like any other interface rules, but they work more like an interface group since the same rules apply to each member interface.

Firewall Rule Macros

Only one interface of a bridge will have an IP address set, the others will have none. For these interfaces, their firewall macros such as OPT1 address and OPT1 net are undefined because the interface has no address and thus no subnet.

If filtering is performed on bridge members, keep this fact in mind when crafting rules and explicitly list the subnet or use the macros for the interface where the IP address resides.

Ethernet Rules on Bridge Interfaces

Applying Ethernet (Layer 2) Rules on a bridge requires changing a System Tunables value at System > Advanced on the System Tunables tab.

The net.link.bridge.ipfw tunable controls whether or not the firewall will honor Ethernet rules on a bridge interface itself. Though the tunable name mentions IPFW, it controls all link-level packet filtering hooks on bridges.

By default, this tunable is off (0). To enable Ethernet rule filtering on bridge interfaces, this must be set to 1.