Hello, we have a 5.6-stable box doing transparent filtering with pf.
"block log all" is the default on the ruleset. The bridge is composed of fxp0 and vether0 on the internal net 192.168.192/23 and xl0 (internet). While doing normal work, pflog0 shows this:

    06:19:08.497855 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
    06:19:08.546275 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)
    06:19:08.582708 rule 17/(match) block in on fxp0: 192.168.192.146.61276 > 23.202.94.13.80: tcp 0 (DF)
    06:19:08.869587 rule 17/(match) block in on vether0: 192.168.193.12.2103 > 77.234.44.77.443: tcp 0 (DF)
    06:19:08.872942 rule 17/(match) block in on vether0: 192.168.193.12.2104 > 77.234.42.76.443: tcp 0 (DF)
    06:19:09.000769 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)
    06:19:09.046083 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)

vether0 is 192.168.192.119, i.e. in the same net as fxp0, and the default gateway for the net. There are no static rules for any of those destination sites. Why is it that blocked packets appear sometimes on fxp0 and sometimes on vether0? Thanks
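To see the pattern in pflog output like the above at a glance, here is an added Python script (not part of the original post) that parses the tcpdump-style pflog line format quoted above and tallies blocked packets per interface and per rule, records which interface(s) each source host was seen on, and flags repeated src/sport/dst/dport 4-tuples (the same connection attempt logged more than once, as with .41.3138 and .28.59751 above). The regex and field names are my own assumptions derived from that line format; the embedded sample is the seven lines from the post. On that sample every source host shows up on exactly one interface, which is the sort of fact worth establishing before looking for a cause.

```python
"""Group blocked pflog entries by interface, rule, source host and flow."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample: the seven pflog0 lines quoted in the post above.
SAMPLE_LINES = [
    "06:19:08.497855 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)",
    "06:19:08.546275 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)",
    "06:19:08.582708 rule 17/(match) block in on fxp0: 192.168.192.146.61276 > 23.202.94.13.80: tcp 0 (DF)",
    "06:19:08.869587 rule 17/(match) block in on vether0: 192.168.193.12.2103 > 77.234.44.77.443: tcp 0 (DF)",
    "06:19:08.872942 rule 17/(match) block in on vether0: 192.168.193.12.2104 > 77.234.42.76.443: tcp 0 (DF)",
    "06:19:09.000769 rule 17/(match) block in on vether0: 192.168.193.41.3138 > 77.234.44.65.80: tcp 0 (DF)",
    "06:19:09.046083 rule 17/(match) block in on fxp0: 192.168.193.28.59751 > 77.234.44.76.443: tcp 0 (DF)",
]

# Assumed line shape (matches the format shown in the post):
#   HH:MM:SS.usec rule N/(reason) ACTION DIR on IFACE: SRC.SPORT > DST.DPORT: PROTO ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule\s+(?P<rule>\d+)/\((?P<reason>[^)]+)\)\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>[^:\s]+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<proto>\S+)"
)


def parse_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines):
    """Tally blocked packets by interface and rule, map each source host to the
    interfaces it was logged on, and count flows (4-tuples) that repeat."""
    per_iface = Counter()
    per_rule = Counter()
    src_ifaces = defaultdict(set)
    flows = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] != "block":
            continue  # only blocked traffic is of interest here
        per_iface[rec["iface"]] += 1
        per_rule[rec["rule"]] += 1
        src_ifaces[rec["src"]].add(rec["iface"])
        flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])] += 1
    return {
        "per_iface": dict(per_iface),
        "per_rule": dict(per_rule),
        "src_ifaces": {src: sorted(ifs) for src, ifs in src_ifaces.items()},
        "repeated_flows": {flow: n for flow, n in flows.items() if n > 1},
        "unparsed": unparsed,
    }


def hosts_on_multiple_ifaces(summary):
    """Source hosts whose blocked packets were logged on more than one interface."""
    return sorted(src for src, ifs in summary["src_ifaces"].items() if len(ifs) > 1)


if __name__ == "__main__":
    # Read a saved pflog dump from a file given on the command line, else use the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    s = summarize(lines)
    print("blocked per interface:", s["per_iface"])
    print("blocked per rule:     ", s["per_rule"])
    for src, ifs in sorted(s["src_ifaces"].items()):
        print(f"  {src:<16} seen on {', '.join(ifs)}")
    for flow, n in s["repeated_flows"].items():
        print(f"  repeated x{n}: {flow[0]}.{flow[1]} > {flow[2]}.{flow[3]}")
    print("hosts on more than one interface:", hosts_on_multiple_ifaces(s) or "none")
    print("unparsed lines:", s["unparsed"])
```

Save the output of `tcpdump -n -e -i pflog0` to a file and pass it as the first argument; the regex only understands lines in the shape quoted in the post, so anything else is counted under "unparsed" rather than silently dropped.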