Good day! I hope someone could clarify whether the following behavior is expected in a bridge configuration. I have the following rules added in hostname.bridge0:

-------------------------------------------------------
#this will result out to be blocked
rule block in on vic0
rule block out on vic0
rule pass out on vic0

#this will result out to be passed
#rule block in on vic0
#rule pass out on vic0
#rule block out on vic0
--------------------------------------------------------

As you see in the comments, the uncommented section will block out traffic and the second section will let it pass. Somehow these rules behave like rules added to pf but with the 'quick' keyword. So I deduce that a catch-all policy must be added last and not first, as in pf.

In the manpage of ifconfig I see this:

"Rules are processed in the order in which they were added to the interface"

So I believe the behavior makes sense, but I just want to confirm this behavior with you, as I read the opposite in a book (Building Firewalls With OpenBSD And PF):

"rule block out on ne1
rule pass out on ne1 src 00:00:00:00:00:01
rule pass out on ne1 src 00:00:00:00:00:02
rule pass out on ne1 src 00:00:00:00:00:03

Please note that the last matching rule wins, hence the global block or pass rule should be listed before more specific rules."

I would like to understand if the book has a mistake or I am doing something wrong.

Thank you.
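The question above is really about which matching semantics the bridge rule list has (first match decides, as with pf's `quick`, or last match decides, as the book quote says), because the correct position of the catch-all rule depends on it. The following added example is a small simulator written for this thread; it is not OpenBSD's bridge(4) code and does not decide which semantics the kernel actually uses. It parses hostname.if-style `rule` lines (the subset `rule {block|pass} {in|out} on IFACE [src MAC] [dst MAC]` is assumed) and evaluates a frame under both semantics, so a rule set can be checked on paper before it is loaded. The default verdict when no rule matches is an assumption and is a parameter.

```python
"""Evaluate OpenBSD-style bridge filter rules under 'first match' and
'last match' semantics.  Constructed example for the thread above, not
OpenBSD's own implementation."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed grammar (subset of the ifconfig(8) bridge rule syntax):
#   rule {block|pass} {in|out} on IFACE [src MAC] [dst MAC]
RULE_RE = re.compile(
    r"^rule\s+(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\S+)"
    r"(?:\s+src\s+(?P<src>[0-9a-fA-F:]{17}))?"
    r"(?:\s+dst\s+(?P<dst>[0-9a-fA-F:]{17}))?\s*$"
)


@dataclass
class Rule:
    action: str          # "block" or "pass"
    direction: str       # "in" or "out"
    iface: str
    src: Optional[str] = None
    dst: Optional[str] = None

    def matches(self, direction: str, iface: str, src: str, dst: str) -> bool:
        """A rule matches when direction and interface agree and any
        src/dst qualifier present on the rule equals the frame's address."""
        if self.direction != direction or self.iface != iface:
            return False
        if self.src and self.src.lower() != src.lower():
            return False
        if self.dst and self.dst.lower() != dst.lower():
            return False
        return True


def parse_rules(text: str) -> List[Rule]:
    """Parse hostname.if-style lines; '#' comments and blank lines are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        g = m.groupdict()
        rules.append(Rule(g["action"], g["dir"], g["iface"], g["src"], g["dst"]))
    return rules


def evaluate(rules: List[Rule], direction: str, iface: str,
             src: str = "00:00:00:00:00:00", dst: str = "ff:ff:ff:ff:ff:ff",
             semantics: str = "first", default: str = "pass") -> str:
    """Return 'block' or 'pass' for one frame.

    semantics="first": the first matching rule decides (pf 'quick' style).
    semantics="last":  all rules are scanned and the last match decides.
    default: verdict when nothing matches (assumption, not taken from bridge(4)).
    """
    verdict = default
    for rule in rules:
        if rule.matches(direction, iface, src, dst):
            if semantics == "first":
                return rule.action
            verdict = rule.action          # keep scanning; last match wins
    return verdict


def compare(text: str, direction: str, iface: str,
            src: str = "00:00:00:00:00:00") -> dict:
    """Verdict of the same rule text under both semantics."""
    rules = parse_rules(text)
    return {s: evaluate(rules, direction, iface, src, semantics=s)
            for s in ("first", "last")}


# Rule sets quoted in the thread (the poster's two variants and the book's).
POSTER_UNCOMMENTED = """
rule block in on vic0
rule block out on vic0
rule pass out on vic0
"""
POSTER_COMMENTED = """
rule block in on vic0
rule pass out on vic0
rule block out on vic0
"""
BOOK_RULES = """
rule block out on ne1
rule pass out on ne1 src 00:00:00:00:00:01
rule pass out on ne1 src 00:00:00:00:00:02
rule pass out on ne1 src 00:00:00:00:00:03
"""

if __name__ == "__main__":
    print("poster, uncommented, out:", compare(POSTER_UNCOMMENTED, "out", "vic0"))
    print("poster, commented, out:  ", compare(POSTER_COMMENTED, "out", "vic0"))
    print("book, known src, out:    ", compare(BOOK_RULES, "out", "ne1", "00:00:00:00:00:01"))
    print("book, unknown src, out:  ", compare(BOOK_RULES, "out", "ne1", "00:00:00:00:00:09"))
```

Running it shows the two orderings are mirror images: the uncommented set blocks outbound frames under first-match and passes them under last-match, while the commented set does the reverse. The book's set only whitelists the three MACs if last-match semantics hold; under first-match the leading global block shadows every later pass rule, which is exactly the symptom described in the question.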