On Tue, Jul 26, 2022 at 11:18:06AM +0300, Cristian Danila wrote:
> Good day!
> I hope someone could clarify if the following behavior is
> expected in a bridge configuration.
> I have the following rules added in hostname.bridge0:
>
> -------------------------------------------------------
> #this will result in out traffic being blocked
> rule block in on vic0
> rule block out on vic0
> rule pass out on vic0
>
> #this will result in out traffic being passed
> #rule block in on vic0
> #rule pass out on vic0
> #rule block out on vic0
> --------------------------------------------------------
> As you see in the comments, the uncommented section will block out
> traffic and the second section will let it pass. Somehow these
> rules behave like rules added to pf but with the 'quick' keyword.
> So I deduce that a catch-all policy must be added last and not
> first like in pf.
>
> In the manpage of ifconfig I see this:
> "Rules are processed in the order in which they were added to
> the interface"
> So I believe the behavior makes sense, but I just want to
> confirm this behavior with you, as I read the opposite in a book
> (Building Firewalls With OpenBSD And PF):
>
> "rule block out on ne1
> rule pass out on ne1 src 00:00:00:00:00:01
> rule pass out on ne1 src 00:00:00:00:00:02
> rule pass out on ne1 src 00:00:00:00:00:03
> Please note that the last matching rule wins, hence the
> global block or pass rule should be listed before more
> specific rules."
>
> I would like to understand if the book has a mistake or if I am
> doing something wrong.
The manpage actually has a bit more:

    Rules are processed in the order in which they were added to the
    interface. The first rule matched takes the action ...

So the book got this wrong. bridge(4) uses first-match logic, unlike
pf(4), where last match is the default.

-- 
:wq Claudio
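As an added illustration (not part of the thread, and not OpenBSD's own code), the following Python model evaluates the three rule sets quoted above under both matching disciplines Claudio contrasts: bridge(4)-style first match and pf(4)-style last match. The parser understands only the rule subset that appears in the thread (`rule {block|pass} {in|out} on <ifname> [src <mac>]`), and the pass-when-nothing-matches default is an assumption of the model, not something the thread states.

```python
"""Model of bridge(4) first-match vs pf(4) last-match rule evaluation.

Added example for the mailing-list thread above; the rule sets are the
ones quoted in the thread, the evaluation code is a constructed model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "block" or "pass"
    direction: str            # "in" or "out"
    iface: str                # bridge member interface name
    src: Optional[str] = None  # optional source MAC; None matches any

    def matches(self, direction: str, iface: str, src: Optional[str]) -> bool:
        return (self.direction == direction
                and self.iface == iface
                and (self.src is None or self.src == (src or "").lower()))


def parse_rule(line: str) -> Rule:
    """Parse 'rule {block|pass} {in|out} on <ifname> [src <mac>]'.

    Only the subset of the ifconfig(8) bridge rule syntax used in the
    thread is supported; anything else is rejected.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "rule" or tokens[3] != "on":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    action, direction, iface = tokens[1], tokens[2], tokens[4]
    if action not in ("block", "pass") or direction not in ("in", "out"):
        raise ValueError(f"bad action/direction in rule: {line!r}")
    src = None
    rest = tokens[5:]
    if rest:
        if len(rest) != 2 or rest[0] != "src":
            raise ValueError(f"unsupported qualifier in rule: {line!r}")
        src = rest[1].lower()
    return Rule(action, direction, iface, src)


def load_rules(text: str) -> List[Rule]:
    """Parse a hostname.if-style block, skipping blanks and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append(parse_rule(line))
    return rules


def first_match(rules: List[Rule], direction: str, iface: str,
                src: Optional[str] = None, default: str = "pass") -> str:
    """bridge(4) semantics per the quoted manpage: first matching rule wins.

    The 'pass' default when no rule matches is an assumption of this model.
    """
    for rule in rules:
        if rule.matches(direction, iface, src):
            return rule.action
    return default


def last_match(rules: List[Rule], direction: str, iface: str,
               src: Optional[str] = None, default: str = "pass") -> str:
    """pf(4)-style semantics (no 'quick'): the last matching rule wins."""
    verdict = default
    for rule in rules:
        if rule.matches(direction, iface, src):
            verdict = rule.action
    return verdict


def compare(text: str, direction: str, iface: str,
            src: Optional[str] = None) -> Dict[str, str]:
    """Return the verdict of both disciplines for one frame description."""
    rules = load_rules(text)
    return {"first_match": first_match(rules, direction, iface, src),
            "last_match": last_match(rules, direction, iface, src)}


# The three rule sets quoted in the thread.
SET_A = """
rule block in on vic0
rule block out on vic0
rule pass out on vic0
"""
SET_B = """
rule block in on vic0
rule pass out on vic0
rule block out on vic0
"""
BOOK_EXAMPLE = """
rule block out on ne1
rule pass out on ne1 src 00:00:00:00:00:01
rule pass out on ne1 src 00:00:00:00:00:02
rule pass out on ne1 src 00:00:00:00:00:03
"""

if __name__ == "__main__":
    print("set A, out on vic0:", compare(SET_A, "out", "vic0"))
    print("set B, out on vic0:", compare(SET_B, "out", "vic0"))
    print("book, out on ne1 from ...:01:",
          compare(BOOK_EXAMPLE, "out", "ne1", "00:00:00:00:00:01"))
```

Under first match, set A blocks outbound frames and set B passes them, which is exactly what the reporter observed, while under last match the two outcomes swap. The book's ruleset only does what the book claims (pass the three listed source MACs) under last-match semantics; evaluated first-match, as bridge(4) does, its leading `block out` catches every frame and the specific `pass` rules are never reached, so on a bridge the catch-all has to come last.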