Thank you for the info, I was confused by the book. Happy to see this is the intended behavior.

Kind regards,
Claudiu
On Tue, Jul 26, 2022, 11:36 Claudio Jeker <cje...@diehard.n-r-g.com> wrote:

> On Tue, Jul 26, 2022 at 11:18:06AM +0300, Cristian Danila wrote:
> > Good day!
> > I hope someone could clarify if the following behavior is
> > expected in a bridge configuration.
> > I have the following rules added in hostname.bridge0
> >
> > -------------------------------------------------------
> > #this will result out to be blocked
> > rule block in on vic0
> > rule block out on vic0
> > rule pass out on vic0
> >
> > #this will result out to be passed
> > #rule block in on vic0
> > #rule pass out on vic0
> > #rule block out on vic0
> > --------------------------------------------------------
> > As you see in the comments, the uncommented section will block out
> > traffic and the second section will let it pass. Somehow these
> > rules behave like rules added to pf but with the 'quick' keyword.
> > So I deduce that a catch-all policy must be added last and not
> > first like in pf.
> >
> > In the manpage of ifconfig I see this:
> > "Rules are processed in the order in which they were added to
> > the interface"
> > So I believe the behavior makes sense, but I just want to
> > confirm this behavior with you, as I read in a book (Building
> > Firewalls With OpenBSD And PF) the opposite:
> >
> > "rule block out on ne1
> > rule pass out on ne1 src 00:00:00:00:00:01
> > rule pass out on ne1 src 00:00:00:00:00:02
> > rule pass out on ne1 src 00:00:00:00:00:03
> > Please note that the last matching rule wins, hence the
> > global block or pass rule should be listed before more
> > specific rules."
> >
> > I would like to understand if the book has a mistake or I do
> > something wrong.
>
> The manpage actually has a bit more:
>   Rules are processed in the order in which they were added to the
>   interface. The first rule matched takes the action ...
>
> So the book got this wrong. bridge(4) uses a first match logic unlike
> pf(4) where last match is the default.
>
> --
> :wq Claudio
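The difference Claudio describes is easy to get wrong when moving between pf.conf and hostname.bridge0, so here is a small Python model of the two evaluation orders, added as an illustration and not code from the thread or from OpenBSD. It parses only the `rule {block|pass} {in|out} on IFACE [src MAC]` subset used in the thread, evaluates the three rule sets quoted above (Cristian's two vic0 sets and the book's ne1 example) under both bridge(4)-style first-match and pf(4)-style last-match, and shows that the book's ordering only works under last-match. The default verdict when no rule matches (pass) is an assumption of this model, not a claim about the kernel.

```python
"""Model of bridge(4) first-match vs pf(4) last-match rule ordering (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "block" or "pass"
    direction: str            # "in" or "out" (the "in-out" form is not modelled here)
    interface: str
    src: Optional[str] = None  # optional "src <mac>" qualifier, lower-cased


def parse_rule(line: str) -> Rule:
    """Parse one 'rule ACTION DIR on IFACE [src MAC]' line; reject anything else."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "rule" or tokens[3] != "on":
        raise ValueError(f"unrecognised rule syntax: {line!r}")
    action, direction, interface = tokens[1], tokens[2], tokens[4]
    if action not in ("block", "pass"):
        raise ValueError(f"unknown action in {line!r}")
    if direction not in ("in", "out"):
        raise ValueError(f"unsupported direction in {line!r}")
    src = None
    rest = tokens[5:]
    if rest:
        if len(rest) != 2 or rest[0] != "src":
            raise ValueError(f"unsupported qualifier in {line!r}")
        src = rest[1].lower()
    return Rule(action, direction, interface, src)


def parse_rules(text: str) -> List[Rule]:
    """Parse a hostname.bridge0-style fragment, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def matches(rule: Rule, direction: str, interface: str, src: str) -> bool:
    return (rule.direction == direction
            and rule.interface == interface
            and (rule.src is None or rule.src == src.lower()))


def first_match(rules: List[Rule], direction: str, interface: str, src: str,
                default: str = "pass") -> str:
    """bridge(4) semantics: the first rule matched takes the action."""
    for rule in rules:
        if matches(rule, direction, interface, src):
            return rule.action
    return default  # assumption: unmatched frames pass


def last_match(rules: List[Rule], direction: str, interface: str, src: str,
               default: str = "pass") -> str:
    """pf(4) semantics without 'quick': the last matching rule wins."""
    decision = default
    for rule in rules:
        if matches(rule, direction, interface, src):
            decision = rule.action
    return decision


# Constructed inputs: the three rule sets quoted in the thread.
BLOCK_FIRST = """
rule block in on vic0
rule block out on vic0
rule pass out on vic0
"""
PASS_FIRST = """
rule block in on vic0
rule pass out on vic0
rule block out on vic0
"""
BOOK_NE1 = """
rule block out on ne1
rule pass out on ne1 src 00:00:00:00:00:01
rule pass out on ne1 src 00:00:00:00:00:02
rule pass out on ne1 src 00:00:00:00:00:03
"""

if __name__ == "__main__":
    mac = "00:00:00:00:00:01"
    for name, text, iface in (("BLOCK_FIRST", BLOCK_FIRST, "vic0"),
                              ("PASS_FIRST", PASS_FIRST, "vic0"),
                              ("BOOK_NE1", BOOK_NE1, "ne1")):
        rules = parse_rules(text)
        print(f"{name}: out on {iface} from {mac}: "
              f"bridge(4) first-match={first_match(rules, 'out', iface, mac)}, "
              f"pf(4) last-match={last_match(rules, 'out', iface, mac)}")
```

Under first-match the book's ne1 set blocks every outbound frame, including those from the three listed MACs, because the global block sits first; to get the book's intended result on a bridge the specific pass rules must come before the catch-all block, which is exactly the ordering Cristian observed on vic0.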