On Sat, Sep 13, 2008 at 8:46 AM, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> I can't get a 1.2.1-RC1 full with two NICs (VIA mini ITX) to filter traffic
> using http://pfsense.trendchiller.com/transparent_firewall.pdf
>
> No rules either in WAN or LAN, to the bridge must block
> everything -- but doesn't. No change when I define explicit
> blocking rules for everything.
>
There are some default rules on LAN, like the anti-lockout rule, that could be passing the traffic. You can disable that on the Advanced page. That's the only one I can think of offhand that would pass traffic, though LAN is a bit special in 1.2.x and there could be something else I'm not thinking of offhand.

Note the "enable filtering bridge" checkbox does nothing in 1.2.1 and should have done nothing in 1.2. In 1.2, turning that on actually can create some weird problems with filtering in some circumstances. That's a holdover from the way m0n0wall does things, and should have been removed when we switched to if_bridge. If you're running bridging on 1.2, I recommend leaving that disabled. It adds rules to the bridge itself, when the bridge should never have rules. The member interfaces get rules added, and you want to filter on both the member interfaces and not the bridge itself.
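The reply makes two checkable points: with if_bridge the bridge interface itself should carry no rules (only the member NICs should), and a default LAN rule such as anti-lockout can pass traffic the user expected to be blocked. The script below, added here as an example and not code from the thread or from pfSense, audits a dump of the loaded pf ruleset for both. The interface names (vr0, vr1, bridge0) and the rule lines are constructed to resemble `pfctl -sr` output; on a real box you would feed it `audit_bridge_rules "$(pfctl -sr)" <lan-nic> <wan-nic>` instead.

```shell
#!/bin/sh
# Constructed sample ruleset in the style of `pfctl -sr` (not copied from any
# real system): one anti-lockout pass rule on the LAN NIC, one stray pass
# rule bound to the bridge itself, and default-deny rules on both members.
SAMPLE_RULES='pass in quick on vr0 inet from any to any flags S/SA keep state label "anti-lockout"
pass in quick on bridge0 inet from any to any keep state label "bridge rule"
block in log quick on vr1 inet from any to any label "Default deny"
block in log quick on vr0 inet from any to any label "Default deny"'

# Print every rule bound to a bridgeN interface; empty output is the good case,
# since with if_bridge the filtering belongs on the member interfaces.
rules_on_bridge() {
    printf '%s\n' "$1" | grep -E ' on bridge[0-9]+ ' || true
}

# Count pass rules bound to a given member interface (prints 0 when none).
count_pass_on_iface() {
    printf '%s\n' "$1" | grep -Ec "^pass .* on $2 " || true
}

# Exit 0 if a pass rule labelled anti-lockout is bound to the given interface.
has_anti_lockout() {
    printf '%s\n' "$1" | grep -Eq "^pass .* on $2 .*anti-lockout"
}

# Report on one ruleset for the listed member interfaces.
# Returns 1 if a bridge-bound rule or an anti-lockout pass rule is found.
audit_bridge_rules() {
    rules=$1
    shift
    status=0
    bridge_rules=$(rules_on_bridge "$rules")
    if [ -n "$bridge_rules" ]; then
        echo "WARNING: rules bound to the bridge interface (filter on members instead):"
        printf '%s\n' "$bridge_rules" | sed 's/^/  /'
        status=1
    fi
    for ifn in "$@"; do
        n=$(count_pass_on_iface "$rules" "$ifn")
        echo "$ifn: $n pass rule(s)"
        if has_anti_lockout "$rules" "$ifn"; then
            echo "  note: anti-lockout rule passes traffic on $ifn (can be disabled on the Advanced page)"
            status=1
        fi
    done
    return "$status"
}

# Stand-alone run against the constructed sample (expected to report both issues).
audit_bridge_rules "$SAMPLE_RULES" vr0 vr1 || echo "audit found issues in the sample ruleset"
```

The check is deliberately textual: `pfctl -sr` prints the rules pf actually loaded, so it reflects what the box is doing regardless of what the web GUI shows, which is the right place to look when "no rules" still passes traffic.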