PF A simple pf rule?

Hi,

I'm not a specialist in firewalls, and especially not pf, but this should be simple, yet I can't make it work.

I want to block some TCP packets coming from a VM through a tap when their destination is 192.168.5.c (a bare metal machine), port X on my private network. To do that I use pf on my router. This router holds the VM, the virtual bridge0 and the physical interface ix0.
Code:
(VM 192.168.5.a)-tap0->[bridge0]-ix0->...(192.168.5.c)
|.........Router 192.168.5.b.........|

I thought this rule would work, but no, it blocks nothing:
block in quick proto tcp from any to 192.168.5.c port X

knowing that when I want to block a port Y on my router for the VM, the following rule works perfectly:
block in quick proto tcp from any to 192.168.5.b port Y

Any idea?
 
Could it be the light? Cannot test for the moment...

bridge(4)
net.link.bridge.pfil_member Set to 1 to enable filtering on the incoming and outgoing member interfaces, set to 0 to disable it.

net.link.bridge.pfil_bridge Set to 1 to enable filtering on the bridge interface, set to 0 to disable it.
 
sysctl net.link.bridge.pfil_member=1 did the trick.

Without that, there is no pfil hook in the interface members of the bridge. I wonder why it's the default, but it is.

I'm surprised that no one answered this question, which was actually simple.
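To put the fix from this post together with the rule from the first post, here is a sysctl.conf and pf.conf fragment. It is an added illustration, not configuration taken from the thread: the interface names and addresses follow the diagram above, and `c` and `X` are the placeholders the original poster used for the host address and the port.

```conf
# /etc/sysctl.conf (added example, not from the thread)
# Without pfil_member=1 there is no pfil hook on tap0 or ix0, so a rule
# written for traffic arriving on a bridge member never gets evaluated.
net.link.bridge.pfil_member=1
# pfil_bridge controls filtering on bridge0 itself (see the bridge(4) quote above).
net.link.bridge.pfil_bridge=1

# /etc/pf.conf fragment
# The rule as posted; it only matches once member filtering is enabled.
block in quick proto tcp from any to 192.168.5.c port X
# The same rule pinned to the member interface the VM traffic enters on,
# so it is evaluated only there and cannot match traffic from ix0.
block in quick on tap0 proto tcp from any to 192.168.5.c port X
```

To confirm the sysctl took effect, `sysctl net.link.bridge.pfil_member` should print 1; after `pfctl -f /etc/pf.conf`, `pfctl -v -s rules` shows per-rule evaluation and packet counters, so a rule whose counters stay at zero while the VM sends traffic is a sign the packets never reached pf.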
 
I'm surprised that no one answered this question, which was actually simple.
Well, I can't speak for any others, but when I read your post I assumed I was dealing with a PF related issue, but as I read further it became clear to me that the issue was more about bridging rather than packet filtering. And my experience with bridges is dated, not to mention that I only dealt with trusted networks; so there was no need for specific filtering on my end.
 
trusted networks
Something I gave up believing the day my son brought a piece of malware, and a tenacious one, onto my private network. But that's not the point.

Here, these rules block ports I intentionally left open on the internet with pfsense. Only when I send a specially crafted packet is a specific rule deactivated (anchor flushed in pf) to let me use a service through that port. After use of the said service, another specially crafted packet is sent to command the reload of the pf rules and then close all ports.
 