From: ProAce
To: freebsd-questions@freebsd.org
Date: Wed, 20 Jun 2012 17:27:57 +0800
Subject: packet filter problem on transparent firewall using bridge and pf

I have some trouble with pf on a FreeBSD bridge.

Network topology:

    ( untrust ) -- { em0 , bridge0 , em1 } -- ( trust )

    Bridge network: 10.1.1.0/24
    bridge0 IP:     10.1.1.1   ( freebsd's ip )
    default gw:     10.1.1.254 ( in untrust area )
    servers:        10.1.1.101 ~ 200 ( in trust area )

pf.conf on freebsd:

    serv1="10.1.1.101"
    client1="10.1.6.73"

    block in all
    block out all

    pass in quick on lo0 all
    pass out quick on lo0 all

    pass in quick on bridge0 from 10.1.1.0/24 to any
    pass out quick on bridge0 from 10.1.1.0/24 to any

    pass in quick on bridge0 from $client1 to 10.1.1.1
    pass in quick on bridge0 from $client1 to $serv1

When I turn on pf, I test some connection status:

1. client1 cannot connect to serv1.
2. gw cannot connect to serv1.
3. client1 connects to freebsd ( 10.1.1.1 ) successfully.
4. gw connects to freebsd ( 10.1.1.1 ) successfully.

If I turn off pf, all connection tests are successful.

What's wrong with the pf rules?

The following is some description of the bridge topology.

FreeBSD and the servers are VMware guests in VMware ESXi. The ESXi has two virtual switches:

    vSw1: connects to untrust
    vSw2: interconnects freebsd and the servers

freebsd has two vNICs:

    em0: connects to vSw1
    em1: connects to vSw2

The servers have only one vNIC:

    em0: connects to vSw2

freebsd's rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_bridge0="inet 10.1.1.1 netmask 255.255.255.0 addm em0 addm em1 up"
    ifconfig_em0="up"
    ifconfig_em1="up"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"

freebsd's sysctl:

    net.link.bridge.ipfw: 0
    net.link.bridge.inherit_mac: 0
    net.link.bridge.log_stp: 0
    net.link.bridge.pfil_local_phys: 0
    net.link.bridge.pfil_member: 1
    net.link.bridge.pfil_bridge: 1
    net.link.bridge.ipfw_arp: 0
    net.link.bridge.pfil_onlyip: 1
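Editor's note, added after the post and not part of the original message: with net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=1 (the values the poster lists), if_bridge hands every forwarded packet to pf on the physical member interface (em0 or em1) as well as on bridge0, while packets addressed to the host itself skip the member pass because pfil_local_phys=0. A ruleset whose only pass rules name lo0 and bridge0 therefore lets host-bound traffic through but drops forwarded traffic at "block in all" on em0/em1, which matches the four test results above. The pf.conf below is an added example (not the poster's file) that keeps the poster's addresses and adds member-interface rules; the interface roles (em0 = untrust, em1 = trust) are taken from the topology diagram.

```pf
# Added example, not the original pf.conf. Assumes em0 faces the untrust
# side and em1 the trust side, as in the poster's diagram, and that the
# sysctls stay at pfil_member=1 / pfil_bridge=1 / pfil_local_phys=0.
ext_if="em0"
int_if="em1"
serv1="10.1.1.101"
client1="10.1.6.73"

set skip on lo0

# Default deny in both directions; "log" sends drops to pflog0 so the
# blocking interface and rule can be seen with tcpdump.
block log all

# Forwarded traffic is filtered on the member interface it enters on.
# States are floating by default, so the "pass in" state also matches the
# same packet on bridge0 and on the egress member, and the replies.
pass in quick on $int_if from 10.1.1.0/24 to any
pass in quick on $ext_if from $client1 to { 10.1.1.1, $serv1 }

# Host-bound packets bypass the member filter (pfil_local_phys=0) and are
# seen only on bridge0, so the bridge rules from the original post stay.
pass in  quick on bridge0 from 10.1.1.0/24 to any
pass out quick on bridge0 from 10.1.1.0/24 to any
pass in  quick on bridge0 from $client1 to 10.1.1.1
pass in  quick on bridge0 from $client1 to $serv1
```

To confirm which interface is doing the blocking before changing anything, run `tcpdump -n -e -ttt -i pflog0` while repeating the failing test; each logged drop names the interface and rule number. `pfctl -vsr` shows per-rule packet counters, and the blocks on em0/em1 will be the ones incrementing. The alternative documented in if_bridge(4) is `sysctl net.link.bridge.pfil_member=0`, which makes pf see forwarded packets only on bridge0, so the original ruleset would then apply as written.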