From: peter.blok@bsd4all.org
To: freebsd-net
Subject: pf firewall on bridge member
Date: Tue, 31 Mar 2020 11:20:36 +0200
List-Id: Networking and TCP/IP with FreeBSD

I have difficulty filtering one member of a bridge using the pf firewall.

net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0

Two segments are bridged, segment ‘home’ and segment ‘safe’. The idea for segment ‘safe’ is to only allow access to the outside world with certain rules, but NO access to segment ‘home’. Hosts on segment ‘home’ are allowed to initiate a connection to hosts on segment ‘safe’.

When I do an ifconfig safe down, the connection from a host on ‘home’ to safe is severed, so there is no alternative way to get there. But any rule on the interface corresponding with zone ‘safe’ does not work.

Both members are vlan interfaces. I have tried to disable any hardware vlan capabilities, but no effect.

I’m running recent 12-STABLE.

I need to have both segments on the same IP segment. If someone has other ideas to do it differently

Peter
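A pf.conf that expresses the policy described in the mail, added here as an example and not Peter's own ruleset: it assumes the two bridge members are named home and safe, that the shared subnet is 192.0.2.0/24 and that the safe hosts are the two listed addresses (all constructed), and it relies on the sysctl values quoted above (pfil_member=1, pfil_bridge=0), under which pf sees each frame on the member interface it enters and leaves rather than on the bridge itself.

```pf
# Added example, not the poster's configuration. Assumed names and addresses:
# members "home" and "safe" (vlan interfaces renamed with ifconfig), shared
# subnet 192.0.2.0/24, safe hosts 192.0.2.200 and .201 (all constructed).
# Requires net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0:
# rules are written "on" the member interfaces, not on bridge0.
home_if = "home"
safe_if = "safe"
lan_net = "192.0.2.0/24"
table <safe_hosts> const { 192.0.2.200, 192.0.2.201 }

set skip on lo0
# Floating states (the default) are matched on whichever member a frame is
# seen on, so a state created "in on $home_if" also passes the reply frames
# arriving "in on $safe_if" and the forwarded frame going "out on $safe_if".
set state-policy floating

block log all

# Anti-spoofing per member: a frame entering "safe" must carry a safe host's
# source address, and a frame entering "home" must not claim one.
block in log quick on $safe_if from ! <safe_hosts>
block in log quick on $home_if from <safe_hosts>

# Policy for "safe": no access to the rest of the LAN, only to the outside.
# Both segments share one IP subnet, so the split is by host table, not by
# network: "to $lan_net" from a safe host means the home side (or the
# firewall itself) and is blocked before the outside-access rules.
block in log quick on $safe_if from <safe_hosts> to $lan_net
pass in on $safe_if proto { tcp udp } from <safe_hosts> to ! $lan_net \
    port { 53 80 443 } keep state
pass in on $safe_if proto icmp from <safe_hosts> to ! $lan_net keep state

# Policy for "home": may initiate any connection towards the safe hosts,
# and reach the outside as before.
pass in on $home_if from $lan_net to <safe_hosts> keep state
pass in on $home_if from $lan_net to ! $lan_net keep state

# Checks: "pfctl -nf /etc/pf.conf" parses without loading; "pfctl -vsr"
# prints per-rule evaluation and packet counters, so a rule that is loaded
# but never matching stays at zero while the frames hit another rule.
# Non-IP frames such as ARP are not filtered while the default
# net.link.bridge.pfil_onlyip=1 is in effect.
```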