The way I understand NetBSD bridges is that they act as "level 2" switches. The DomU systems I wish to isolate from each other are attached to the same bridge, bridge0. Packets to the rest of the world go through tap0, as it is also attached to bridge0.

This view explains why the 'block tap0' rule is ineffective; the bridge0 switch will naturally pass packets directly from 10.0.0.2 to 10.0.0.5. But 'block all' should, er, block it all. This is the essence of the issue, I think.

Two approaches:

1. Don't bridge; put each domU on its own interface and NAT them individually.
2. Tell pf to filter in bridge mode. I know I have done this with ipfilter; IIRC there was an extra kernel option.
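The first approach above (no bridge, one tap interface per domU, NAT applied per domU on the dom0 uplink), written out as a pf.conf. This is an added example, not a configuration from the original post or from NetBSD; the interface names (wm0, tap0, tap1), the domU addresses and the /30 layout are assumptions made up for illustration, and the ruleset uses the nat/rdr syntax of the pf version NetBSD ships (pre-4.7 OpenBSD style). Because each domU is now routed through dom0 rather than switched by bridge0, the 'block' rules actually see domU-to-domU packets, which is exactly what the bridged setup prevented.

```pf
# Added example pf.conf for the "don't bridge" approach.
# Assumed layout (not from the original post): dom0's uplink is wm0,
# each domU sits alone on its own tap interface, and the addresses
# below are constructed for the example.
ext_if    = "wm0"
domu_a_if = "tap0"
domu_a    = "10.0.0.2"      # domU A, alone on tap0
domu_b_if = "tap1"
domu_b    = "10.0.0.6"      # domU B, alone on tap1

# NAT each domU individually as its traffic leaves the uplink.
# (ip forwarding must be enabled in dom0 for any of this to route.)
nat on $ext_if from $domu_a to any -> ($ext_if)
nat on $ext_if from $domu_b to any -> ($ext_if)

# Default deny; every pass below is an explicit exception.
block all

# Isolation: a domU may never reach the other domU. 'quick' makes
# these decisive regardless of the pass rules that follow.
block in quick on $domu_a_if from $domu_a to $domu_b
block in quick on $domu_b_if from $domu_b to $domu_a

# Each domU may open connections to the outside world. 'keep state'
# lets the replies back in on the tap interface without a separate rule.
pass in on $domu_a_if from $domu_a to any keep state
pass in on $domu_b_if from $domu_b to any keep state

# Outbound on the uplink: this second state carries the NAT translation
# created above, so replies arriving on wm0 are un-NATed correctly.
pass out on $ext_if keep state
```

Load it with `pfctl -f /etc/pf.conf` and check with `pfctl -sr` that the two 'block in quick' lines appear before the per-domU 'pass in' lines; with pf's last-match semantics the 'quick' keyword is what guarantees the isolation rules win. The second approach in the post (filtering while still bridged) needs the bridge to hand frames to the packet filter and is not covered by this ruleset.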