Subject: Re: bridging firewall - status?
To: None <tech-net@NetBSD.org>
From: MLH <mlh@goathill.org>
List: tech-net
Date: 09/05/2004 23:49:22
> 
> > 
> > On Mon, 16 Aug 2004, MLH wrote:
> > > What's the status of implementing a transparent bridging firewall
> > > on NetBSD 2.0? Last status I see is from Jan 03. The PF site says
> > > PF has been ported but I don't see evidence of it.
> > >
> > > What should I be looking for?
> > 
> > IIRC IPfilter can operate on bridge-devices, from src/doc/CHANGES:
> > 
> >         bridge(4), brconfig(8): add ipf support.  [perseant 20030216]
> > 
> > I've never used it though.
> 
> While the bridge works, ipf doesn't appear to work properly.  As
> soon as ipfilter is brought up, apparently most tcp ports are
> blocked, regardless of the rules (even if there are no rules or
> the rules open everything). ICMP (traceroute, ping, etc.) is passed
> unless the rules specifically prevent it.
> 
> So tcp ports (ssh, etc) are *always* blocked through the bridge as
> long as ipf is running.
> 
> What am I missing here?

Ha. What I was missing is that I was using two Intel PRO/100S NICs:
fxp0 at pci0 dev 11 function 0: i82550 Ethernet, rev 12
fxp1 at pci0 dev 12 function 0: i82550 Ethernet, rev 12
which to all appearances work great until they are connected in a
bridge with another NIC. At that point, they apparently cease to
pass tcp packets. This is regardless of whether ipfilter is running.
Just creating the bridge results in blocking (at least) tcp packets.

I tried a few more NICs and none experienced this behavior, including
this Intel NIC:
fxp0 at pci0 dev 14 function 0: Intel i82557 Ethernet, rev 2
which works.

Is this known behavior?

Note: the Intel NICs which don't work correctly were reprogrammed
the first time I brought NetBSD up with them in the machine.