Hey guys, I've currently got an inline bridge setup where traffic flows like so:

Code:
em0 --> bridge0 --> em1

I'm using ipfw to only allow certain traffic through, but tcpdump shows incoming traffic that I explicitly deny in ipfw making it to the bridge0 interface and then being blocked. I was under the impression the traffic would be blocked at em0. I've got a custom program that uses libpcap listening on the bridge0 interface and I would rather not have to deal with the blocked traffic. Are there any sysctl knobs I can tweak such that traffic doesn't hit bridge0 before being evaluated against the firewall ruleset?

Here are my relevant sysctl settings:

Code:
net.link.bridge.ipfw: 1 (I'm using Dummynet as well)
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0

Thanks in advance!
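The knobs listed in the post decide where a FreeBSD if_bridge hands packets to the firewall. The script below is an added example, not code from the post or from FreeBSD: it takes `sysctl net.link.bridge` output as text and reports the hook points that are enabled, using the meanings documented in bridge(4) (pfil_member=1 filters on the member interfaces such as em0/em1, pfil_bridge=1 filters on bridge0 itself, ipfw=1 enables layer-2 ipfw filtering in the bridge and is needed for dummynet; enabling ipfw turns the two pfil knobs off unless they are re-enabled). The two sample sysctl listings are constructed: the first is the poster's settings, the second has pfil_member re-enabled so the difference is visible. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Reads sysctl(8)-style
# "net.link.bridge.KEY: VALUE" lines and reports where bridged traffic
# meets the firewall, following the knob semantics in bridge(4).

# Constructed sample 1: the poster's settings.
SAMPLE_SYSCTL='net.link.bridge.ipfw: 1
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0'

# Constructed sample 2: same, but with filtering on the member interfaces
# re-enabled (bridge(4) allows this alongside net.link.bridge.ipfw=1).
SAMPLE_MEMBER='net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0'

# knob_value NAME TEXT -> value of net.link.bridge.NAME in TEXT (empty if absent)
knob_value() {
    printf '%s\n' "$2" | awk -v k="net.link.bridge.$1:" '$1 == k { print $2 }'
}

# filter_points TEXT -> comma-separated hook points that are switched on:
#   member  : firewall runs on the member interface (em0/em1) as the packet enters
#   bridge  : firewall runs on bridge0 itself
#   ipfw-l2 : layer-2 ipfw pass inside the bridge (the dummynet path)
# Prints "none" when nothing is enabled.
filter_points() {
    points=""
    [ "$(knob_value pfil_member "$1")" = 1 ] && points="${points}member,"
    [ "$(knob_value pfil_bridge "$1")" = 1 ] && points="${points}bridge,"
    [ "$(knob_value ipfw "$1")" = 1 ] && points="${points}ipfw-l2,"
    [ -n "$points" ] || points="none,"
    printf '%s\n' "${points%,}"
}

# check_member_filtering TEXT -> "ok" if rules are consulted on the member
# interface before the bridge sees the frame, "late" if the first firewall
# hook is on bridge0 / inside the bridge (what the poster's tcpdump shows).
check_member_filtering() {
    if [ "$(knob_value pfil_member "$1")" = 1 ]; then
        echo ok
    else
        echo late
    fi
}

# Stand-alone run over the two constructed samples. On a FreeBSD host the
# same functions can be fed live output: filter_points "$(sysctl net.link.bridge)"
echo "poster's settings:  $(filter_points "$SAMPLE_SYSCTL") -> $(check_member_filtering "$SAMPLE_SYSCTL")"
echo "pfil_member=1:      $(filter_points "$SAMPLE_MEMBER") -> $(check_member_filtering "$SAMPLE_MEMBER")"
```

With the poster's knobs the only hook is the layer-2 ipfw pass inside the bridge, which is consistent with denied frames showing up on bridge0 in tcpdump before being dropped; the second sample shows the member-interface hook as an additional, earlier filtering point. Whether that hook also satisfies the libpcap listener on bridge0 depends on the rest of the ruleset, so verify with tcpdump on em0 and bridge0 after changing it.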