PF Filtering on bridge with PF

Hello, I have a bridge with em0 and tap0.
tap0 is a bhyve guest; em0 has an alias for jails.

The problem is that with pf, traffic is not flowing from the bhyve guest to services within jails.

bridge0 and tap0 are set to skip.
Here are the firewall rules:
Code:
block drop log all
pass in all flags S/SA keep state
pass out all flags S/SA keep state
pass in on em0 inet proto tcp from any to 10.0.1.0/24 port = ssh flags S/SA keep state
block log all is receiving traffic from bhyve to jails. I suspect this is because state is not created for this traffic?
Here is the pflog data:
Code:
21:21:54.991205 rule 0..16777216/0(match): block out on em0: 10.0.1.5.80 > 10.0.1.8.49183: Flags [S.], seq 1326587568, ack 3166846400, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
21:21:57.988899 rule 0..16777216/0(match): block out on em0: 10.0.1.5.80 > 10.0.1.8.49183: Flags [S.], seq 1326587568, ack 3166846400, win 65535, options [mss 1460,nop,wscale 6,sackOK,eol], length 0
21:22:03.987861 rule 0..16777216/0(match): block out on em0: 10.0.1.5.80 > 10.0.1.8.49183: Flags [S.], seq 677084363, ack 3166846400, win 65535, options [mss 1460,sackOK,eol], length 0
What am I missing? Should I create rules with no state, or does another solution exist?
 
To me the firewall rules look like you are passing through everything.
Do you have IP forwarding enabled? Because you are trying to forward packets from a tap interface (and the guests do not know about your em interface and its aliases).
Basically putting it in a bridge is not a good idea. Why did you do it?
You cannot filter on a bridge with PF. Filtering on a bridge is only possible over the bridge itself. And on FreeBSD the syntax for filtering on a bridge is according to ipfw.
Only on OpenBSD do you have a bridge driver that uses the syntax of pf for filtering on a bridge. Check out the man pages of bridge(4) for details on filtering on a bridge, but that is not what you want in this case.
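The original poster suspects that no state exists for the guest's connection because tap0 is on the skip list, so the jail's SYN-ACK leaving em0 hits the block rule. The following pf.conf is an added illustration of that reading, not configuration from either post: it keeps the posted rules but narrows the skip list so pf sees the guest's SYN entering on tap0. It assumes FreeBSD with the bridge pfil hooks enabled on member interfaces (sysctl net.link.bridge.pfil_member=1) and the addresses visible in the pflog above (guest 10.0.1.8 behind tap0, jail alias 10.0.1.5 on em0); the interface names in the skip list are assumed from the question.

```pf
# Added example (not from the thread). Assumes FreeBSD, pf filtering on
# bridge members via net.link.bridge.pfil_member=1, and the addresses from
# the pflog: guest 10.0.1.8 behind tap0, jail alias 10.0.1.5 on em0.

# --- As described in the question: bridge0 and tap0 are skipped. The SYN
# from the guest arrives on tap0, which pf never inspects, so no state is
# created; the jail's SYN-ACK going "out on em0" has flags SA, does not
# match "flags S/SA", and falls through to "block drop log all".
# set skip on { lo0 bridge0 tap0 }

# --- Narrowed skip list: pf still ignores the bridge interface itself but
# now sees packets entering on tap0 and can create state there.
set skip on { lo0 bridge0 }

block drop log all

# The guest's SYN seen "in on tap0" matches here and creates state. pf
# states are floating by default, so the jail's SYN-ACK "out on em0" matches
# that state as the reply direction instead of being evaluated against the
# rule set (and blocked) again.
pass in all flags S/SA keep state
pass out all flags S/SA keep state

# Jail SSH from anywhere, unchanged from the original rule set.
pass in on em0 inet proto tcp from any to 10.0.1.0/24 port = ssh flags S/SA keep state
```

After loading the rule set, `pfctl -ss | grep 10.0.1.8` should show a state for the guest's connection once it retries the SYN; if `net.link.bridge.pfil_member` is 0, pf will not see traffic on either member interface and the block entries in pflog will persist regardless of the skip list.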
 