FreeBSD 14 Firewall Passes ALL traffic!


Dan Lists

Aug 8, 2025, 12:13:50 PM
to freebsd-questions
We have a transparent (bridged) firewall that we have been using since around 2015, maybe earlier.

After upgrading to FreeBSD 14 the firewall passes all traffic across the bridge!  That is obviously VERY bad.

The firewall does block traffic to the server itself, but not traffic passing on the bridge interface.

I've tested the exact same rules on FreeBSD 12 and 13 and they work fine.  I verified that the rules are the same, as well as the loaded kernel modules.  I tried 14.0, 14.2, and 14.3 and all of them pass all traffic on the bridge interface.

I looked at the release notes and I did not see anything that would cause this.

I am at a loss on how to debug this.

Please Help!

Thanks

Souji Thenria

Aug 8, 2025, 12:40:42 PM
to Dan Lists, freebsd-questions

On 8. Aug 2025, at 18:13, Dan Lists <list...@gmail.com> wrote:

Hi Dan,

I hope this mail is not that badly formatted since I’m writing it on my phone. 

There was a change. There is also a post in the FreeBSD forum [0]. Based on that you need to set sysctl net.link.bridge.pfil_bridge=1. 

Regards,
Souji

Dan Lists

Aug 8, 2025, 12:51:55 PM
to Souji Thenria, freebsd-questions
Sorry, I should have mentioned that I've tried setting that and it still doesn't work.

I've tried some random things, and the problem seems to be using 'via <interface>'.

I have outside em1 <--> bridge0 <--> em2 outside.

I have rules like "ipfw add deny log tcp from any to IP in via em1".  The idea is that I can block incoming traffic but allow outbound connections with state.  If I remove "in via em1" or change it to "[in] via bridge0" it blocks incoming traffic but does not allow outbound traffic from IP.

Dan Lists

Aug 8, 2025, 1:10:32 PM
to Souji Thenria, freebsd-questions
Just found some weird log entries:
Aug  8 11:37:18 hostname kernel: bridge0: mac address 00:11:22:33:44:55 vlan 50 moved from em2 to em1
Aug  8 11:37:18 hostname kernel: bridge0: mac address 00:11:22:33:44:55 vlan 50 moved from em1 to em2

Doesn't seem related, but it is weird.

Souji Thenria

Aug 8, 2025, 5:23:24 PM
to Dan Lists, freebsd-questions
I'm not familiar with ipfw. However, if I understand you correctly, your
firewall is not acting on the bridge interface itself, but rather on
both "real" interfaces. I feel like this should be fairly
straightforward.

Maybe you can post your firewall rules here, and someone with more
experience with ipfw can help.

--
Souji Thenria
Website: www.souji-thenria.net

Dan Lists

Aug 11, 2025, 10:41:31 AM
to Souji Thenria, freebsd-questions
A stripped down version of the rules is attached.  I have been using essentially the same rules since FreeBSD 10, maybe 15+ years.  I have tried the exact same rule set on FreeBSD 12, 13, and 14.

With FreeBSD 14, anywhere in the world can connect to 12.34.56.78 on port 443.  If I change 'in via em1' to 'recv em1' it blocks incoming traffic but does not allow outbound traffic with state.

This is a change from previous behavior.  I'm not sure if it was intended or a consequence of some other change.  I'd like some help figuring out how to solve the problem.

Thanks again.


ipfw.rules

Dan Lists

Aug 11, 2025, 12:31:19 PM
to Souji Thenria, freebsd-questions
Gmail doesn't want to display the rules file without downloading.  I figure others have that issue too.  Here are the lines copied.

#!/bin/sh

# Shell variable (not an alias): the rules below invoke it as $ipfw
ipfw="ipfw -q"

# Logging keyword used on the catch-all deny for em1; set to "" to deny silently
logall="log"

# Set the maximum number of dynamic rules
sysctl net.inet.ip.fw.dyn_max=65536 > /dev/null
sysctl net.inet.ip.fw.dyn_buckets=4096 > /dev/null

# Flush the old rules
$ipfw -f flush

# This breaks IPv6!
sysctl net.inet.ip.fw.one_pass=0 > /dev/null
$ipfw add 100 reass ip4 from any to any in

$ipfw add allow tcp from 'table(staff_ips)' to me 22 in
$ipfw add allow tcp from me 22 to 'table(staff_ips)' out

$ipfw add 39999 check-state

$ipfw add allow tcp from 'table(staff_ips)' to 12.34.56.78 443 in via em1
$ipfw add allow tcp from 12.34.56.78 443 to 'table(staff_ips)' out via em1

# Deny most traffic inbound on em1
$ipfw add deny $logall all from not me to not me in via em1

# Allow everything behind firewall to ping out by default
$ipfw add allow icmp from not me to not me out via em1 keep-state

# Allow all traffic on 'inside' interface and the bridge
$ipfw add allow all from not me to not me via em2
$ipfw add allow all from not me to not me via bridge0

# Block multicast without logging
$ipfw add deny ip4 from any to 224.0.0.0/8

# Block (windows) probes without logging
$ipfw add deny udp from any to any 137-139

# Allow essential icmp messages
$ipfw add 60000 allow icmp from any to any out
$ipfw add 60100 allow icmp from any to any in icmptypes 0   // echo-reply
$ipfw add 60200 allow icmp from any to any in icmptypes 3   // destination unreachable
$ipfw add 60300 allow icmp from any to any in icmptypes 11  // time exceeded

# Allow essential icmp6 messages
$ipfw add 61000 allow ipv6-icmp from any to any out
$ipfw add 61100 allow ipv6-icmp from fe80::/10 to any in
$ipfw add 61200 allow ipv6-icmp from any to ff02::/32 in
$ipfw add 61300 allow ipv6-icmp from any to any in icmp6types 1   // destination unreachable
$ipfw add 61400 allow ipv6-icmp from any to any in icmp6types 2   // packet too big
$ipfw add 61500 allow ipv6-icmp from any to any in icmp6types 3   // time exceeded
$ipfw add 61600 allow ipv6-icmp from any to any in icmp6types 4   // parameter problem
$ipfw add 61700 allow ipv6-icmp from any to any in icmp6types 129 // echo-reply
$ipfw add 61800 allow ipv6-icmp from any to any in icmp6types 133,134,135,136

# Allow everything out with state
$ipfw add 63000 allow tcp from any to any out setup keep-state
$ipfw add 63100 allow udp from any to any out keep-state
$ipfw add 63200 allow ip from any to any out

$ipfw add 65520 deny icmp from any to any in icmptypes 8 // echo request
$ipfw add 65521 deny ipv6-icmp from any to any in icmp6types 128 // echo request
$ipfw add 65522 deny udp from any to any 33434-33534 in // traceroute
$ipfw add 65523 deny ip from any to 255.255.255.255
$ipfw add 65530 deny log ip from any to any
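An added check, not code from the thread, that ties Souji's pfil_bridge hint to Dan's observation that rules qualified with 'via <interface>' stopped matching: it audits the if_bridge filter sysctls against an ipfw ruleset and reports every interface-qualified rule whose hook is off. It assumes, from if_bridge(4), that net.link.bridge.pfil_member gates filtering on member interfaces such as em1/em2 and net.link.bridge.pfil_bridge gates filtering on bridge0; the sysctl and ipfw list text is constructed inline.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the if_bridge packet-filter
# sysctls against an ipfw ruleset before trusting a transparent firewall.
# Assumed from if_bridge(4): pfil_member=1 runs the firewall on each member
# interface (em1/em2); pfil_bridge=1 runs it on bridge0 itself. A rule that
# says "via em1" needs pfil_member, "via bridge0" needs pfil_bridge; with the
# matching knob at 0 the rule never sees bridged traffic and is silently skipped.

# audit_bridge_fw SYSCTL_TEXT IPFW_LIST_TEXT BRIDGE "MEMBER MEMBER..."
# Prints "MISSING <rule>" for every rule whose interface hook is off,
# or "OK" when every interface-qualified rule is actually reachable.
audit_bridge_fw() {
    sysctls=$1; rules=$2; bridge=$3; members=$4
    member_on=$(printf '%s\n' "$sysctls" |
        awk -F': ' '$1 == "net.link.bridge.pfil_member" { print $2 }')
    bridge_on=$(printf '%s\n' "$sysctls" |
        awk -F': ' '$1 == "net.link.bridge.pfil_bridge" { print $2 }')
    printf '%s\n' "$rules" | awk -v mo="$member_on" -v bo="$bridge_on" \
        -v br="$bridge" -v mem="$members" '
        BEGIN { n = split(mem, m, " "); for (i = 1; i <= n; i++) ismem[m[i]] = 1 }
        {
            # via/recv/xmit take an interface name as the next token
            for (i = 1; i < NF; i++) {
                if ($i != "via" && $i != "recv" && $i != "xmit") continue
                ifc = $(i + 1)
                if ((ifc == br && bo != 1) || ((ifc in ismem) && mo != 1)) {
                    print "MISSING " $0; bad = 1
                }
            }
        }
        END { if (!bad) print "OK" }'
}

# Constructed sample input in the shape of "sysctl net.link.bridge" and
# "ipfw list" output; the 0/0 values mirror a host where both hooks are off.
SAMPLE_SYSCTL='net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0'
FIXED_SYSCTL='net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1'
SAMPLE_RULES='00100 reass ip4 from any to any in
39999 check-state :default
40000 allow tcp from table(staff_ips) to 12.34.56.78 443 in via em1
40100 deny log ip from not me to not me in via em1
40200 allow ip from not me to not me via bridge0
65530 deny log ip from any to any'

audit_bridge_fw "$SAMPLE_SYSCTL" "$SAMPLE_RULES" bridge0 "em1 em2"
```

On a live host, feed it `sysctl net.link.bridge` and `ipfw list` output instead of the samples; every MISSING line is a rule that will not fire on bridged traffic until the corresponding sysctl is set to 1.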