11.5. Bridge Firewall Rules (Forward)

Bridge Firewall Rules are a special case of Firewall Rules. When you create a bridge interface a new Bridges Tab will be shown in the Firewall Rules page.

Figure: Firewall Bridge Rules

The main difference between a normal firewall rule and a bridge firewall rule is that the filtering happens in the bridge itself. A bridge can carry traffic that is not destined for the host at all and is by default simply forwarded between its members (green path in the figure below). Bridge forwarding takes a special path that is separate from the normal forwarding path in VT AIR. Bridge Firewall Rules apply only to traffic that is being forwarded through the bridge.

The Global rules do not apply to bridge traffic unless you have created a VLAN Interface on top of the bridge (blue path in the figure below). A bridge can carry multiple VLANs, and with Bridge Firewall Rules you can also match traffic that does not belong to any VLAN Interface.

As Input and Output Interface for such a rule you must select either the bridge interface itself or one of the bridge member interfaces.
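To make the difference between the bridge forwarding path and the host/routing path concrete, the following is an added illustration written in Linux nftables syntax; it is not a ruleset generated by VT AIR, and the page does not state which packet filter VT AIR uses underneath. The bridge name br0, the member names eth1 and eth2, the server address 192.0.2.10 and VLAN 20 are all assumed values chosen for the example.

```nft
# Added example (constructed): a filter on the bridge forwarding path.
# Assumptions: bridge br0 with members eth1 and eth2; a server at 192.0.2.10
# behind eth2; VLAN 20 carried across the bridge without a VLAN interface.
table bridge filter_br0 {
    chain forward {
        # "hook forward" in the bridge family only sees frames forwarded
        # between bridge members. Frames addressed to the host itself and
        # routed (Layer 3) traffic are handled by other hooks and are not
        # affected by this chain, matching the page's green/blue path split.
        type filter hook forward priority 0; policy drop;

        # Untagged traffic from eth1 towards the server: ARP and HTTPS only.
        iifname "eth1" oifname "eth2" ether type arp accept
        iifname "eth1" oifname "eth2" ip daddr 192.0.2.10 tcp dport 443 accept

        # Reverse direction: replies from the server side.
        iifname "eth2" oifname "eth1" ether type arp accept
        iifname "eth2" oifname "eth1" ip saddr 192.0.2.10 tcp sport 443 accept

        # VLAN-tagged frames can be matched here even though no VLAN
        # interface exists on top of the bridge: allow DNS inside VLAN 20.
        iifname "eth1" vlan id 20 ip daddr 192.0.2.0/24 udp dport 53 accept

        # Anything else that would be forwarded through the bridge is
        # logged and then dropped by the chain policy.
        log prefix "br0-forward-drop " counter
    }
}
```

Load the fragment with `nft -f <file>` and verify it with `nft list table bridge filter_br0`. The bridge interface and its member names (`iifname`/`oifname`) are the only interface selectors used, which mirrors the page's requirement to pick the bridge itself or a bridge member as Input and Output Interface.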

Figure: Firewall Bridge Rules

In HA setups, make sure that the interface names are the same on both nodes, or exclude the rules from hasync; otherwise the sync will fail.

The settings are equivalent to those of normal firewall rules, but bridge rules have no advanced settings such as limiter or routing table, because the bridge forwards at Layer 2 and no routing decision is made. Please have a look at Firewall Rules (Forward and Input) for a detailed explanation of the individual settings.

In the top right corner of the overview page you can search for rules. The search value can be a protocol, source, destination, IP address, port or description.