When I use this IP Firewall rule:
chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
it doesn’t work correctly!
When I remove “connection-state=new”, then it works fine!
Is it a BUG?
It’s not a bug. With ‘connection-state=new’ you accept only the connection establishment. The next packets of the connection are not affected by that rule. Try adding ‘chain=forward action=accept connection-state=established in-interface=W1 out-bridge-port=DMZ’
) I try to say something else
)
hmm, traffic:
chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
chain=forward action=accept connection-state=established
is not the same as:
chain=forward action=accept in-interface=W1 out-bridge-port=DMZ
!!! This is a bug, I think so.
It’s not a bug, it’s your misunderstanding. The rules above are not the same. Although they work identically, in the first case you may use something like this:
chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
chain=forward action=reject connection-state=new in-interface=W1 out-bridge-port=DMZ src-address-list="enemies"
chain=forward action=accept connection-state=established
want more comments - post your firewall rules here
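The point made in the two replies above (that ‘connection-state=new’ only matches the packet that opens a connection, and that ‘new’ plus ‘established’ is not the same as a stateless accept) can be shown with a small model of connection tracking and rule evaluation. This is an added illustration, not MikroTik code and not from the thread; the interface names W1 and DMZ follow the thread, the packets are constructed, and the tracker is simplified (it does not pick up TCP connections mid-stream, so an untracked packet that does not open a connection is classified ‘invalid’).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of RouterOS / netfilter connection tracking and the
# 'forward' chain. Added illustration for the thread, not MikroTik code:
# the interface names W1 and DMZ come from the thread; the packets below
# are constructed. Mid-stream pickup of untracked TCP connections is not
# modelled, so an untracked non-SYN packet is classified 'invalid'.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool             # True for the packet that opens the connection
    in_interface: str     # physical interface the packet arrived on
    out_bridge_port: str  # bridge port the packet leaves through


class Conntrack:
    """Classifies each packet as new / established / invalid."""

    def __init__(self) -> None:
        self.entries = set()

    def classify(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.entries or reverse in self.entries:
            return "established"    # later packets of a tracked connection
        if p.syn:
            self.entries.add(forward)  # the first packet creates the entry
            return "new"
        return "invalid"  # no entry and not a connection start


@dataclass
class Rule:
    action: str                            # "accept" or "drop"
    connection_state: Optional[str] = None
    in_interface: Optional[str] = None
    out_bridge_port: Optional[str] = None

    def matches(self, p: Packet, state: str) -> bool:
        # A property that is not set on the rule matches anything,
        # as in RouterOS.
        return (
            (self.connection_state is None or self.connection_state == state)
            and (self.in_interface is None or self.in_interface == p.in_interface)
            and (self.out_bridge_port is None or self.out_bridge_port == p.out_bridge_port)
        )


def run_chain(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    """Return (connection-state, verdict) for each packet, in order."""
    ct = Conntrack()
    results = []
    for p in packets:
        state = ct.classify(p)
        verdict = "drop"  # nothing matched: same effect as the thread's final drop rule
        for rule in rules:
            if rule.matches(p, state):
                verdict = rule.action
                break
        results.append((state, verdict))
    return results


# The three rule sets discussed in the thread.
RULES_NEW_ONLY = [Rule("accept", "new", "W1", "DMZ"), Rule("drop")]
RULES_NEW_PLUS_ESTABLISHED = [
    Rule("accept", "new", "W1", "DMZ"),
    Rule("accept", "established"),
    Rule("drop"),
]
RULES_STATELESS = [Rule("accept", None, "W1", "DMZ"), Rule("drop")]

# Constructed traffic: a connection opening, its next packet, and a
# packet from a connection the tracker never saw start.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.1.20", 40000, 80, True, "W1", "DMZ"),
    Packet("10.0.0.5", "10.0.1.20", 40000, 80, False, "W1", "DMZ"),
    Packet("10.0.0.7", "10.0.1.20", 40001, 443, False, "W1", "DMZ"),
]

if __name__ == "__main__":
    for name, rules in [("new only", RULES_NEW_ONLY),
                        ("new + established", RULES_NEW_PLUS_ESTABLISHED),
                        ("stateless", RULES_STATELESS)]:
        print(name, run_chain(rules, SAMPLE_PACKETS))
```

Running it shows the three behaviours side by side: with ‘new’ alone only the opening packet passes; with ‘new’ plus ‘established’ the whole tracked connection passes but the untracked packet is still dropped; the stateless rule passes all three. That last difference is why the two rule sets are not interchangeable, and why a log rule in front of the final drop is the quickest way to see which packets are reaching it with a state other than ‘new’ or ‘established’.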
yes
)
look:
I need to filter traffic from interface W1 (ethernet) to the Bridge on port DMZ (I need to enable all).
When I enable all traffic using rule:
…
chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
…
chain=forward action=accept connection-state=established
chain=forward action=drop
the firewall still blocks some traffic from interface W1 to Bridge port DMZ. WHY???
After I use this rule:
chain=forward action=accept in-interface=W1 out-bridge-port=DMZ
… ROS doesn’t block any traffic => traffic is OK.
omg… what is ‘…’? Either make
…
chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
chain=forward action=accept connection-state=established
…
or post your ‘…’ rules
p.s. you may try using something like
chain=forward action=accept connection-state=established
chain=forward action=log connection-state=established in-interface=W1 out-bridge-port=DMZ
I tried it!
… on ROS 2.9.xx it works fine!
I use these rules on several 2.9.xx firewalls and bridge filtering works fine. On ROS 3.x I have a problem. Some packets are caught by this rule, but some are not.
I tried your example as the first thing, last week. I found out that some traffic is like “not new connection state” and “not established”! I think so.
When I use:
chain=forward action=accept connection-state=new in-interface=Bridge out-interface=Bridge
… filtering works fine!
… or when I use src.address or dst.address filtering instead of bridge port filtering … filtering works fine.
… but bridge port filtering … problem!
Look:

Is ‘interface bridge settings set use-ip-firewall=yes’ set?
YES! I have set it.
… use-ip-firewall=yes
I know this set.
Some rules using bridge ports work fine, but some do not.
Example:
When I use the combination W1 (eth) and DMZ (bridge port), the rule does not work!
or LAN (bridge port) and CoWW (bridge port) does not work very well.
Hmm. It’s a mystery
)
When I use filtering combinations for every bridge port:
Lan - DMZ - accept (cons.state=new)
Lan - CoWW - accept (cons.state=new)
Lan - Coww2 - accept (cons.state=new)
..
DMZ - Lan - accept (cons.state=new)
DMZ - … - accept (cons.state=new)
…
finally I use the rule
Bridge - Bridge - accept (cons.state=new)
… the counter of this rule counts some traffic! Why? This traffic must be zero and the partial traffic must be caught by the partial rules. I think so.
IF DMZ and W1 are bridged then you must use
in-bridge-port and out-bridge-port instead of in-interface and out-interface
W1, W2 are not bridge ports.
Rule no. 36 is a test rule and not correct, I know.
The Bridge contains: DMZ, Lan, CoWW, CoWW2 interfaces.