>With bridge this separate firewalling is possible; with ng_bridge it is not. One moment you mention if_bridge, the next ng_bridge. Do settle on one of them!
Have you read the if_bridge man page? I quote:
PACKET FILTERING
     Packet filtering can be used with any firewall package that hooks in via
     the pfil(9) framework.  When filtering is enabled, bridged packets will
     pass through the filter inbound on the originating interface, on the
     bridge interface and outbound on the appropriate interfaces.  Either
     stage can be disabled.  The filtering behaviour can be controlled using
     sysctl(8):

     net.link.bridge.pfil_onlyip
             Controls the handling of non-IP packets which are not passed to
             pfil(9).  Set to 1 to only allow IP packets to pass (subject to
             firewall rules), set to 0 to unconditionally pass all non-IP
             Ethernet frames.

     net.link.bridge.pfil_member
             Set to 1 to enable filtering on the incoming and outgoing member
             interfaces, set to 0 to disable it.

     net.link.bridge.pfil_bridge
             Set to 1 to enable filtering on the bridge interface, set to 0 to
             disable it.

     net.link.bridge.ipfw
             Set to 1 to enable layer2 filtering with ipfirewall(4), set to 0
             to disable it.  This needs to be enabled for dummynet(4) support.
             When ipfw is enabled, pfil_bridge and pfil_member will be
             disabled so that IPFW is not run twice; these can be re-enabled
             if desired.
Do you really think that, if they are going to drop bridge(4) support in favour of if_bridge(4), they did not provide equivalent functionality?
As I stated earlier, your variant belongs to "ancient bridging, completely non-functional and inconvenient".
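Added example, not part of the post above and not FreeBSD code: a small Python model of the filtering stages described in the quoted PACKET FILTERING section, so that one can see which pfil(9) hooks a bridged frame hits for a given combination of the four net.link.bridge sysctls, including the interlock where enabling ipfw switches off pfil_member and pfil_bridge. The interface names em0, em1 and bridge0, the frames, and the reenable_pfil knob (standing in for an admin re-setting the two sysctls afterwards, which the man page says is allowed) are constructed for illustration.

```python
"""Model of if_bridge(4) packet-filtering stages, driven by the sysctl
semantics quoted from the man page.  Added example; not FreeBSD's own code."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BridgeSysctls:
    """Values of the four net.link.bridge.* sysctls from the man page."""
    pfil_onlyip: int = 1   # 1: non-IP frames are not passed (dropped), 0: pass them
    pfil_member: int = 1   # filter inbound/outbound on member interfaces
    pfil_bridge: int = 1   # filter on the bridge interface itself
    ipfw: int = 0          # layer2 filtering with ipfirewall(4)
    reenable_pfil: bool = False  # constructed knob: admin re-enabled pfil_* after ipfw=1

    def effective(self) -> "BridgeSysctls":
        """Apply the man-page interlock: ipfw=1 disables pfil_bridge and
        pfil_member so IPFW is not run twice, unless re-enabled."""
        if self.ipfw and not self.reenable_pfil:
            return replace(self, pfil_member=0, pfil_bridge=0)
        return self

    def filtering_enabled(self) -> bool:
        eff = self.effective()
        return bool(eff.pfil_member or eff.pfil_bridge or eff.ipfw)


@dataclass(frozen=True)
class Frame:
    """A constructed Ethernet frame entering the bridge."""
    in_member: str
    out_member: str
    is_ip: bool


def filter_stages(cfg: BridgeSysctls, frame: Frame, bridge: str = "bridge0"):
    """Return (verdict, stages): 'drop' for non-IP frames refused by
    pfil_onlyip, 'pass' when no filter sees the frame, otherwise 'filter'
    with the ordered list of hooks the frame traverses (inbound on the
    originating member, the bridge interface, outbound on the destination
    member), per the quoted man page."""
    eff = cfg.effective()
    if not cfg.filtering_enabled():
        return "pass", []
    if not frame.is_ip:
        # Non-IP frames are not handed to pfil(9); onlyip decides their fate.
        return ("drop", []) if eff.pfil_onlyip else ("pass", [])
    stages = []
    if eff.ipfw:
        stages.append("ipfw layer2")          # ipfirewall(4) at layer 2
    if eff.pfil_member:
        stages.append(f"pfil in on {frame.in_member}")
    if eff.pfil_bridge:
        stages.append(f"pfil on {bridge}")
    if eff.pfil_member:
        stages.append(f"pfil out on {frame.out_member}")
    return "filter", stages


if __name__ == "__main__":
    ip_frame = Frame("em0", "em1", is_ip=True)
    arp_frame = Frame("em0", "em1", is_ip=False)
    for name, cfg in [
        ("defaults", BridgeSysctls()),
        ("member-only", BridgeSysctls(pfil_bridge=0)),
        ("ipfw layer2", BridgeSysctls(ipfw=1)),
        ("ipfw + re-enabled pfil", BridgeSysctls(ipfw=1, reenable_pfil=True)),
        ("pass non-IP", BridgeSysctls(pfil_onlyip=0)),
    ]:
        print(name, "IP:", filter_stages(cfg, ip_frame), "non-IP:", filter_stages(cfg, arp_frame))
```

The point the model makes visible is the one argued in the post: with if_bridge each of the three stages (inbound member, bridge interface, outbound member) is an independent hook, so per-interface firewalling is available, and the ipfw sysctl is the one setting that silently changes the others.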