From f99b86beab2723abd48ccf159303b8da3fa711fb Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Thu, 26 Mar 2026 10:39:59 +0100 Subject: [PATCH] doc/userguide: document L2 firewall handling of ARP --- doc/userguide/firewall/firewall-design.rst | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/doc/userguide/firewall/firewall-design.rst b/doc/userguide/firewall/firewall-design.rst index 228e13b7da..7644653e0f 100644 --- a/doc/userguide/firewall/firewall-design.rst +++ b/doc/userguide/firewall/firewall-design.rst @@ -263,3 +263,23 @@ One can optionally, also load firewall rules exclusively from commandline using Firewall rules are available in the file ``firewall.json`` as a part of the output of :ref:`engine analysis`. + +Bridge vs router +================ + +The firewall mode can be used with capture methods in bridge and router mode. When using +the bridge mode, the default drop policy will also apply to non-IP protocols, like ARP. + +For ARP to work, a rule to accept it is required: + +:: + + accept:packet arp:all any any -> any any (sid:200;) + +Other ethernet types can be accepted by using generic ethernet rules, with the ``ether.hdr`` keyword. + +The example below accepts ARP again, using this mechanism. + +:: + + accept:packet ether:all any any -> any any (ether.hdr; content:"|08 06|"; offset:12; depth:2; sid:1;)
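Review bot: the two example rules in this hunk use inconsistent sids (`sid:200` for the `arp:all` rule and `sid:1` for the `ether:all` rule); `sid:1` is the most likely value to collide with other example rules in the guide, so give both a unique, consistent id, e.g. `sid:200` and `sid:201`. Two smaller points in the same hunk: "accepts ARP again, using this mechanism" reads as if ARP were being re-enabled; "accepts ARP as well, using the generic ``ether.hdr`` mechanism" is clearer. And since the second rule relies on magic values, a one-line explanation helps the reader: ``|08 06|`` at ``offset:12; depth:2`` is the EtherType field of an untagged Ethernet header, and 0x0806 is the ARP EtherType, which is why the rule is equivalent to ``arp:all`` for untagged frames.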