When I use this IP Firewall rule:

chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ

it doesn't work correctly!

When I cut "connection-state=new", then work fine !
It's BUG?

When I use this IP Firewall rule:

chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ

it doesn't work correctly!

When I cut "connection-state=new", then work fine !
It's BUG?

it's not a bug. with 'connection-state=new' you accept only connection establishing. next connection packets are not affected by that rule. try adding 'chain=forward action=accept connection-state=established in-interface=W1 out-bridge-port=DMZ'

) I try say something else )

hmm, traffic:

chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
chain=forward action=accept connection-state=established

not same as:

chain=forward action=accept in-interface=W1 out-bridge-port=DMZ

!!! This is bug, I think so.

) I try say something else )

hmm, traffic:

chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
chain=forward action=accept connection-state=established

not same as:

chain=forward action=accept in-interface=W1 out-bridge-port=DMZ

!!! This is bug, I think so.

it's not a bug, it's your misunderstanding. rules above are not the same. although they work identically, in first case you may use something like this:

chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
chain=forward action=reject connection-state=new in-interface=W1 out-bridge-port=DMZ src-address-list="enemies"
chain=forward action=accept connection-state=established

want more comments - post your firewall rules here

yes )

look:

I need filter traffic from interface W1 (ethernet) to Bridge on port DMZ (I need enable all).
When I enable all traffic using rule:

...
chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
...
chain=forward action=accept connection-state=established
chain=forward action=drop

firewall still block some traffic from interface W1 to Bridge port DMZ. WHY????

After I use this rule:
chain=forward action=accept in-interface=W1 out-bridge-port=DMZ

... ROS doesn't block any traffic => traffic is OK.

...
chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
...
chain=forward action=accept connection-state=established
chain=forward action=drop

firewall still block some traffic from interface W1 to Bridge port DMZ. WHY????

After I use this rule:
chain=forward action=accept in-interface=W1 out-bridge-port=DMZ

... ROS doesn't block any traffic => traffic is OK.

omg... what is '...'? either make

...
chain=forward action=accept connection-state=new in-interface=W1 out-bridge-port=DMZ
chain=forward action=accept connection-state=established
...

or post your '...' rules

p.s. you may try using something like
chain=forward action=accept connection-state=established
chain=forward action=log connection-state=established in-interface=W1 out-bridge-port=DMZ

I try it!

... on ROS 2.9.xx work fine !

I use these rules on more firewalls 2.9.xx and bridge filtering work fine. On ROS 3.x I have problem. Some packets catch on this rule, but some not.

I try your example as first think, last week. I find out, that some traffic like as "not new connection state", and "not established"! I think so.

When I use:

chain=forward action=accept connection-state=new in-interface=Bridge out-inteface=Bridge
... filtering work fine !

... or when I use src.address or dst.address filtering instead bridge port filtering ... filtering work fine.

... but bridge port filtering ... problem

Look:

is 'interface bridge settings set use-ip-firewall=yes'?

YES! I have set it.

... use-ip-firewall=yes

I know this set.
Some rules used bridge port work fine, but some not.

Example:

When I use combination bridge port W1 (eth) and DMZ (bridge port) rule not work !
or LAN (bridge port) and CoWW (bridge port) not work wery well.

Hmm. It's mystics )
When I use filtering combination every bridge port :

Lan - DMZ - accept (cons.state=new)
Lan - CoWW - accept (cons.state=new)
Lan - Coww2 - accept (cons.state=new)
..
DMZ - Lan - accept (cons.state=new)
DMZ - ... - accept (cons.state=new)
....

finaly I use rule
Bridge - Bridge - accept (cons.state=new)

... counter of this rule count some traffic ! Why? This traffic must be zero and partial traffic must be catched on partial rules. I think so.

IF DMZ and W1 are bridged then you must use
in-bridge-port and out-bridge port instead of in-interface and out-interface

W1,W2 is not bridget port.
Rule no. 36 is test rule not correct, I know.

Bridge contain: DMZ, Lan, CoWW, CoWW2 interfaces.