> > so, yes, bad idea ;)
> > So what packages do you want to block exactly?
> > -A PVEFW-FORWARD -o vmbr+ -m physdev --physdev-is-bridged -j RETURN

But I guess that does not work due to physdev match limitation :-/