The recently removed option in System->Advanced says:
Enable filtering bridge
This setting no longer exists as it is unnecessary. Filtering occurs on the member interfaces of the bridge and cannot be disabled.
The operative word there is interfaceS - i.e. plural. My question is… Why can I only add filter rules (which work) to block traffic from certain hosts on the optional interface that forms the far side of the bridge from the WAN interface, where the packets come in on. That's to say if I have WAN and OPT1 bridged, why do firewall rules for inbound packets only work when they're assigned to OPT1 and not WAN?
This means that, if I want to block a source address from sending packets to both the other side of the bridge and the pfsense box itself, I need to add 2 duplicate rules on 2 different interfaces.
Am I missing something here or is this illogical?