Just to make sure I understand the filtering bridge completely, what I've done is setup a bridge between my OPT1 card and my WAN card to create a DMZ so I don't have to redo my DMZ addressing. If I leave the bridge filtering off does that mean that my DMZ is wide open from the outside?
Or will my DMZ be protected by pf at all setup in this way? Assuming the router in front of pf will completely ignore pf in this configuration since it will be directly attached.
Guess I also wonder if I need to (or am allowed to) bridge the other way. Assign a public address to my OPT1 card and bridge the WAN to that? Little hazy on how the bridging all works in the grand scheme of things.
Without filtering bridge traffic between the bridged interfaces is allowed without filtering (and only between the bridged interfaces). In your setup you most likely want the filtering activated and only allow needed ports and protocols. See http://pfsense.trendchiller.com/transparent_firewall.pdf for some details.
So just by virtue of being bridged, the traffic will route thru pf? Guess they've got to in the end because that's how it will physically be wired up. When I have my DMZ machines connected to the OPT1 interface is pf doing some sort of proxy arp for the machines on the bridged interface?