I tend to filter on the interface closest to the users ('LAN side', so to speak) or on the bridge interface itself (for those who can't get off the fence ..). Filtering on the external interface ('WAN' side) is used for keeping the rest of the world out. That way, the bridge has a nice wall around all sides, with not much going on inside.
On a router it depends on whether there are services running on the router itself which the users may need (DNS, mail, DHCP, etc.).
|