Hello all,
The question may sound weird, but here is my situation:
I have a (Linux) PBX (FreePBX) that I want to protect with an OpenBSD firewall,
since I am not familiar with Linux's built-in firewall and I would also like to
separate things.
I also would like to avoid routing / NAT on the firewall, which leads me to
using a transparent filtering bridge.
When experimenting with such a setup on my rented VMware ESXi host, I
immediately got an abuse email from my hoster, complaining about the use of
unauthorised MAC addresses.
The reason is:
When I order an additional IP address for my PBX VM, I am provided with a defined
MAC address which I have to configure on the VM. I am not allowed to use any
other MAC.
My setup:
+--------------------------+     +--------------------------+     +-----------------+
| PBX (using provided MAC) |-----| OpenBSD filtering bridge |-----| hoster's router |
+--------------------------+     +--------------------------+     +-----------------+
                                  |                        |
                                  |                        |
                                VMX1                     VMX0 with 'alien' MAC address
The challenge: how do I prevent my firewall's VMX0 interface from sending any
packet with a source MAC other than the provided one?
Things that I already considered:
- When acting as a bridge, packets from the PBX should be forwarded with their
original MAC
- IP forwarding is disabled, net.inet.ip.forwarding=0
- VMX0 and VMX1 are only configured as UP (no IP address)
- The bridge is configured as:
up
add vmx0
add vmx1
blocknonip vmx0
blocknonip vmx1
-autoedge vmx0
-autoedge vmx1
-edge vmx0
-edge vmx1
- /etc/pf.conf:
set skip on lo
block drop out quick log on vmx0 from self to any
block drop in quick log on vmx0 from any to self
block drop log
pass # No filtering done ATM
Anything else that needs to be considered?
PS: If you consider this whole setup insane, I am open to better solutions :-)
Thanks for any help,
Heinrich
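Added example, not part of the original post: whichever mechanism ends up enforcing the MAC restriction (note that OpenBSD's pf matches on IP-layer properties, not link-layer addresses, so the pf.conf above cannot do it alone, whereas bridge(4) link-layer rules set with ifconfig(8) can), the thing worth verifying is what actually leaves vmx0. The script below scans a classic libpcap capture of the uplink (for example one written with `tcpdump -i vmx0 -w vmx0.pcap`) and reports every frame that advertises a link-layer address other than the hoster-assigned one, both as the Ethernet source and as the ARP sender hardware address, since hosters typically watch both. All MAC addresses and the embedded sample capture are constructed placeholders, and frames whose source is a known inbound peer (the hoster's router) are skipped because a capture file carries no direction information.

```python
"""Scan a pcap from the bridge uplink for link-layer addresses that are not
the hoster-assigned MAC (Ethernet source and ARP sender hardware address)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100  # 802.1Q tag; the real ethertype follows 4 bytes later
DLT_EN10MB = 1           # pcap link type for Ethernet


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (not pcapng), either byte order."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def advertised_macs(frame):
    """Return [(where, mac)] for every address the frame claims as its own:
    the Ethernet source and, for ARP, the sender hardware address."""
    found = [("ethernet source", frame[6:12])]
    ethertype = struct.unpack(">H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_VLAN and len(payload) >= 4:
        ethertype = struct.unpack(">H", payload[2:4])[0]
        payload = payload[4:]
    if ethertype == ETHERTYPE_ARP and len(payload) >= 28 and payload[4] == 6:
        # ARP layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
        found.append(("arp sender", payload[8:14]))
    return found


def find_violations(pcap_data, assigned_mac, inbound_from=()):
    """Return (frame_index, where, mac) for each address that is not the assigned MAC.
    Frames whose Ethernet source is in inbound_from (e.g. the hoster's router) are
    traffic towards us, not something we emitted, and are skipped."""
    allowed = mac_bytes(assigned_mac)
    skip = {mac_bytes(m) for m in inbound_from}
    violations = []
    for idx, frame in enumerate(parse_pcap(pcap_data)):
        if len(frame) < 14 or frame[6:12] in skip:
            continue
        for where, mac in advertised_macs(frame):
            if mac != allowed:
                violations.append((idx, where, mac_str(mac)))
    return violations


# --- constructed sample capture; every address below is a placeholder ------
ASSIGNED_MAC = "00:0c:29:12:34:56"   # the MAC the hoster assigned to the PBX
ALIEN_MAC = "00:0c:29:ab:cd:ef"      # the firewall VM's own NIC (must never appear)
ROUTER_MAC = "00:00:5e:00:01:01"     # the hoster's router (inbound peer)
BROADCAST = "ff:ff:ff:ff:ff:ff"
IPV4_STUB = bytes([0x45]) + b"\x00" * 19   # just enough bytes to pass as an IPv4 header


def ethernet(dst, src, ethertype, payload):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack(">H", ethertype) + payload


def arp_request(sha, spa, tpa):
    return struct.pack(">HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                       mac_bytes(sha), bytes(spa), b"\x00" * 6, bytes(tpa))


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    ethernet(ROUTER_MAC, ASSIGNED_MAC, ETHERTYPE_IPV4, IPV4_STUB),   # PBX traffic, fine
    ethernet(ASSIGNED_MAC, ROUTER_MAC, ETHERTYPE_IPV4, IPV4_STUB),   # inbound, skipped
    ethernet(ROUTER_MAC, ALIEN_MAC, ETHERTYPE_IPV4, IPV4_STUB),      # firewall's MAC leaked
    ethernet(BROADCAST, ASSIGNED_MAC, ETHERTYPE_ARP,
             arp_request(ALIEN_MAC, [203, 0, 113, 10], [203, 0, 113, 1])),  # leak inside ARP
])

if __name__ == "__main__":
    for idx, where, mac in find_violations(SAMPLE_PCAP, ASSIGNED_MAC, [ROUTER_MAC]):
        print(f"frame {idx}: {where} {mac} is not the assigned MAC")
```

On a real capture, replace `SAMPLE_PCAP` with the file contents and pass the router's MAC in `inbound_from`; an empty result over a reasonably long capture that includes boot, ARP and normal PBX traffic is the evidence that the filtering bridge keeps the firewall's own MAC off the hoster's segment.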