Re: ipfw firewalling for bhyve host, bypassing bhyve guests
On Sun, Oct 15, 2023 at 10:46:57AM -0700, Paul Vixie wrote:
> You don't need L2 for this. The firewall pattern when your bare metal host
> has an address in the vlan you use for guests is: Allow the specific things
> you want the bare metal host to do; Deny all else involving the bare metal
> host; Allow all else involving the guest subnet.

Maybe that's what I'm doing wrong. I'm not using a vlan.

For firewalling on freebsd (guests), I've previously used pf. For firewalling
the host, a firewall device has previously been put between the host and the
internet. I'd like the host box to pppoe directly. The guests use a mixture of
public and private IPs.

The reason I'm asking about this is because I have found that with pf, if I
have a rule blocking everything to the host but allowing ssh, everything gets
blocked to host & guests combined, because with a bhyve guest the tap
interfaces are bridged with the real hardware, and so, for lack of a better
term, have more or less the same identity. But the MAC address will be
different. That's why I was looking at layer2 and ipfw.

--
ipfw firewalling for bhyve host, bypassing bhyve guests
You don't need L2 for this. The firewall pattern when your bare metal host has
an address in the vlan you use for guests is: Allow the specific things you
want the bare metal host to do; Deny all else involving the bare metal host;
Allow all else involving the guest subnet.

p vixie

On Oct 15, 2023 07:14, void wrote:
> Hello,
>
> My objective is to protect services on a bhyve host, while allowing traffic
> to the bhyve guests to pass to them unprocessed, as these each have pf and
> their own firewall policies. The host is running an up-to-date 13-stable.
>
> I know ipfw can process both layer 2 and layer 3 traffic, but pf only
> processes layer 3, so that is why I want to use ipfw on the bhyve host.
>
> So we have bridge0 with igb0, tap0 and tap1 as members. In this example,
> igb0 has a mac address of 11:11:11:11:11:11
> tap0 has 22:22:22:22:22:22
> tap1 has 33:33:33:33:33:33
>
> How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and
> apply no more rules to frames matching those MACs?
>
> Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart
> from 10.0.0.0/24, with 22:22:22:22:22:22 passing unhindered, unprocessed.
>
> Possible?
>
> --
ipfw firewalling for bhyve host, bypassing bhyve guests
Hello,

My objective is to protect services on a bhyve host, while allowing traffic to
the bhyve guests to pass to them unprocessed, as these each have pf and their
own firewall policies. The host is running an up-to-date 13-stable.

I know ipfw can process both layer 2 and layer 3 traffic, but pf only
processes layer 3, so that is why I want to use ipfw on the bhyve host.

So we have bridge0 with igb0, tap0 and tap1 as members. In this example,
igb0 has a mac address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33

How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply
no more rules to frames matching those MACs?

Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from
10.0.0.0/24, with 22:22:22:22:22:22 passing unhindered, unprocessed.

Possible?

--