Date: Sun, 16 Apr 2023 01:20:22 +0200
From: Tomek CEDRO <tomek@cedro.info>
To: freebsd-doc@freebsd.org, FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: bhyve and firewall / bridge filtering
Message-ID: <CAFYkXjnHnThmJwf5cWJ20W5f%2ByAHy4LJVfuvfnWcZgfGzmNokg@mail.gmail.com>
Hello world :-)

I think that the Handbook could be updated with small but important information on how to best unfilter networking on a bhyve host where a firewall is in place. This is not that obvious at first, and the simplest idea to test is to disable the host firewall. That helps but also leaves the host machine vulnerable.

I have found a solution on the FreeBSD Forums [1] and proposed a "vm" man page update [2]. If anyone experienced could verify if this is the best solution, please let me know; this could also be added to the Handbook :-)

Thanks :-)
Tomek

===

If a host that runs a virtual machine has an active firewall, then bridge filtering needs to be disabled by adding the following lines to loader.conf(5) or sysctl.conf(5):

net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=0

You can also disable bridge packet filtering at runtime with sysctl(8):

# sysctl net.link.bridge.ipfw=0
# sysctl net.link.bridge.pfil_bridge=0
# sysctl net.link.bridge.pfil_member=0

===

[1] https://forums.freebsd.org/threads/bhyve-and-firewall-on-host.75089/
[2] https://github.com/churchers/vm-bhyve/pull/510

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
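An added example, not part of the mail above: a small POSIX sh check that reads sysctl(8) output or sysctl.conf(5) lines and confirms the three bridge-filtering OIDs named in the mail are all 0, so that the host firewall keeps protecting the host itself while guest traffic crossing the bridge is no longer filtered. The function name `check_bridge_pfil` and the `--live` flag are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the original mail): verify that bridge packet
# filtering is disabled on a bhyve host. Only the three OIDs from the
# mail are checked; everything else here is this example's own design.

# The three sysctl(8) OIDs that must all read 0.
BRIDGE_PFIL_OIDS="net.link.bridge.ipfw net.link.bridge.pfil_bridge net.link.bridge.pfil_member"

# check_bridge_pfil: reads "oid: value" (sysctl output) or "oid=value"
# (sysctl.conf / loader.conf) lines on stdin and prints one line per
# OID that is missing, non-numeric or not 0.
# Returns 0 when all three OIDs are present and 0, 1 otherwise.
check_bridge_pfil() {
    input=$(cat)
    rc=0
    for oid in $BRIDGE_PFIL_OIDS; do
        # Escape the dots so "net.link.bridge.ipfw" does not also match
        # sibling OIDs such as net.link.bridge.ipfw_arp.
        oid_re=$(printf '%s' "$oid" | sed 's/\./\\./g')
        # Take the last matching line so a later sysctl.conf entry wins.
        value=$(printf '%s\n' "$input" \
            | sed -n "s/^[[:space:]]*${oid_re}[[:space:]]*[:=][[:space:]]*\([0-9]*\).*/\1/p" \
            | tail -n 1)
        if [ -z "$value" ]; then
            echo "$oid: not set or not numeric"
            rc=1
        elif [ "$value" != "0" ]; then
            echo "$oid: $value (bridge traffic still filtered)"
            rc=1
        fi
    done
    return $rc
}

# Live check on a FreeBSD host. On systems without the if_bridge OIDs the
# function simply reports all three as not set.
if [ "${1:-}" = "--live" ]; then
    if sysctl net.link.bridge 2>/dev/null | check_bridge_pfil; then
        echo "bridge filtering disabled: guest traffic bypasses the host firewall, host traffic is still filtered"
    fi
fi
```

Run it as `sh check_bridge_pfil.sh --live` on the host, or pipe a sysctl.conf(5) into the function to review a configuration before rebooting.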