From: Tomek CEDRO
Date: Sun, 16 Apr 2023 01:20:22 +0200
Subject: bhyve and firewall / bridge filtering
To: freebsd-doc@freebsd.org, FreeBSD Questions Mailing List
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Hello world :-)

I think that the Handbook could be updated with small but important information on how to best unfilter networking on a bhyve host where a firewall is in place. This is not that obvious at first, and the simplest idea to test is to disable the host firewall. That helps but also leaves the host machine vulnerable. I have found a solution on the FreeBSD Forums [1] and proposed a "vm" man page update [2]. If anyone experienced could verify if this is the best solution, please let me know; this could also be added to the Handbook :-)

Thanks :-)
Tomek

===
If a host that runs a virtual machine has an active firewall then bridge filtering needs to be disabled by adding the following lines to loader.conf(5) or sysctl.conf(5):

net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=0

You can also disable bridge packet filtering at runtime with sysctl(8):

# sysctl net.link.bridge.ipfw=0
# sysctl net.link.bridge.pfil_bridge=0
# sysctl net.link.bridge.pfil_member=0
===

[1] https://forums.freebsd.org/threads/bhyve-and-firewall-on-host.75089/
[2] https://github.com/churchers/vm-bhyve/pull/510

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
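As an added example (not part of the post or of vm-bhyve), a small sh script that audits the three bridge sysctls the post names and emits the matching loader.conf(5)/sysctl.conf(5) lines; once all three are 0, packets forwarded between bridge members are no longer handed to pf/ipfw, so any per-VM filtering has to live elsewhere (e.g. inside the guest). The audit function reads `sysctl`-style "oid: value" lines on stdin, and the sample output below is constructed so the script runs offline; on a real FreeBSD host pipe `sysctl net.link.bridge` into it instead.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: audit the bridge-filtering
# sysctls on a bhyve host and print the config lines the post proposes.

# OIDs the post says must be 0 so bridged VM traffic bypasses the host firewall.
BRIDGE_FILTER_OIDS="net.link.bridge.ipfw net.link.bridge.pfil_bridge net.link.bridge.pfil_member"

# audit_bridge_filtering: read "oid: value" lines on stdin and print every
# OID from BRIDGE_FILTER_OIDS that is still non-zero (still filtering).
audit_bridge_filtering() {
    while IFS= read -r line; do
        oid=${line%%:*}
        val=${line#*: }
        for want in $BRIDGE_FILTER_OIDS; do
            if [ "$oid" = "$want" ] && [ "$val" != "0" ]; then
                printf '%s\n' "$oid"
            fi
        done
    done
}

# loader_conf_lines: emit the loader.conf(5)/sysctl.conf(5) lines from the post.
loader_conf_lines() {
    for oid in $BRIDGE_FILTER_OIDS; do
        printf '%s=0\n' "$oid"
    done
}

# Constructed sample of `sysctl net.link.bridge` output (not captured from a
# real host): ipfw hook already off, pf hooks on bridge and members still on.
SAMPLE_SYSCTL_OUTPUT='net.link.bridge.ipfw: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_onlyip: 1'

# On FreeBSD: sysctl net.link.bridge | audit_bridge_filtering
echo "OIDs still filtering bridged traffic:"
printf '%s\n' "$SAMPLE_SYSCTL_OUTPUT" | audit_bridge_filtering
echo "Lines to add to /boot/loader.conf or /etc/sysctl.conf:"
loader_conf_lines
```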