Date:      Tue, 17 Oct 2023 18:28:02 +0200
From:      "Patrick M. Hausen" <hausen@punkt.de>
To:        void <void@f-m.fm>
Cc:        freebsd-virtualization@freebsd.org
Subject:   Re: Running a webserver inside a bhyve host and exposing it to the world via PF
Message-ID:  <E2FDAAF5-D9A6-439E-B78B-316BFDB8803B@punkt.de>
In-Reply-To: <ZS6iz_6vF8RWpOAp@int21h>
References:  <CAAdA2WNzTb6Fvk=Z%2BtAx376mBRztgxY_M75aXBzDFN1bb9yOuQ@mail.gmail.com> <ZS6iz_6vF8RWpOAp@int21h>


Hi all,

> On 17.10.2023 at 17:05, void <void@f-m.fm> wrote:
> I thought the only way to differentiate and filter based on these interfaces
> is with layer 2. PF is layer-3 only. So it is my understanding that
> PF won't work as required/expected on the host. Because, to PF, it's the
> same interface.

You can always create a bridge interface without a physical interface as member,
place an IP address on that on the host and use that one as a default gateway
for all your VMs and/or jails.

You need to enable forwarding for the host and route that subnet within your
infrastructure, but then you can filter incoming connections just fine, and if you
run a lot of VMs or jails on dozens of hosts, they do not all end up in the same
broadcast domain.

Also, even with your setup, filtering should be possible. I recommend you look at these
two tunables:

net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

HTH,
Patrick
-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure

Sophienstr. 187
76185 Karlsruhe

Tel. +49 721 9109500

https://infrastructure.punkt.de
info@punkt.de

AG Mannheim 108285
Managing Directors: Daniel Lienert, Fabian Stein
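The routed-bridge setup described in the reply above, as an added example that is not from the original mail or from FreeBSD's documentation: a host-side sh script that creates the member-less bridge, enables forwarding, sets the two bridge tunables and emits a PF ruleset admitting only the web VM's ports. The interface names, the 10.0.100.0/24 subnet and the 10.0.100.10 web VM are assumptions, as is an upstream router that routes that subnet to the host.

```shell
#!/bin/sh
# Added example, not from the original mail: a routed, member-less bridge for
# bhyve VMs on a FreeBSD host, filtered by PF. Assumed names and addresses:
# bridge0 (no physical member), VM subnet 10.0.100.0/24, host address 10.0.100.1
# as the VMs' default gateway, uplink em0, web VM at 10.0.100.10.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them as root.
set -eu
DRY_RUN="${DRY_RUN:-1}"
BR=bridge0; EXT_IF=em0; VM_NET=10.0.100.0/24; GW=10.0.100.1; WEB_VM=10.0.100.10

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# 1. Bridge carrying only the host address. bhyve adds each VM's tap as a member
#    at start; with no physical member the VMs are routed onto the LAN instead of
#    bridged, so they share no broadcast domain with other hosts' VMs.
setup_bridge() {
    run ifconfig "$BR" create
    run ifconfig "$BR" inet "$GW/24" up
    run sysctl net.inet.ip.forwarding=1
    # Filter once on the bridge interface rather than on every tap member.
    run sysctl net.link.bridge.pfil_bridge=1
    run sysctl net.link.bridge.pfil_member=0
}

# 2. PF policy. The upstream router must route $VM_NET to this host's address on
#    $EXT_IF (no NAT); inbound connections then hit these rules on the way in.
pf_conf() {
    cat <<EOF
ext_if = "$EXT_IF"
vm_br  = "$BR"
vm_net = "$VM_NET"
web_vm = "$WEB_VM"
set skip on lo0
block log all
# World -> web VM, HTTP/HTTPS only; the state also covers the hop out via \$vm_br.
pass in on \$ext_if proto tcp to \$web_vm port { 80 443 } flags S/SA keep state
# VMs may initiate outbound connections; replies return by state.
pass in on \$vm_br from \$vm_net to ! \$vm_net keep state
pass out on \$ext_if keep state
EOF
}

main() { setup_bridge; echo "# pf.conf:"; pf_conf; }
main
```

Run with DRY_RUN=0 as root on the host to apply the interface and sysctl steps, and load the emitted ruleset with `pfctl -f`.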
