From: "Patrick M. Hausen" <hausen@punkt.de>
To: void
Cc: freebsd-virtualization@freebsd.org
Date: Tue, 17 Oct 2023 18:28:02 +0200
Subject: Re: Running a webserver inside a bhyve host and exposing it to the world via PF
List-Archive: https://lists.freebsd.org/archives/freebsd-virtualization

Hi all,

> On 17.10.2023 at 17:05, void wrote:
> I thought the only way to differentiate and filter based on these interfaces
> is with layer 2. PF is layer-3 only. So it is my understanding that
> PF won't work as required/expected on the host. Because, to PF, it's the
> same interface.

You can always create a bridge interface without a physical interface as
member, place an IP address on that on the host and use that one as a default
gateway for all your VMs and/or jails. You need to enable forwarding for the
host and route that subnet within your infrastructure, but then you can filter
incoming connections just fine, and if you run a lot of VMs or jails on dozens
of hosts they do not end up all in the same broadcast domain.

Also, even with your setup filtering should be possible. I recommend you look
at these two tunables:

net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

HTH,
Patrick

-- 
punkt.de GmbH
Patrick M. Hausen
.infrastructure
Sophienstr. 187
76185 Karlsruhe
Tel. +49 721 9109500
https://infrastructure.punkt.de
info@punkt.de
AG Mannheim 108285
Managing directors: Daniel Lienert, Fabian Stein
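The member-less bridge, forwarding and the two pfil tunables from Patrick's reply, worked into concrete FreeBSD configuration files. This is an added example, not configuration from the thread or from punkt.de; the VM subnet 10.100.0.0/24, the uplink name vtnet0, the host's public address 192.0.2.10 and the webserver VM at 10.100.0.10 are assumed, and the VM subnet is assumed to be private (so the webserver is exposed with rdr) rather than routed as the reply suggests.

```conf
# /etc/rc.conf (fragment): bridge0 has no physical member; the host's address
# on it is the default gateway the VMs use. bhyve tooling adds each VM's tap
# to bridge0 (ifconfig bridge0 addm tapN); the uplink is never a member.
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.100.0.1/24 up"    # assumed VM subnet
gateway_enable="YES"                        # net.inet.ip.forwarding=1
pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/sysctl.conf (fragment): the two tunables from the reply. Filter where
# the bridge is the L3 interface (bridge0), not again on every tap member, so
# pf sees one interface name and antispoof does not trip over the taps.
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

# /etc/pf.conf
ext_if = "vtnet0"           # assumed uplink
vm_if  = "bridge0"
vm_net = "10.100.0.0/24"
ext_ip = "192.0.2.10"       # assumed public address of the host (TEST-NET-1)
web_vm = "10.100.0.10"      # assumed address of the webserver VM

set skip on lo0
scrub in all

# Expose only the web ports of the VM on the host's public address.
nat on $ext_if from $vm_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_ip port { 80 443 } -> $web_vm

antispoof quick for $vm_if
block in log all
pass out all keep state

# Host management from the outside: SSH to the host only.
pass in on $ext_if proto tcp to $ext_ip port 22 keep state
# rdr runs first, so the filter already sees $web_vm as destination.
pass in on $ext_if proto tcp to $web_vm port { 80 443 } keep state

# VM side: ICMP to the gateway is fine, anything else aimed at the host's
# own addresses is not; everything else may go out through the uplink.
pass in quick on $vm_if inet proto icmp from $vm_net to $vm_if
block in quick on $vm_if from $vm_net to self
pass in on $vm_if from $vm_net keep state
```

If the subnet is routed inside your infrastructure instead, drop the nat and rdr lines and keep only the pass rule to $web_vm; the filtering on bridge0 stays the same.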