Date: Sun, 15 Oct 2023 19:18:24 +0100
From: void <void@f-m.fm>
To: freebsd-net@freebsd.org
Subject: Re: ipfw firewalling for bhyve host, bypassing bhyve guests
Message-ID: <ZSws8H21ULuQcD0y@int21h>
In-Reply-To: <4a9fd232-e6be-432c-96c1-2ffb80ec09b8@redbarn.org>
References: <ZSvzp5xOFAinfGHb@int21h> <4a9fd232-e6be-432c-96c1-2ffb80ec09b8@redbarn.org>
On Sun, Oct 15, 2023 at 10:46:57AM -0700, Paul Vixie wrote:
>You don't need L2 for this. The firewall pattern when your bare metal
>host has an address in the vlan you use for guests is:
>
>Allow the specific things you want the bare metal host to do;
>
>Deny all else involving the bare metal host;
>
>Allow all else involving the guest subnet.

Maybe that's what I'm doing wrong. I'm not using a vlan.

For firewalling on FreeBSD (guests), I've previously used pf. For firewalling the host, a firewall device has previously been put between the host and the internet. I'd like the host box to pppoe directly. The guests use a mixture of public and private IPs.

The reason I'm asking about this is because I have found that with pf, if I have a rule blocking everything to the host but allowing ssh, everything gets blocked to host & guests combined, because with a bhyve guest the tap interfaces are bridged with the real hardware and so, for lack of a better term, have more or less the same identity. But the MAC address will be different. That's why I was looking at layer 2 and ipfw.

--
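Paul's three-step pattern written as an ipfw ruleset that matches on addresses rather than on the shared bridged interface; this is an added example, not a ruleset from either poster. It assumes ipfw's `me` keyword covers every address configured on the host (the pppoe link included), a constructed guest subnet 203.0.113.0/24, and ssh as the only inbound host service; the script only prints the rules unless run with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): Paul's host/guest pattern as ipfw rules.
# Assumptions: ipfw's "me" matches every address configured on the host,
# including the pppoe link; GUEST_NET is a constructed documentation-range value.
GUEST_NET="${GUEST_NET:-203.0.113.0/24}"

# Emit the ruleset. Matching on "me" and on the guest subnet instead of on the
# interface is what stops a "deny everything to the host" rule from also
# dropping guest traffic: guest packets cross the same bridged NIC, but they
# are never addressed to "me". Bridged guest packets still reach ipfw through
# pfil (net.link.bridge.pfil_bridge / pfil_member), so the guest allow rules
# must sit before the final deny. Repeat 600/610 per guest subnet if needed.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 check-state
add 400 allow tcp from any to me 22 in setup keep-state
add 410 allow icmp from any to me icmptypes 8
add 420 allow ip from me to any out keep-state
add 500 deny log ip from any to me
add 510 deny log ip from me to any
add 600 allow ip from any to $GUEST_NET
add 610 allow ip from $GUEST_NET to any
add 65000 deny log ip from any to any
EOF
}

# Rule number of the first emitted rule whose text contains the fragment.
rule_number() {
    ipfw_rules | grep -F "$1" | head -n 1 | awk '{ print $2 }'
}

# Load the rules into the kernel, one "ipfw -q add ..." per emitted line.
apply_rules() {
    ipfw -q -f flush
    ipfw_rules | while read -r line; do
        # shellcheck disable=SC2086
        ipfw -q $line
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    ipfw_rules
fi
```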
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ZSws8H21ULuQcD0y>