Date: Tue, 13 Oct 2020 20:26:23 +0300
From: Oleksandr Kryvulia <shuriku@shurik.kiev.ua>
To: freebsd-pf@freebsd.org
Subject: Re: pf and tap(4) interfaces
Message-ID: <41851719-8e17-d5d6-4abb-0c4221df70ef@shurik.kiev.ua>
In-Reply-To: <20201013160738.GD30207@rpi4.gilescoppice.lan>
References: <20201013160738.GD30207@rpi4.gilescoppice.lan>
On 13.10.20 19:07, tech-lists wrote:
> Hi,
>
> Is it possible to have a ruleset allowing unfiltered access to a tap
> interface, but filtered on the real interface it's bridged to?
>
> Let's say there are these:
>
> ext_if="ix0"   # real external ip, on a /29
> int_if="igb0"  # internal ip 10.0.0.2/8
> tap_if="tap0"  # this services a vm on this machine, also with a real ip
>
> bridge0 has ix0 and tap0 as members
>
> tap0 needs unfiltered access. it has its own firewall.
> ix0 wants to block everything apart from ssh.
>
> This doesn't work (it blocks everything apart from ssh to the vm as
> well):
>
> [snip]
> block all
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> pass in quick on $tap_if inet proto tcp from any to ($tap_if)
>
> thanks,

External traffic to your tap interface arrives through ix0. So you need to change the third rule:

block all
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
pass in quick on $ext_if inet proto tcp from any to ($tap_if)

Also check net.link.bridge.pfil_member=1

As for me, I prefer to have all IPs and filter them on the bridge interface and not on the members.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41851719-8e17-d5d6-4abb-0c4221df70ef>
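The following pf.conf is an added worked example and is not part of the thread; neither poster wrote it. It keeps the OP's interface names and spells out the two ways the replier's point can be put into practice: filtering on the bridge members (the kernel default for net.link.bridge.pfil_member) or, as the replier prefers, on bridge0 itself. The VM address 192.0.2.10 is a constructed placeholder from the documentation range; it is written out explicitly rather than as ($tap_if), because the parenthesised form expands to addresses configured on the host's tap0, not to the address the VM holds on its own stack. The sysctl comments are assumptions about what you set in /etc/sysctl.conf, not something the thread states.

```pf
# Added example (not from the thread). Interface macros follow the OP's
# layout; the VM address is a constructed placeholder.
ext_if    = "ix0"          # real external interface, member of bridge0
int_if    = "igb0"         # internal network, 10.0.0.2/8
tap_if    = "tap0"         # backs the VM, member of bridge0
bridge_if = "bridge0"
vm_ip     = "192.0.2.10"   # the VM's own public address (assumed)

# --- Variant A: filter on the member interfaces -------------------------
# Assumed sysctls (set in /etc/sysctl.conf):
#   net.link.bridge.pfil_member=1   # bridged packets are filtered on ix0/tap0
#   net.link.bridge.pfil_bridge=0   # ...and NOT a second time on bridge0
# With both sysctls left at 1 a packet is filtered on the member AND on
# bridge0, so "block all" would still drop it on bridge0.

block all

# The host itself: only ssh to its own external address.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22

# The VM: from the outside its traffic enters pf on ix0, not on tap0, so
# the "unfiltered" exception must be expressed on ix0 with the VM's address.
pass in  quick on $ext_if inet from any to $vm_ip
pass out quick on $ext_if inet from $vm_ip to any

# Anything the VM sends enters pf on tap0 (and replies leave on tap0);
# the VM has its own firewall, so let all of it through.
pass quick on $tap_if all

# --- Variant B: filter on bridge0 instead (the replier's preference) ----
# Assumed sysctls:
#   net.link.bridge.pfil_member=0
#   net.link.bridge.pfil_bridge=1
# Bridged packets are then seen only "on bridge0", in both directions, so
# the VM rules name the bridge; the host's own ssh rule stays on ix0.
#
# block all
# pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
# pass quick on $bridge_if inet from any to $vm_ip
# pass quick on $bridge_if inet from $vm_ip to any
```

Check which variant the kernel is actually running with `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`, and load the ruleset with `pfctl -nf /etc/pf.conf` first to catch syntax errors before `pfctl -f`. Note that `set skip on $tap_if` would not have solved the OP's problem either: it disables pf on tap0, but the inbound packets for the VM are evaluated on ix0 (or on bridge0) before they ever reach tap0.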