From: "mal content"
To: freebsd-hackers@freebsd.org
Date: Sat, 12 Aug 2006 17:36:30 +0100
Subject: Packet filtering on tap interfaces

Hello, this is a simplified re-phrasing of a question posted to questions@.
It didn't get any answers over there because I think people took one look at it and switched off. A cut down version follows...

How does one do packet filtering on tap interfaces? I'm using qemu and I'm going to be loading some untrusted OS images, so I'd like complete filtering of packets to and from the qemu process. I was given a partial solution by somebody before, but I couldn't get it to work.

I'm currently:

1. Using bridge.sh[1] to bridge between tap0 and my real fxp0 interface.
2. Trying to log or filter packets on tap0.

My current pf.conf looks like this:

    nic0 = "fxp0"
    host_ip = "192.168.2.5"
    pass in log all
    pass out log all

Which should surely filter everything. However, I can use the network on the guest OS (going through tap0) without ever triggering the pf logging. Why is this happening?

Even when explicitly specifying:

    pass in log all on tap0
    pass out log all on tap0

I still don't see any logs. Can tap interfaces reliably be filtered?

MC

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/netgraph/ether.bridge
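An added example from the editor, not code from the original post: a default-deny pf ruleset for the guest side of the bridge, plus the check that decides whether such a rule can match at all. pf hooks in at the IP layer, so frames the netgraph ether.bridge switches between its lower hooks bypass it; if_bridge(4) runs bridged frames through pf on each member interface when net.link.bridge.pfil_member is 1, which is the setup assumed here, along with the post's tap0/fxp0 names and a constructed guest address.

```shell
#!/bin/sh
# Added example (editor's code, not from the post). Assumes an if_bridge(4)
# bridge of tap0 and fxp0 with net.link.bridge.pfil_member=1, so frames
# bridged on behalf of the guest are run through pf on tap0. The guest
# address 192.168.2.100 and the file path are constructed sample values.

# Emit a default-deny ruleset for the tap side: log and block everything,
# then allow only what an untrusted guest needs (DHCP, DNS, HTTP/HTTPS).
# pf grammar: "on <interface>" comes before "all" / "from ... to ...".
tap_policy() {
  tap=$1
  guest=$2
  cat <<EOF
tap_if = "$tap"
guest  = "$guest"
block log on \$tap_if all
pass in  log quick on \$tap_if proto udp from any port 68 to any port 67 keep state
pass out log quick on \$tap_if proto udp from any port 67 to any port 68
pass in  log quick on \$tap_if proto { tcp, udp } from \$guest to any port 53 keep state
pass in  log quick on \$tap_if proto tcp from \$guest to any port { 80, 443 } keep state
EOF
}

# Read "sysctl net.link.bridge" output on stdin; succeed only if member
# filtering is on. With it off, a tap0 rule never sees bridged frames.
bridge_filter_enabled() {
  grep -q '^net.link.bridge.pfil_member: 1$'
}

# Live use on the FreeBSD host (not executed here): ./tap_pf.sh apply
if [ "$1" = apply ]; then
  sysctl net.link.bridge | bridge_filter_enabled \
    || sysctl net.link.bridge.pfil_member=1
  tap_policy tap0 192.168.2.100 > /etc/pf.tap0.conf
  pfctl -nf /etc/pf.tap0.conf && pfctl -f /etc/pf.tap0.conf   # syntax check, then load
  tcpdump -n -e -ttt -i pflog0         # each logged packet now shows up here
fi
```

With the ruleset loaded, guest traffic that matches no pass rule is dropped and appears on pflog0, which is the observation the post was missing.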