Date: Sun, 23 Mar 2025 14:07:53 +0000
From: void <void@f-m.fm>
To: freebsd-net@freebsd.org
Subject: ipfw layer2+3 firewalling question
Message-ID: <Z-AVufGjmc777H-U@int21h>
Hi,

(Originally posted on the forums.)

My objective is to protect services on a bhyve host, while allowing traffic to the bhyve guests to pass to and from them unprocessed, as these each have pf and their own firewall policies. The host is running recent -current.

I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes layer 3, and to filter on bridge or tap requires layer 2, so that is why I want to use ipfw on the bhyve host.

So we have bridge0 with igb0, tap0 and tap1 as members. In this example, igb0 has a MAC address of 11:11:11:11:11:11, tap0 has 22:22:22:22:22:22 and tap1 has 33:33:33:33:33:33.

How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply no more rules to frames matching those MACs?

Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from 10.0.0.0/24, and define that rule with the regular layer 3 syntax, and then want 22:22:22:22:22:22 passing unhindered, unprocessed. Possible? Looking for a worked example but can't seem to find one.

Could it be like

  $cmd add allow all from any to any via tap0

or

  $cmd add allow all from any to any via 22:22:22:22:22:22

or something else?

There are a number of ipfw sysctls, like:

  net.link.bridge.ipfw
  net.link.bridge.allow_llz_overlap
  net.link.bridge.pfil_local_phys
  net.link.bridge.pfil_member
  net.link.bridge.ipfw_arp
  net.link.bridge.pfil_bridge
  net.link.bridge.pfil_onlyip

Are any of these needed in my context? I need to allow based on tap, not the bridge (I guess). The bridge has the real interface (igb0) as a member as well. So I think that would preclude me from using the above sysctls. Is this correct?

--
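The following script is an added example, not part of the original message or a reply to it, showing one way the ruleset sketched above could be written with ipfw's layer-2 (MAC) and layer-3 syntax. Everything beyond the interfaces, MACs and 10.0.0.0/24 given in the post is an assumption: the rule numbers, the choice of net.link.ether.ipfw and net.link.bridge.ipfw as the sysctls that hand Ethernet frames to ipfw, and the "allow everything else" tail rule. Per ipfw(8), a MAC clause is written "MAC dst-mac src-mac" and the "layer2" option restricts a rule to the Ethernet pass; since ipfw evaluates a frame once at layer 2 and the same packet again at layer 3, the guest traffic is accepted at both passes before any host rule is reached. By default the script only prints the commands so the ruleset can be reviewed; run it with IPFW=ipfw SYSCTL=sysctl as root to apply them.

```shell
#!/bin/sh
# Added example for the bhyve-host scenario in the message above; not the
# poster's code. Assumptions: bridge0 has igb0, tap0 and tap1 as members with
# the MACs from the post, host sshd should only be reachable from 10.0.0.0/24,
# and rule numbers / sysctl choices are this example's own.

IPFW="${IPFW:-echo ipfw}"        # set IPFW=ipfw to load rules for real
SYSCTL="${SYSCTL:-echo sysctl}"  # set SYSCTL=sysctl to change knobs for real
TAP0_MAC="22:22:22:22:22:22"     # tap0, from the post
TAP1_MAC="33:33:33:33:33:33"     # tap1, from the post
MGMT_NET="10.0.0.0/24"           # admin network allowed to reach host sshd

# Layer-2 visibility: ipfw only sees Ethernet frames when these are on.
# Assumption: both knobs are still what -current uses; confirm on the host.
enable_layer2() {
    $SYSCTL net.link.ether.ipfw=1    # hand Ethernet frames to ipfw
    $SYSCTL net.link.bridge.ipfw=1   # including frames forwarded by bridge0
}

# Guest traffic: accept frames carrying a guest MAC as source or destination
# at the layer-2 pass, then accept the same packets at the layer-3 pass by
# tap interface, so none of the host rules below ever apply to them.
guest_rules() {
    for mac in "$TAP0_MAC" "$TAP1_MAC"; do
        $IPFW add 100 allow MAC any "$mac" layer2   # frames from the guest
        $IPFW add 100 allow MAC "$mac" any layer2   # frames to the guest
    done
    $IPFW add 200 allow all from any to any via tap0
    $IPFW add 200 allow all from any to any via tap1
}

# Host protection in plain layer-3 syntax on the physical interface:
# sshd reachable only from the admin net, other port-22 attempts logged and
# dropped, everything else allowed (the host's own services are the target
# of this policy; tighten the tail rule as needed).
host_rules() {
    $IPFW add 300 allow tcp from "$MGMT_NET" to me 22 in via igb0
    $IPFW add 310 deny log tcp from any to me 22 in via igb0
    $IPFW add 65000 allow all from any to any
}

enable_layer2
guest_rules
host_rules
```

Rule 100 is deliberately split into two commands per MAC because the MAC clause is ordered (destination first); a single "MAC any any" would match every frame on the bridge, including those to and from igb0, and defeat the host rules. Check the loaded result with "ipfw -a list" and watch the rule-310 log counter to confirm that SSH attempts from outside 10.0.0.0/24 are being dropped at igb0 rather than leaking through a guest rule.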
