Date:      Wed, 14 Oct 2020 02:37:40 +0100
From:      tech-lists <tech-lists@zyxst.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf and tap(4) interfaces
Message-ID:  <20201014013740.GA69661@rpi4.gilescoppice.lan>
In-Reply-To: <41851719-8e17-d5d6-4abb-0c4221df70ef@shurik.kiev.ua>
References:  <20201013160738.GD30207@rpi4.gilescoppice.lan> <41851719-8e17-d5d6-4abb-0c4221df70ef@shurik.kiev.ua>

Hello,

On Tue, Oct 13, 2020 at 08:26:23PM +0300, Oleksandr Kryvulia wrote:
>>
>> [snip]
>> block all
>> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>> pass in quick on $tap_if inet proto tcp from any to ($tap_if)
>>
>> thanks,
>
>External traffic to your tap interface arrives through ix0. So you need
>to change a third rule:
>
>block all
>pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>pass in quick on $ext_if inet proto tcp from any to ($tap_if)
>
>Also check net.link.bridge.pfil_member=1

Unfortunately this suggestion didn't work for me, but thanks for
suggesting. It ends up blocking everything to the VM.

I should also have mentioned my full context originally:
What I have in this instance is a FreeBSD host running a FreeBSD
VM through bhyve. Both the host and the VM have real IPs.
The VM wants full access as it has its own pf within itself.

The host wants ssh open and no more. I can lock down the ssh server on
the host with sshd_config plus some additions to sysctl.conf, without
involving pf at all. I just wondered if I can do it with pf on the 
host. I'm surprised there's no mention of this type of config in 
the handbook. I would have thought it was common?

I've also tried

set skip on $tap_if

to no effect, in that if I apply this (but keep the rule that allows only
ssh to $ext_if), then I can't access the VM on the VM's open ports. Clearly
I'm doing something wrong.

>As for me I prefer to have  all IPs and filter it on bridge interface and
>not on members.

How do you do that? It's probably (if I understand correctly) not for me
because I'm using bhyve, and $ext_if and $tap_if are both members and
they need different access. But I'd be interested how you're filtering
on the bridge interface.

-- 
J.
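The following pf.conf is an added example for the setup described in this message (bhyve host, external NIC and the guest's tap bridged together, host exposes only ssh, guest runs its own pf). It is not code from the thread or from the FreeBSD project; the interface names, the sysctl values and the guest address 203.0.113.20 are assumptions to be replaced with your own. The point it illustrates is that with member filtering enabled, a packet from the Internet to the guest is seen by pf "in" on ix0 and "out" on tap0, never "in" on tap0, so the rule has to pass it on ix0 and must name the guest's own address: "($tap_if)" expands to the addresses configured on tap0, and a tap that is only a bridge member normally has none, so a rule written with it matches nothing.

```pf
# Added example, not from the original thread. Interface names, sysctls
# and the guest address are assumptions; adjust for your host.
#
# Filter on the bridge *members*, not on the bridge interface. Defaults
# differ between releases, so set them explicitly in /etc/sysctl.conf:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0
# With pfil_member=1 an outside packet for the guest is seen "in" on ix0
# and "out" on tap0; the guest's reply is seen "in" on tap0 and "out" on
# ix0. Only IP frames are handed to pf (net.link.bridge.pfil_onlyip=1),
# so ARP for the guest is unaffected by the rules below.

ext_if = "ix0"
tap_if = "tap0"
vm_ip  = "203.0.113.20"    # assumed guest address; it lives inside the
                           # guest, not on tap0, so ($tap_if) won't find it

set skip on lo0
set skip on $tap_if        # the guest's own pf takes care of that side

block all

# host: ssh only, plus whatever the host itself initiates
pass in  quick on $ext_if inet proto tcp from any to ($ext_if) port 22
pass out quick on $ext_if from ($ext_if)

# guest: bridged traffic enters and leaves on ix0, so it must pass there;
# state created "in" on ix0 lets the guest's replies back out on ix0,
# and state created "out" on ix0 lets replies to guest-initiated
# connections back in
pass in  quick on $ext_if from any    to $vm_ip
pass out quick on $ext_if from $vm_ip to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the member/bridge sysctls with `sysctl net.link.bridge` on the running host: if pfil_bridge is also 1, every bridged packet is filtered twice (on the member and again on bridge0), which is the usual reason a ruleset like this behaves differently from what the rules suggest.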
