From: tech-lists
To: freebsd-pf@freebsd.org
Subject: Re: pf and tap(4) interfaces
Date: Wed, 14 Oct 2020 02:37:40 +0100
Message-ID: <20201014013740.GA69661@rpi4.gilescoppice.lan>
In-Reply-To: <41851719-8e17-d5d6-4abb-0c4221df70ef@shurik.kiev.ua>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

On Tue, Oct 13, 2020 at 08:26:23PM +0300, Oleksandr Kryvulia wrote:
>>
>> [snip]
>> block all
>> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>> pass in quick on $tap_if inet proto tcp from any to ($tap_if)
>>
>> thanks,
>
>External traffic to your tap interface arrives through ix0. So you need
>to change a third rule:
>
>block all
>pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>pass in quick on $ext_if inet proto tcp from any to ($tap_if)
>
>Also check net.link.bridge.pfil_member=1

Unfortunately this suggestion didn't work for me, but thanks for suggesting.
It ends up blocking everything to the vm.

I should also have mentioned my full context originally:

What I have in this instance is a freebsd host running a freebsd
vm through bhyve. Both the host and the vm have real ips.
The vm wants full access as it has its own pf within itself.
The host wants ssh open and no more. I can lock down the ssh server
on the host with sshd_config plus some additions to sysctl.conf,
without involving pf at all. I just wondered if I can do it with pf on the
host. I'm surprised there's no mention of this type of config in
the handbook. I would have thought it was common?

I've also tried set skip on $tap_if to no effect, in that if I apply this
(but have the allow-only-ssh rule to $ext_if), then I can't access the vm on
the vm's open ports. Clearly I'm doing something wrong.

>As for me I prefer to have all IPs and filter it on bridge interface and
>not on members.

How do you do that? It's probably (if I understand correctly) not for me
because I'm using bhyve, and $ext_if and $tap_if are both members and they
need different access. But I'd be interested how you're filtering on the
bridge interface.

--
J.
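The following pf.conf is an added example for the setup described in this message (a bhyve guest on a tap interface bridged with the host's ix0, host exposing ssh only, guest filtering for itself); it is not the poster's configuration and not anything proposed in the thread. It assumes the host's own address is configured on ix0 rather than on bridge0, that net.link.bridge.pfil_member=1 so pf filters on the bridge members, and that the guest's public address is the hypothetical 192.0.2.20 (documentation range). The point it shows is why the quoted suggestion matched nothing: in pf, `($tap_if)` expands to the addresses configured on the host's tap0, which on a bridged bhyve tap is normally none, so the rule never matches and `block all` wins. The guest's address has to be named explicitly, and bridged traffic is filtered on ix0 in both directions, so it needs both an in and an out rule there.

```pf
# Added example, not the poster's configuration. Assumes: host address on
# ix0 (not bridge0), net.link.bridge.pfil_member=1, and a hypothetical guest
# address of 192.0.2.20.
ext_if = "ix0"
tap_if = "tap0"
vm_ip  = "192.0.2.20"

set skip on lo0
# The guest runs its own pf, so the host does not filter on the tap side at
# all; everything concerning the guest is decided on ix0 below.
set skip on $tap_if

block all

# Host: ssh only. ($ext_if) expands to the addresses on ix0, i.e. the
# host's own address, never the guest's.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22

# Host's own outbound traffic. Remove this rule if the host must not
# initiate anything at all.
pass out quick on $ext_if inet from ($ext_if) to any

# Guest: the host only bridges its frames. A frame from the outside enters
# on ix0 and leaves on tap0; a frame from the guest enters on tap0 (skipped)
# and leaves on ix0, so ix0 needs both directions. Match on the guest's
# address explicitly: "to ($tap_if)" would expand to the host's tap0
# addresses, which are usually none, and the rule would match nothing.
pass in  quick on $ext_if from any    to $vm_ip
pass out quick on $ext_if from $vm_ip to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm which filtering hooks are active with `sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge`. To see which rule is dropping the guest's traffic, change the block rule to `block log all` and watch `tcpdump -nettti pflog0`. If the host's address is on bridge0 instead of ix0, `($ext_if)` in the ssh rule must become `(bridge0)` and the bridge-interface hook (net.link.bridge.pfil_bridge) is the one that matters; that is the "filter on the bridge interface, not on members" approach mentioned in the reply being quoted. The guest rules above are stateful with pf's defaults, which is fine when the host sees every connection from its first packet; if the host should be fully transparent and leave all TCP sanity checking to the guest's own pf, append `no state` to those two rules.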