Date: Wed, 14 Oct 2020 09:55:19 +0300 From: Oleksandr Kryvulia <shuriku@shurik.kiev.ua> To: freebsd-pf@freebsd.org Subject: Re: pf and tap(4) interfaces Message-ID: <785bef6b-3500-7f54-3d25-a0700e0b9678@shurik.kiev.ua> In-Reply-To: <20201014013740.GA69661@rpi4.gilescoppice.lan> References: <20201013160738.GD30207@rpi4.gilescoppice.lan> <41851719-8e17-d5d6-4abb-0c4221df70ef@shurik.kiev.ua> <20201014013740.GA69661@rpi4.gilescoppice.lan>
On 14.10.20 04:37, tech-lists wrote:
>
> Hello,
>
> On Tue, Oct 13, 2020 at 08:26:23PM +0300, Oleksandr Kryvulia wrote:
>>>
>>> [snip]
>>> block all
>>> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>>> pass in quick on $tap_if inet proto tcp from any to ($tap_if)
>>>
>>> thanks,
>>
>> External traffic to your tap interface arrives through ix0. So you need
>> to change the third rule:
>>
>> block all
>> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
>> pass in quick on $ext_if inet proto tcp from any to ($tap_if)
>>
>> Also check net.link.bridge.pfil_member=1
>
> Unfortunately this suggestion didn't work for me, but thanks for
> suggesting. It ends up blocking everything to the VM.
> I should also have mentioned my full context originally: what I have
> in this instance is a FreeBSD host running a FreeBSD VM through bhyve.
> Both the host and the VM have real IPs. The VM wants full access as it
> has its own pf within itself.
> The host wants ssh open and no more. I can lock down the ssh server on
> the host with sshd_config plus some additions to sysctl.conf, without
> involving pf at all. I just wondered if I can do it with pf on the
> host. I'm surprised there's no mention of this type of config in the
> handbook. I would have thought it was common?
>
> I've also tried
>
>     set skip on $tap_if
>
> to no effect, in that if I apply this (but have the allow only ssh to
> $ext_if), then I can't access the VM on the VM's open ports. Clearly I'm
> doing something wrong.
>
>> As for me I prefer to have all IPs and filter it on the bridge interface
>> and not on members.
>
> How do you do that? It's probably (if I understand correctly) not for me
> because I'm using bhyve, and $ext_if and $tap_if are both members and
> they need different access. But I'd be interested how you're filtering
> on the bridge interface.

Your VM IP is assigned on the VM's internal interface, not on tap0.
This rule may not make any sense:

    pass in quick on $ext_if inet proto tcp from any to ($tap_if)

Try to specify the real VM IP instead of the interface name:

    pass in quick on $ext_if inet proto tcp from any to a.b.c.d

In my setup, for example:

    ifconfig bridge0 create addm ix0 addm tap0
    ifconfig bridge0 a.b.c.d/24    (your external ip)

Assign your VM IP (1.2.3.4) on the VM's internal interface (not on tap0).

Set in /etc/sysctl.conf and apply it:

    net.link.bridge.pfil_bridge=1
    net.link.bridge.pfil_member=1
    net.link.bridge.pfil_local_phys=1

Your pf rules will look like this:

    ext_if="bridge0"
    vm_ip="1.2.3.4"
    block all
    pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
    pass in quick on $ext_if inet proto tcp from any to $vm_ip

or

    pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
    block in quick on $ext_if inet proto tcp from any to ($ext_if)
    pass in quick on $ext_if
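A complete host-side configuration built on the "filter on bridge0" approach from the message above, added here as a worked example; it is not from the thread, from either poster, or from the FreeBSD handbook. The interface names ix0, tap0 and bridge0 follow the thread; the addresses 192.0.2.10 (host), 192.0.2.20 (VM) and 198.51.100.0/24 (admin network) are constructed documentation placeholders, and the bruteforce table is extra hardening beyond what the thread asks for. It departs from the sysctl values quoted above in one point: it sets net.link.bridge.pfil_member=0, so each frame meets the ruleset once, on bridge0, rather than also on ix0 and tap0, where an interface-less block all would otherwise be applied to it first. The rc.conf and sysctl.conf lines are carried as comments so the three files stay together.

```pf
# /etc/pf.conf on the bhyve host (added example, not from the thread).
#
# Assumed layout, following the thread: ix0 is the physical NIC, tap0 the
# VM's backend, both are members of bridge0, and the host's own address
# sits on bridge0, not on ix0. The VM's address is configured inside the
# guest, never on tap0. All addresses are constructed placeholders.
#
# Matching /etc/rc.conf (the bridge must exist before pf loads):
#   cloned_interfaces="bridge0 tap0"
#   ifconfig_ix0="up"
#   ifconfig_bridge0="inet 192.0.2.10/24 addm ix0 addm tap0 up"
#   pf_enable="YES"
#   pflog_enable="YES"
#
# Matching /etc/sysctl.conf: filter once, on the bridge. With pfil_member=1
# the same frame is also run through this ruleset on ix0 and on tap0, and
# an interface-less "block all" drops it there before any "on bridge0"
# rule is reached.
#   net.link.bridge.pfil_bridge=1
#   net.link.bridge.pfil_member=0
#   net.link.bridge.pfil_local_phys=0

ext_if    = "bridge0"
host_ip   = "192.0.2.10"
vm_ip     = "192.0.2.20"
admin_net = "198.51.100.0/24"   # use "any" to reproduce the thread's rule

# Sources that hammered the ssh port; clear by hand with
# "pfctl -t bruteforce -T flush".
table <bruteforce> persist

set skip on lo0
set block-policy drop

# Default deny, logged so that misses show up on pflog0.
block log all

block in quick on $ext_if from <bruteforce>

# Host: ssh in (rate limited per source), nothing else in, everything out.
# Replies to the host's own outbound connections are matched by state
# before the ruleset is consulted, so they need no rule of their own.
pass in quick on $ext_if inet proto tcp from $admin_net to $host_ip port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush)
block in quick on $ext_if inet from any to $host_ip
pass out quick on $ext_if inet from $host_ip to any

# VM: it runs its own pf, so the host only forwards. A bridged frame is
# evaluated twice on bridge0, "in" from the member it arrived on and "out"
# towards the member it leaves by, hence both directions for both flows.
pass in  quick on $ext_if inet from any    to $vm_ip
pass out quick on $ext_if inet from any    to $vm_ip
pass in  quick on $ext_if inet from $vm_ip to any
pass out quick on $ext_if inet from $vm_ip to any

# Only IPv4 is handled above: "block log all" also drops every IPv6 frame,
# neighbour discovery included, so add inet6 rules before enabling v6.
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and watch what the default rule drops with tcpdump -n -e -ttt -i pflog0. The VM-to-host path is deliberately covered by the same two host rules: traffic from 192.0.2.20 to the host's address is passed only on port 22, which is the "ssh open and no more" requirement applied to the guest as well as to the outside.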