Date: Tue, 13 Oct 2020 17:07:38 +0100
From: tech-lists <tech-lists@zyxst.net>
To: freebsd-pf@freebsd.org
Subject: pf and tap(4) interfaces
Message-ID: <20201013160738.GD30207@rpi4.gilescoppice.lan>
Hi,

Is it possible to have a ruleset allowing unfiltered access to a tap interface, but filtered on the real interface it's bridged to?

Let's say there are these:

ext_if="ix0"  # real external ip, on a /29
int_if="igb0" # internal ip 10.0.0.2/8
tap_if="tap0" # this services a vm on this machine, also with a real ip

bridge0 has ix0 and tap0 as members

tap0 needs unfiltered access. It has its own firewall.
ix0 wants to block everything apart from ssh.

This doesn't work (it blocks everything apart from ssh to the vm as well):

[snip]
block all
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
pass in quick on $tap_if inet proto tcp from any to ($tap_if)

thanks,
-- 
J.
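The ruleset below is an added example and is not from the original post or any reply to it. It illustrates why the posted rules behave as described and one way to get interface-specific policy on a bridge: a frame addressed to the VM physically arrives on ix0 and is filtered there before it is ever bridged to tap0, so `block all` on ix0 has already dropped it by the time a `pass in quick on $tap_if` rule could match. The example therefore separates host traffic from VM traffic on the external interface by destination address instead of by tap interface. It assumes a placeholder `$vm_ip` for the VM's real address on the /29 (192.0.2.10 from the documentation range is used), that the host's own ix0 address is the one held in `($ext_if)`, and that the if_bridge(4) sysctls `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` are at their defaults (both 1), meaning pf runs on the member interfaces and again on bridge0.

```pf
# Added example (not the original poster's ruleset).
# vm_ip is a placeholder: substitute the VM's actual address on the /29.
ext_if = "ix0"
tap_if = "tap0"
vm_ip  = "192.0.2.10"   # placeholder from the TEST-NET-1 documentation range

# tap0 carries only the VM's traffic and the VM runs its own firewall,
# so take it out of pf entirely rather than trying to pass on it.
set skip on $tap_if

# With the default bridge sysctls, bridge0 is a second filtering point.
# Skipping it keeps every decision on the physical member interface (ix0).
set skip on bridge0

block all

# Frames for the VM enter the host on ix0 before being bridged to tap0.
# Pass them in both directions so the host policy does not apply to the VM.
pass in  quick on $ext_if inet from any    to $vm_ip
pass out quick on $ext_if inet from $vm_ip to any

# The host's own address on ix0 accepts nothing but ssh, as in the post.
# (Host-originated outbound traffic stays blocked, as in the posted rules.)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
```

After loading, `pfctl -sr` shows the rules as pf parsed them (note that `set skip` interfaces do not appear as rules; `pfctl -s info` and `pfctl -si` do not list them either, but `pfctl -vs Interfaces` marks them with the skip flag), and `sysctl net.link.bridge` confirms whether member and bridge filtering are both enabled. The alternative design is to set `net.link.bridge.pfil_member=0` and write the rules against bridge0 instead of ix0; which one is preferable depends on whether the host also needs per-member policy for other bridge members.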