Date: Sun, 15 Oct 2023 10:46:57 -0700
From: Paul Vixie <paul@redbarn.org>
To: freebsd-net@freebsd.org, void <void@f-m.fm>
Subject: ipfw firewalling for bhyve host, bypassing bhyve guests
Message-ID: <4a9fd232-e6be-432c-96c1-2ffb80ec09b8@redbarn.org>
In-Reply-To: <ZSvzp5xOFAinfGHb@int21h>
References: <ZSvzp5xOFAinfGHb@int21h>
You don't need L2 for this. The firewall pattern when your bare metal host has an address in the vlan you use for guests is:
Allow the specific things you want the bare metal host to do;
Deny all else involving the bare metal host;
Allow all else involving the guest subnet.
p vixie
On Oct 15, 2023 07:14, void <void@f-m.fm> wrote:
Hello,
My objective is to protect services on a bhyve host, while allowing traffic
to the bhyve guests to pass to them unprocessed, as these each have pf and
their own firewall policies. The host is running an up-to-date 13-stable.
I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes
layer 3, so that is why I want to use ipfw on the bhyve host.
So we have bridge0 with igb0, tap0 and tap1 as members.
In this example, igb0 has a MAC address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33
How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply
no more rules to frames matching those MACs?
Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22
apart from 10.0.0.0/24
22:22:22:22:22:22 passing unhindered, unprocessed.
Possible?
--
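The three-step pattern in Paul's reply (allow the host's specific services, deny everything else involving the host, allow everything involving the guest subnet) written out as an rc.firewall-style ipfw loader. This is an added illustration, not a ruleset from either poster. It assumes the host's own addresses are matched with ipfw's `me` keyword, that the guests live in 192.0.2.0/24 (a constructed example subnet), and that the only management access wanted on the host is ssh from 10.0.0.0/24 as in the original question; `fwcmd`, `guest_net` and `admin_net` are the script's own variable names. Because every host-specific rule matches on `me`, frames bridged through to tap0/tap1 never match them and fall through to the guest-subnet allows, so no layer-2 MAC matching is needed. Whether bridged frames are presented to ipfw at all is controlled by the `net.link.bridge.pfil_bridge` and `net.link.bridge.pfil_member` sysctls; check their values on the host before relying on rule 2000/2010 being consulted.

```shell
#!/bin/sh
# Hypothetical ipfw loader for a bhyve host on a bridge shared with guests.
# Usage:  sh bhyve-host-ipfw.sh dry-run   (print the rules that would be loaded)
#         sh bhyve-host-ipfw.sh apply     (load them with /sbin/ipfw, as root)

fwcmd="${fwcmd:-/sbin/ipfw}"          # set to "echo" for a dry run
guest_net="${guest_net:-192.0.2.0/24}" # constructed example guest subnet
admin_net="${admin_net:-10.0.0.0/24}"  # network allowed to ssh to the host

load_rules() {
    ${fwcmd} -f flush

    # 1. Allow the specific things the bare-metal host is meant to do.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 check-state
    # ssh to the host only from the admin network (void's requirement)
    ${fwcmd} add 300 allow tcp from ${admin_net} to me 22 setup keep-state
    # let the host answer pings
    ${fwcmd} add 310 allow icmp from any to me icmptypes 8
    # host-initiated sessions (package updates, DNS, NTP); replies come back via check-state
    ${fwcmd} add 320 allow tcp from me to any setup keep-state
    ${fwcmd} add 330 allow udp from me to any 53 keep-state
    ${fwcmd} add 340 allow udp from me to any 123 keep-state

    # 2. Deny all else involving the bare-metal host.  'me' matches every
    #    address configured on the host, including bridge0's, so ipfw is
    #    first-match and nothing below these rules can reach host services.
    ${fwcmd} add 1000 deny log ip from any to me
    ${fwcmd} add 1010 deny log ip from me to any

    # 3. Allow all else involving the guest subnet.  Bridged frames for the
    #    tap interfaces never matched 'me', so they land here and are left
    #    to the guests' own pf policies.
    ${fwcmd} add 2000 allow ip from any to ${guest_net}
    ${fwcmd} add 2010 allow ip from ${guest_net} to any

    # Explicit catch-all so the result does not depend on the kernel's
    # compiled-in default for rule 65535.
    ${fwcmd} add 65000 deny log ip from any to any
}

case "${1:-}" in
    apply)   load_rules ;;
    dry-run) fwcmd=echo; load_rules ;;
    *)       ;;   # no argument: define the function only (safe to source)
esac
```

Run the `dry-run` form first and read the ordering: the two `deny ... me` rules at 1000/1010 must sit between the host's allow rules and the guest-subnet allows, otherwise step 3 would reopen the host. The `log` keyword on the deny rules gives you `ipfw0` / syslog visibility into what is being dropped while you tune step 1.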
