List: freebsd-net
Subject: ipfw firewalling for bhyve host, bypassing bhyve guests
From: Paul Vixie <paul () redbarn ! org>
Date: 2023-10-15 17:46:57
Message-ID: 4a9fd232-e6be-432c-96c1-2ffb80ec09b8 () redbarn ! org
You don't need L2 for this. The firewall pattern when your bare metal host has an address in the vlan you use for guests is:
Allow the specific things you want the bare metal host to do;
Deny all else involving the bare metal host;
Allow all else involving the guest subnet.
p vixie
On Oct 15, 2023 07:14, void <void@f-m.fm> wrote:
Hello,
My objective is to protect services on a bhyve host, while allowing traffic
to the bhyve guests to pass to them unprocessed, as these each have pf and
their own firewall policies. The host is running an up-to-date 13-stable.
I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes
layer 3, so that is why I want to use ipfw on the bhyve host.
So we have bridge0 with igb0 tap0 and tap1 as members.
In this example, igb0 has a mac address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33
How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply
no more rules to frames matching those MACs?
Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22
apart from 10.0.0.0/24
22:22:22:22:22:22 passing unhindered, unprocessed.
Possible?
--
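The three-step pattern from the reply, written out as an ipfw ruleset. This is an added example, not a ruleset from the thread; it assumes the host's own address sits on bridge0 inside the guest subnet 10.0.0.0/24 from the question, and that ssh to the host is only wanted from that subnet.

```shell
#!/bin/sh
# Added example: host-only ipfw policy for a bhyve host that shares the guest VLAN.
# Assumed: host address on bridge0 within 10.0.0.0/24; ssh to the host only from
# that subnet. Prints the rules; with APPLY=1 it also loads them (root on the host).

GUEST_NET="10.0.0.0/24"      # subnet shared by the guests and the host's address
SSH_FROM="$GUEST_NET"        # who may reach the host's sshd

rule() {
    # Print one rule; execute it as well when APPLY=1.
    echo "add $*"
    if [ "${APPLY:-0}" = "1" ]; then ipfw -q add "$@"; fi
}

build_rules() {
    # "me" matches every IPv4 address configured on the host, so these rules bind
    # to the host's own stack no matter which bridge member carries the frame.
    rule 100 allow ip from any to any via lo0

    # 1. Specific things the bare-metal host is allowed to do.
    rule 200 allow tcp from "$SSH_FROM" to me 22 setup keep-state   # ssh from the guest subnet only
    rule 210 allow icmp from any to me icmptypes 8                   # let the host answer pings
    rule 220 allow ip from me to any keep-state                      # host-initiated traffic and replies

    # 2. Deny everything else that involves the host itself.
    rule 300 deny ip from any to me
    rule 310 deny ip from me to any

    # 3. Whatever is left is guest traffic crossing the bridge: let it through
    #    untouched; the guests' own pf policies take over from here.
    rule 400 allow ip from any to any
}

if [ "${APPLY:-0}" = "1" ]; then ipfw -q flush; fi
build_rules
```

Bridged frames reach these layer-3 rules because net.link.bridge.pfil_member defaults to 1, so rule 400 is what lets guest traffic pass. Only IPv4 is covered: `me` does not match the host's IPv6 addresses, which need parallel `me6` rules.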