On Sun, Oct 15, 2023 at 10:46:57AM -0700, Paul Vixie wrote:
> You don't need L2 for this. The firewall pattern when your bare metal
> host has an address in the vlan you use for guests is:
> Allow the specific things you want the bare metal host to do;
> Deny all else involving the bare metal host;
> Allow all else involving the guest subnet.
Maybe that's what I'm doing wrong. I'm not using a vlan.
For firewalling on FreeBSD (guests), I've previously used pf.
For firewalling the host, a firewall device has previously
been put between the host and the internet. I'd like the
host box to pppoe directly.
The guests use a mixture of public and private IPs.
The reason I'm asking about this is because I have found that with pf,
if I have a rule blocking everything to the host but allowing ssh,
everything gets blocked to host & guests combined because with a bhyve guest
the tap interfaces are bridged with the real hardware, and so, for lack
of a better term, have more or less the same identity.
But the MAC address will be different. That's why I was looking at layer 2
and ipfw.
--
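The three-step pattern quoted above, written out as pf rules for a bhyve host whose tap interfaces share a bridge with the guests. This is an added example, not configuration from either poster; the interface name `pppoe0`, the host address, the guest subnet and the bridge member names are all assumptions and placeholders. It filters by address on the one interface where host and guest traffic meets the internet, which is what lets a "deny all else to the host" rule stop short of the guests even though they ride the same bridge.

```pf
# Added example (not from the thread). All names and addresses are assumed.
ext_if    = "pppoe0"          # assumed: the interface host and guest traffic exits on
host_ip   = "203.0.113.10"    # placeholder: the bare-metal host's own address
guest_net = "203.0.113.0/24"  # placeholder: the subnet the guests live in

# Do not filter the bridge plumbing itself; otherwise bridged guest frames are
# judged once on the tap/bridge members and again on $ext_if. Every decision
# below is made exactly once, on $ext_if, by address.
set skip on { lo0 bridge0 tap0 tap1 }

# 1. Allow the specific things the bare-metal host is permitted to do.
pass in  quick on $ext_if inet proto tcp from any to $host_ip port 22 keep state
pass out quick on $ext_if inet from $host_ip to any keep state

# 2. Deny everything else that involves the host address (logged).
block in  quick log on $ext_if inet from any to $host_ip
block out quick log on $ext_if inet from $host_ip to any

# 3. Allow everything else involving the guest subnet.
pass quick on $ext_if inet from $guest_net to any keep state
pass quick on $ext_if inet from any to $guest_net keep state
```

`quick` gives first-match semantics, so the rules read top to bottom in the same order as the quoted pattern. Check the syntax before loading with `pfctl -nf /etc/pf.conf`, and if guest frames are still being filtered on the bridge members after `set skip`, the FreeBSD bridge's `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` sysctls decide where the bridge hands frames to pf at all.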