Hi,
(originally posted on the forums)
My objective is to protect services on a bhyve host, while allowing traffic
to the bhyve guests to pass to and from them unprocessed, as these each have pf and
their own firewall policies. The host is running recent -current.
I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes
layer 3, and to filter on bridge or tap requires layer 2, so that is why I want
to use ipfw on the bhyve host.
So we have bridge0 with igb0 tap0 and tap1 as members.
In this example,
igb0 has a MAC address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33
How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply no
more rules to frames matching those MACs?
Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from
10.0.0.0/24, and define that rule with the regular layer 3 syntax,
and then want 22:22:22:22:22:22 passing unhindered, unprocessed.
Possible? Looking for a worked example but can't seem to find one.
Could it be like "$cmd add allow all from any to any via tap0"
or "$cmd add allow all from any to any via 22:22:22:22:22:22"
or something else?
There are a number of ipfw sysctls, like
net.link.bridge.ipfw
net.link.bridge.allow_llz_overlap
net.link.bridge.pfil_local_phys
net.link.bridge.pfil_member
net.link.bridge.ipfw_arp
net.link.bridge.pfil_bridge
net.link.bridge.pfil_onlyip
Are any of these needed in my context?
I need to allow based on tap, not the bridge (I guess).
The bridge has the real interface (igb0) as a member as well.
So I think that would preclude me from using the above sysctls.
Is this correct?
--
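One way to write the policy asked for above, as an added example that is not from the post or any reply to it. It assumes a FreeBSD bhyve host with ipfw loaded and layer-2 frames delivered to ipfw (net.link.ether.ipfw=1 and net.link.bridge.ipfw=1), and that the host's own IP address is configured on igb0; the rule numbers and the trusted network are placeholders.

```shell
#!/bin/sh
# Added example, not from the post or a reply. Emits an ipfw ruleset for the
# policy described above: frames to/from the guest MACs are passed at layer 2
# by an early rule (ipfw is first-match, so nothing later applies to them),
# and the host's own SSH port is restricted with ordinary layer-3 syntax.
# Assumptions: FreeBSD host, ipfw loaded, layer-2 frames reach ipfw
# (net.link.ether.ipfw=1, net.link.bridge.ipfw=1), host IP lives on igb0.
GUEST_MACS="22:22:22:22:22:22 33:33:33:33:33:33"   # tap0, tap1 (from the post)
HOST_IF="igb0"            # if the host IP sits on bridge0, use recv bridge0
TRUSTED_NET="10.0.0.0/24" # only this network may reach the host's port 22

# Print the rules rather than apply them, so they can be reviewed first and
# then piped into `ipfw -q /dev/stdin`.
bhyve_host_rules() {
    n=100
    for mac in $GUEST_MACS; do
        # MAC option order is "MAC dst src": first rule = frames to the guest,
        # second = frames from the guest. "layer2" keeps them off the L3 pass.
        printf 'add %d allow all from any to any MAC %s any layer2\n' "$n" "$mac"
        n=$((n + 10))
        printf 'add %d allow all from any to any MAC any %s layer2\n' "$n" "$mac"
        n=$((n + 10))
    done
    # Remaining layer-2 frames are passed; host policy is decided on the
    # layer-3 pass, where the same packet is presented to ipfw again.
    printf 'add %d allow all from any to any layer2\n' "$n"; n=$((n + 10))
    # Host SSH on igb0: allow the trusted network, deny everyone else.
    printf 'add %d allow tcp from %s to me 22 in recv %s\n' "$n" "$TRUSTED_NET" "$HOST_IF"
    n=$((n + 10))
    printf 'add %d deny tcp from any to me 22 in recv %s\n' "$n" "$HOST_IF"
    n=$((n + 10))
    # Bridged guest packets never match "to me", so they fall through here.
    printf 'add %d allow ip from any to any\n' "$n"
}

rule_count() { bhyve_host_rules | wc -l | tr -d ' '; }   # for self-checks
has_rule()   { bhyve_host_rules | grep -q -- "$1"; }

if [ "${APPLY:-0}" = 1 ]; then
    bhyve_host_rules | ipfw -q /dev/stdin
else
    bhyve_host_rules
fi
```

Run with `APPLY=1` to load the rules; without it the script only prints them for review.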