On 23-03-2025 at 15:07 void wrote:
Hi,

(originally posted on the forums)

My objective is to protect services on a bhyve host, while allowing traffic to 
the bhyve guests to pass to and from them unprocessed, as these each have pf 
and their own firewall policies. The host running recent -current.

I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes 
layer 3, and to filter on bridge or tap requires layer 2, so that is why I want 
to use ipfw on the bhyve host.

So we have bridge0 with igb0 tap0 and tap1 as members.

In this example, igb0 has a mac address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33

How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply 
no more rules to frames matching those MACs?

Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from 
10.0.0.0/24, and define that rule with the regular layer3 syntax.

and then want 22:22:22:22:22:22 passing unhindered, unprocessed.

Possible? Looking for a worked example but can't seem to find one.

Could it be like "$cmd add allow all from any to any via tap0"

or "$cmd add allow all from any to any via 22:22:22:22:22:22"

or something else?

There are a number of ipfw sysctls. Like

net.link.bridge.ipfw
net.link.bridge.allow_llz_overlap
net.link.bridge.pfil_local_phys
net.link.bridge.pfil_member
net.link.bridge.ipfw_arp
net.link.bridge.pfil_bridge
net.link.bridge.pfil_onlyip

Are any of these needed in my context?

I need to allow based on tap, not the bridge (I guess).
The bridge has the real interface (igb0) as a member as well. So I think that 
would preclude me from using the above sysctls.
Is this correct?



I assume that in your setup igb0 is the host interface as well as bridge 
member. That makes the setup a bit hard to reason about. IMHO you now have a 
virtual setup which you wouldn't be able to replace with physical hardware. To 
mimic a physical setup you could add another epair interface to act as the host 
interface and leave igb0 as a bridge member only.

igb0 ---+--- tap0 -- vmnet
        |
        +--- tap1 -- vmnet
        |
        +-- epair0a -- epair0b (this is where the host should listen on)

And instead of putting the host IP address on igb0 you should put this on 
epair0b.

By default the ipfw firewall will then see the IP traffic of epair0b, as all 
the other interfaces only pass ethernet traffic around.

Something like this in /etc/rc.conf should do the trick.

cloned_interfaces="bridge0 epair0 tap0 tap1"
ifconfig_bridge0="addm igb0 addm epair0a addm tap0 addm tap1"
ifconfig_igb0="up"
ifconfig_epair0a="up"
ifconfig_epair0b="SYNCDHCP" # or some other inet config

NB: this page
https://wiki.freebsd.org/SummerOfCodeIdeas#Implement_a_new_VLAN_filtering_software_bridge
also explains the problem of having members with configured IP addresses 
in bridges.

I might have misinterpreted your question. If so please provide more details of 
your setup.

Regards,
Ronald.
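As an added worked example (not from void's question or Ronald's reply), here is an ipfw rule script for the epair layout described above: the host's address lives on epair0b, igb0/tap0/tap1 are bridge members only, and the host wants port 22 reachable only from 10.0.0.0/24 while guest traffic on the taps is left to the guests' own pf. The HOST_IF and ADMIN_NET variable names, the rule numbers, and the use of the if_bridge(4) sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge to keep bridged frames away from the host filter are the example's own choices, not something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rule set for a bhyve host whose
# own IP address sits on epair0b, with igb0/tap0/tap1 as bridge members only.
# HOST_IF and ADMIN_NET are assumed names; override them in the environment.
HOST_IF="${HOST_IF:-epair0b}"
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"

# Rules the host applies to itself. Each line is an argument list for ipfw(8).
# "me" matches any address configured on the host; "in recv $HOST_IF" limits
# the match to packets arriving on the host-side leg of the epair.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow tcp from ${ADMIN_NET} to me 22 in recv ${HOST_IF}
add 210 deny log tcp from any to me 22 in recv ${HOST_IF}
add 300 allow ip from any to any
EOF
}

# if_bridge(4) knobs: with both set to 0 the bridge does not hand bridged
# frames (guest traffic on tap0/tap1) to the pfil hooks, so ipfw on the host
# never sees them and the guests' own pf policies are the only ones applied.
bridge_sysctls() {
    cat <<EOF
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=0
EOF
}

# Sanity check: the admin allow rule must carry a lower number than the deny,
# because ipfw stops at the first matching rule.
rules_ordered() {
    allow=$(ipfw_rules | awk '/allow tcp from .* to me 22/ {print $2}')
    deny=$(ipfw_rules | awk '/deny .*tcp from any to me 22/ {print $2}')
    [ -n "$allow" ] && [ -n "$deny" ] && [ "$allow" -lt "$deny" ]
}

# Load everything into the kernel; needs root on the bhyve host.
apply_rules() {
    rules_ordered || { echo "rule order broken" >&2; return 1; }
    bridge_sysctls | while IFS='=' read -r key val; do
        sysctl "${key}=${val}"
    done
    ipfw -q flush
    ipfw_rules | while read -r line; do
        ipfw -q $line   # unquoted on purpose: split into ipfw arguments
    done
}

# "apply" loads the rules; anything else is a dry run that prints them.
case "${1:-show}" in
    apply) apply_rules ;;
    *) bridge_sysctls; ipfw_rules ;;
esac
```

To make this persistent, save the script as /etc/ipfw.rules, set firewall_enable="YES" and firewall_script="/etc/ipfw.rules" in /etc/rc.conf, and put the two net.link.bridge lines in /etc/sysctl.conf so they are set once if_bridge is loaded. Run the script without arguments first to review the generated rules; the final "allow ip from any to any" is what keeps the host reachable, since ipfw's default last rule denies.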
