Hi,

Is it possible to have a ruleset allowing unfiltered access to a tap interface, but filtered on the real interface it's bridged to?

Let's say there are these:

    ext_if="ix0"   # real external ip, on a /29
    int_if="igb0"  # internal ip 10.0.0.2/8
    tap_if="tap0"  # this services a vm on this machine, also with a real ip

bridge0 has ix0 and tap0 as members.

tap0 needs unfiltered access. It has its own firewall.
ix0 wants to block everything apart from ssh.

This doesn't work (it blocks everything apart from ssh to the vm as well):

    [snip]
    block all
    pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
    pass in quick on $tap_if inet proto tcp from any to ($tap_if)

thanks,
-- 
J.
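As an added illustration, not part of J.'s message and not a confirmed answer from the list: on FreeBSD if_bridge with the default sysctl net.link.bridge.pfil_member=1, pf evaluates packets on each member interface, so a packet for the VM is seen "in" on ix0 before it is bridged "out" on tap0, and the ix0 rules have to pass it by destination address rather than relying on the tap0 rule. $vm_ip is an assumed placeholder for the VM's real address.

```pf
# Added example, not from the original post. Assumes FreeBSD if_bridge with
# net.link.bridge.pfil_member=1 (the default), i.e. pf filters on the bridge
# members ix0 and tap0, not on bridge0 itself.
ext_if = "ix0"         # real external ip, on a /29
int_if = "igb0"        # internal ip 10.0.0.2/8
tap_if = "tap0"        # VM's tap, member of bridge0 together with ix0
vm_ip  = "192.0.2.10"  # placeholder (documentation range); use the VM's address

set skip on lo0
block all

# The host itself: only ssh to ix0's own address (stateful, so replies pass).
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22

# The VM's traffic crosses both members: in on ix0 and out on tap0, and the
# reverse for its outbound packets. Pass it on both, by the VM's address only,
# and without state so this host's pf does not second-guess the VM's firewall.
pass in  quick on $ext_if from any to $vm_ip no state
pass out quick on $ext_if from $vm_ip to any no state
pass in  quick on $tap_if from $vm_ip to any no state
pass out quick on $tap_if from any to $vm_ip no state
```

The alternative is net.link.bridge.pfil_member=0 with net.link.bridge.pfil_bridge=1, which moves filtering to bridge0 so the four member rules become rules "on bridge0" and ix0-specific rules no longer see the VM's packets at all.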