On 13.10.20 19:07, tech-lists wrote:
> Hi,
>
> Is it possible to have a ruleset allowing unfiltered access to a tap
> interface, but filtered on the real interface it's bridged to?
>
> Let's say there are these:
>
> ext_if="ix0"   # real external ip, on a /29
> int_if="igb0"  # internal ip 10.0.0.2/8
> tap_if="tap0"  # this services a vm on this machine, also with a real ip
>
> bridge0 has ix0 and tap0 as members
>
> tap0 needs unfiltered access. It has its own firewall.
> ix0 wants to block everything apart from ssh.
>
> This doesn't work (it blocks everything apart from ssh to the vm as
> well):
>
> [snip]
> block all
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> pass in quick on $tap_if inet proto tcp from any to ($tap_if)
>
> thanks,
External traffic to your tap interface arrives through ix0. So you need to change the third rule:

block all
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
pass in quick on $ext_if inet proto tcp from any to ($tap_if)

Also check net.link.bridge.pfil_member=1

As for me, I prefer to have all IPs and filter them on the bridge interface and not on the members.
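For reference, here is a complete pf.conf for the setup described in this thread, written as an added example (it is not the ruleset of either poster). It follows the reply's approach of filtering on the bridge members, with the sysctl settings that make pf see the packets on ix0 and tap0 rather than on bridge0. The interface names come from the thread; the VM address is a placeholder from the RFC 5737 documentation range, and the "vm_ip" macro is an assumption introduced here.

```pf
# Added example, not from the thread. Filters on the bridge members, as the
# reply suggests. Put these in /etc/sysctl.conf (pf then sees frames on
# ix0/tap0 instead of on bridge0):
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0

ext_if = "ix0"    # host's real external IP lives here
int_if = "igb0"   # internal network
tap_if = "tap0"   # VM's tap, bridged with ix0; the VM runs its own firewall
vm_ip  = "192.0.2.10"   # placeholder for the VM's public address (assumption)

set skip on lo0
block log all

# The host itself accepts ssh only.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22

# Traffic for the VM also enters pf on ix0 (the member), not on tap0, so the
# pass rule has to match on $ext_if with the VM's address as destination.
# Leaving out "proto tcp ... port" hands all filtering to the VM's firewall.
# With the default floating state policy the state created here also lets
# the same packet leave on tap0, so no separate "pass out on $tap_if" is
# needed for forwarded traffic.
pass in quick on $ext_if from any to $vm_ip

# Connections the VM opens enter pf inbound on tap0 and would otherwise be
# caught by "block all".
pass in quick on $tap_if from $vm_ip to any

# Let the host itself talk out freely, on both interfaces.
pass out on $ext_if from ($ext_if) to any
pass on $int_if

# Alternative the reply prefers: set net.link.bridge.pfil_member=0 and
# net.link.bridge.pfil_bridge=1, then write the rules above against
# "bridge0" instead of $ext_if / $tap_if.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; a rule written against the wrong interface (tap0 instead of ix0 here) parses fine but simply never matches, which is exactly the symptom the original post describes.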