Hi,

On Sun, Oct 31, 2021 at 04:23:58PM +0100, Sebastian Benoit wrote:

> Maybe you could describe a bit more what you are trying to do.

I'm trying to protect, with pf, a freebsd host running bhyve guests. The
guests use tap interfaces. They are in the same network as the host (but
with different IPs) and the IPs are routable. They're all web servers, accessible from the internet.

So for example I'd like to block all on the host and just allow port 22. I don't want pf to process the tap interfaces at all, as all of the
guests run their own firewalls.

So far on freebsd with their pf, I've been unable to do this. I was wondering if the pf on openbsd can, as it has evolved significantly from when it was incorporated into FreeBSD. A way around my problem may be to have openbsd as a guest in a bhyve instance, as pci passthru is now available in that circumstance.
But first I need to find whether it is possible to allow traffic on say
tap0 but block all traffic apart from ssh on igb0 (for example).

I understand that bridge and tap are "special" interfaces, in that they are not simply clones. And yet they are like clones, in that rules affecting the hardware interface also seem to affect the tap interface,
from what I've so far seen.

All I'm really asking at this stage is "is this possible". I'm asking
that because I've looked in the pf section of the manual and have not
found an example (yet) close enough to my enquiry. I think here it'd be better to ask firstly in an entirely OpenBSD 7.0 context. Like, OpenBSD has vmm now, its equivalent to bhyve. If you
wanted to allow port 22 to the host *only* but allow all traffic to the
guest, on another IP, can it be done in OpenBSD 7.0 pf on the host?

--
J.
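A pf.conf sketch of the host policy the post asks about (host answers only ssh, guest traffic untouched), added here as an example and not taken from the thread; the interface names igb0/tap0/tap1, the 192.0.2.0/24 addresses and the assumption that the taps are bridged to igb0 are all constructed.

```pf
# Assumed layout (not from the thread): igb0 is the host's external
# interface, tap0/tap1 belong to the guests and are bridged to igb0.
ext_if    = "igb0"
guest_ifs = "{ tap0 tap1 }"
host_ip   = "192.0.2.10"
guests    = "{ 192.0.2.11 192.0.2.12 }"

# No filtering at all on the tap side: the guests run their own firewalls.
set skip on $guest_ifs
set skip on lo0

# Default deny on every interface pf still sees, which is now only igb0.
block log all

# Bridged packets are still filtered on each member interface, so guest
# traffic crosses igb0 before reaching a tap and must be let through by
# address here.  "quick" and "no state" keep the host from tracking
# guest flows; the guests' own firewalls do that.
pass quick on $ext_if from $guests no state
pass quick on $ext_if to $guests no state

# The host itself only accepts ssh; everything the host sends out is fine.
pass in on $ext_if inet proto tcp to $host_ip port 22
pass out on $ext_if inet from $host_ip
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`.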
