Re: ipfw firewalling for bhyve host, bypassing bhyve guests

From: void <void_at_f-m.fm>
Date: Sun, 15 Oct 2023 18:18:24 UTC
On Sun, Oct 15, 2023 at 10:46:57AM -0700, Paul Vixie wrote:
>You don't need L2 for this. The firewall pattern when your bare metal 
>host has an address in the vlan you use for guests is:
>
>Allow the specific things you want the bare metal host to do;
>
>Deny all else involving the bare metal host;
>
>Allow all else involving the guest subnet.

Maybe that's what I'm doing wrong. I'm not using a vlan.

For firewalling on FreeBSD (guests), I've previously used pf.

For firewalling the host, a firewall device has previously
been put between the host and the internet. I'd like the
host box to pppoe directly.

The guests use a mixture of public and private IPs.

The reason I'm asking about this is because I have found that with pf,
if I have a rule blocking everything to the host but allowing ssh,
everything gets blocked to host & guests combined because with a bhyve guest
the tap interfaces are bridged with the real hardware, and so, for lack
of a better term, have more or less the same identity.

But the MAC address will be different. That's why I was looking at layer2
and ipfw.

--
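As an added illustration of the pattern Paul Vixie describes (this is example code written for this page, not part of the thread or of FreeBSD's own configuration), here is an ipfw(8) ruleset generator that keys every host rule on the host's addresses via the `me` keyword rather than on an interface, so the tap/bridge plumbing that made the pf ruleset swallow guest traffic plays no part. The guest subnets (`203.0.113.0/24`, `10.66.0.0/24`) and the management network allowed to ssh in (`198.51.100.0/24`) are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an ipfw ruleset in the
# three-step order from the reply above:
#   1. allow the specific things the bare-metal host may do,
#   2. deny everything else involving the bare-metal host,
#   3. allow everything else involving the guest subnets.
# "me" matches only addresses configured on the host's own interfaces
# (its bridge address, its PPPoE address); tap interfaces carry no
# address, so guest traffic never matches a "me" rule.
set -eu

GUEST_NETS="203.0.113.0/24 10.66.0.0/24"   # constructed: one public, one private guest range
MGMT_NET="198.51.100.0/24"                 # constructed: source network allowed to ssh to the host

# Print the ruleset in the file syntax ipfw(8) reads ("add N action ..." lines).
gen_rules() {
    cat <<'EOF'
flush
add 100 allow ip from any to any via lo0
add 200 check-state
EOF
    # 1. Specific things the host itself is allowed to do.
    echo "add 300 allow tcp from $MGMT_NET to me dst-port 22 setup keep-state"
    echo "add 310 allow icmp from any to me icmptypes 8"
    echo "add 320 allow ip from me to any keep-state"
    # 2. Everything else to or from the host is denied, before the guest rules.
    echo "add 500 deny ip from any to me"
    echo "add 510 deny ip from me to any"
    # 3. Everything else involving the guest subnets is allowed; the bridge
    #    forwards it between the tap interfaces and the real NIC.
    n=600
    for net in $GUEST_NETS; do
        echo "add $n allow ip from any to $net"
        n=$((n + 10))
        echo "add $n allow ip from $net to any"
        n=$((n + 10))
    done
    # Anything that reached this point involves neither host nor guests.
    echo "add 65000 deny ip from any to any"
}

# Usage: ./hostfw.sh        -> print the ruleset for review
#        ./hostfw.sh apply  -> load it with ipfw (needs root on the bhyve host)
case "${1:-}" in
    apply)
        tmp=$(mktemp)
        gen_rules > "$tmp"
        ipfw -q "$tmp"      # ipfw reads rule commands from the given file
        rm -f "$tmp" ;;
    *)
        gen_rules ;;
esac
```

Because the host rules match on address, the deny at 500/510 cannot catch packets that are merely bridged through the host on their way to a guest, which is exactly what the interface-keyed pf rule did. The guest rules are plain layer-3 rules, so no `layer2` matching or `net.link.bridge.ipfw` sysctl is needed, in line with the "you don't need L2" remark; whether the guest rules are evaluated on the member interfaces or on the bridge interface is governed by the `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` sysctls described in if_bridge(4), so check those match your expectation before relying on the ruleset.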