Re: ipfw firewalling for bhyve host, bypassing bhyve guests
- In reply to: Paul Vixie : "ipfw firewalling for bhyve host, bypassing bhyve guests"
Date: Sun, 15 Oct 2023 18:18:24 UTC
On Sun, Oct 15, 2023 at 10:46:57AM -0700, Paul Vixie wrote:
> You don't need L2 for this. The firewall pattern when your bare metal
> host has an address in the vlan you use for guests is:
>
> Allow the specific things you want the bare metal host to do;
>
> Deny all else involving the bare metal host;
>
> Allow all else involving the guest subnet.

Maybe that's what I'm doing wrong. I'm not using a vlan.

For firewalling on FreeBSD (guests), I've previously used pf. For firewalling the host, a firewall device has previously been put between the host and the internet. I'd like the host box to PPPoE directly. The guests use a mixture of public and private IPs.

The reason I'm asking about this is because I have found that with pf, if I have a rule blocking everything to the host but allowing ssh, everything gets blocked to host & guests combined, because with a bhyve guest the tap interfaces are bridged with the real hardware, and so, for lack of a better term, have more or less the same identity. But the MAC address will be different. That's why I was looking at layer2 and ipfw.

--
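As an added illustration of the host-first pattern quoted above (this is not code from either poster), here is that three-step ruleset written as an ipfw rules file: ipfw's `me` keyword matches only addresses configured on the host itself, so bridged guest traffic with its own IPs falls through to the final allow without any layer2 rules. It assumes a FreeBSD host with rc.conf set to `firewall_enable="YES"` and `firewall_type` pointing at the emitted file; the rule numbers and the choice of ssh and ping as the permitted host services are the example's own.

```shell
#!/bin/sh
# Added example: emits an ipfw rules file implementing
#   1. allow the specific things the host may do,
#   2. deny all else involving the host,
#   3. allow all else (the bridged bhyve guests).
# Rule numbers, and ssh/ping as the host's allowed services, are assumptions.
# IPv4 only: "me" matches host IPv4 addresses; "me6" is the IPv6 equivalent.

ipfw_rules() {
  cat <<'EOF'
# loopback
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# consult dynamic rules created by the keep-state rules below
add 200 check-state
# 1. specific things the bare-metal host itself may do
add 300 allow tcp from any to me 22 setup keep-state
add 310 allow icmp from any to me icmptypes 8
add 320 allow ip from me to any out keep-state
# 2. deny all else involving the host ("me" = addresses on this host only)
add 500 deny ip from any to me
add 510 deny ip from me to any
# 3. allow all else: bridged guest traffic never matched "me" above
add 900 allow ip from any to any
EOF
}

# number of "add" rules in the emitted file, a cheap sanity check after edits
rule_count() {
  ipfw_rules | grep -c '^add'
}

# "sh this-script.sh emit > /etc/ipfw.rules" writes the file;
# nothing is applied to the running firewall by this script itself.
case "${1:-}" in
  emit) ipfw_rules ;;
esac
```

Because the deny rules key on `me` rather than on the physical interface, guest packets crossing the bridge on the same NIC are untouched, which is the distinction the pf interface-based rule above did not make.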