From: void <void@f-m.fm>
To: freebsd-net@freebsd.org
Date: Sun, 15 Oct 2023 19:18:24 +0100
Subject: Re: ipfw firewalling for bhyve host, bypassing bhyve guests
In-Reply-To: <4a9fd232-e6be-432c-96c1-2ffb80ec09b8@redbarn.org>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On Sun, Oct 15, 2023 at 10:46:57AM -0700, Paul Vixie wrote:
>You don't need L2 for this. The firewall pattern when your bare metal
>host has an address in the vlan you use for guests is:
>
>Allow the specific things you want the bare metal host to do;
>
>Deny all else involving the bare metal host;
>
>Allow all else involving the guest subnet.

Maybe that's what I'm doing wrong. I'm not using a vlan.

For firewalling on FreeBSD (guests), I've previously used pf. For firewalling the host, a firewall device has previously been put between the host and the internet. I'd like the host box to PPPoE directly. The guests use a mixture of public and private IPs.

The reason I'm asking about this is because I have found that with pf, if I have a rule blocking everything to the host but allowing ssh, everything gets blocked to host & guests combined, because with a bhyve guest the tap interfaces are bridged with the real hardware and so, for lack of a better term, have more or less the same identity.
But the MAC address will be different. That's why I was looking at layer 2 and ipfw.

--
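The three-step pattern Paul Vixie describes above, written out as an ipfw(8) ruleset. This is an added example, not part of the thread and not anyone's production configuration: the guest subnet, private range, admin network and the host address are constructed placeholders (the host's own address is assumed to sit inside the guest subnet on the same bridge, the case where rule order actually matters), and the sysctl and ipfw invocations assume a FreeBSD host with ipfw loaded. The ruleset is generated as text first so it can be reviewed, and checked for ordering, on a machine that is not running ipfw at all.

```shell
#!/bin/sh
# Added example, not from the thread: Paul Vixie's three-step pattern as an
# ipfw(8) ruleset for a bhyve host whose own address lives on the guest bridge.
# All addresses and names below are constructed placeholders.

GUEST_NET="203.0.113.0/26"      # guest subnet on the bridge (assumed);
                                # the host's own address, e.g. 203.0.113.10,
                                # is assumed to sit INSIDE this range
GUEST_PRIV="10.66.0.0/24"       # guests with private addresses (assumed)
ADMIN_NET="198.51.100.0/24"     # where ssh to the host may come from (assumed)

# Emit the ruleset as ipfw(8) command lines.
# 'me' matches only addresses configured on the host's own interfaces, so a
# frame for a guest that crosses the same bridge never matches it: host and
# guests are told apart at layer 3, with no MAC matching needed.
gen_rules() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from ${ADMIN_NET} to me 22 in setup keep-state
add 310 allow udp from me to any 53 out keep-state
add 320 allow tcp from me to any 80,443 out setup keep-state
add 330 allow icmp from any to me in icmptypes 8
add 331 allow icmp from me to any out
add 400 deny log ip from any to me
add 410 deny log ip from me to any
add 500 allow ip from any to ${GUEST_NET}
add 510 allow ip from ${GUEST_NET} to any
add 520 allow ip from any to ${GUEST_PRIV}
add 530 allow ip from ${GUEST_PRIV} to any
add 65000 deny log ip from any to any
EOF
}

# Rule number of the first generated "add" rule whose text contains $1
# (empty if none).
rule_num() {
    gen_rules | awk -v pat="$1" '$1 == "add" && index($0, pat) { print $2; exit }'
}

# ipfw is first-match.  Because the host's address lies inside GUEST_NET, the
# host-allow rules (step 1) must precede the host-deny rules (step 2), and
# those must precede the guest-allow rules (step 3); otherwise
# "allow ... to ${GUEST_NET}" would also admit everything to the host and the
# deny would never be reached.  Returns 0 when the order holds.
check_order() {
    host_allow=$(rule_num "to me 22")
    host_deny=$(rule_num "deny log ip from any to me")
    guest_allow=$(rule_num "allow ip from any to ${GUEST_NET}")
    [ -n "$host_allow" ] && [ -n "$host_deny" ] && [ -n "$guest_allow" ] &&
        [ "$host_allow" -lt "$host_deny" ] && [ "$host_deny" -lt "$guest_allow" ]
}

# Load the rules.  Bridged guest frames only reach ipfw when if_bridge(4)
# hands them to the packet filter; both sysctls default to 1 but are set
# explicitly because the whole design depends on them.
apply_rules() {
    check_order || { echo "rule order is wrong, refusing to load" >&2; return 1; }
    if ! command -v ipfw >/dev/null 2>&1; then
        echo "ipfw not available on this system; rules not loaded" >&2
        return 1
    fi
    sysctl net.link.bridge.pfil_member=1 net.link.bridge.pfil_bridge=1 >/dev/null
    gen_rules | ipfw -q -f /dev/stdin
}

# Run directly: print the ruleset for review; APPLY=yes loads it.
if [ "${APPLY:-no}" = "yes" ]; then apply_rules; else gen_rules; fi
```

Run without arguments the script only prints the ruleset; `APPLY=yes sh rules.sh` loads it after the ordering check passes. Nothing here touches net.link.ether.ipfw, the layer-2 hook the original poster was considering: once the host is addressed only by `me` and the guests only by their subnets, the shared bridge no longer makes host and guests look alike to the firewall, which is the point of the quoted advice. Guests with private addresses still need a NAT rule if they are to reach the outside; that is outside what the thread discusses and is deliberately left out.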