Packet filtering on tap interfaces
Max Laier
max at love2party.net
Sat Aug 12 17:35:37 UTC 2006
On Saturday 12 August 2006 18:36, mal content wrote:
> Hello, this is a simplified re-phrasing of a question posted to
> questions at . It didn't get any answers over there because I
> think people took one look at it and switched off. A cut down
> version follows...
>
> How does one do packet filtering on tap interfaces? I'm using
> qemu and I'm going to be loading some untrusted OS images
> so I'd like complete filtering of packets to and from the qemu
> process.
>
> I was given a partial solution by somebody before, but I couldn't
> get it to work.
>
> I'm currently:
>
> 1. Using bridge.sh[1] to bridge between tap0 and my real fxp0
> interface.
>
> 2. Trying to log or filter packets on tap0.
>
> My current pf.conf looks like this:
>
> nic0 = "fxp0"
> host_ip = "192.168.2.5"
> pass in log all
> pass out log all
>
> Which should surely filter everything. However, I can use the
> network on the guest OS (going through tap0) without ever
> triggering the pf logging. Why is this happening? Even when
> explicitly specifying:
>
> pass in log all on tap0
> pass out log all on tap0
>
> I still don't see any logs.
>
> Can tap interfaces reliably be filtered?
This is because the packets never make it to the IP-Layer (where our
packet filters normally hook into). You can try to use if_bridge(4) to
bridge tap0 and fxp0. if_bridge(4) offers extensive means of packet
filtering described in the man page in great detail.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
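As an added example (not part of either message in this thread), the following sh script does what the reply suggests: it bridges tap0 and fxp0 with if_bridge(4), sets the bridge's pfil sysctls so pf hooks the member interfaces rather than the IP layer the guest traffic never reaches, and loads a default-deny ruleset written "on tap0". The interface names come from the question; the guest network 192.168.2.0/24, the bridge name and the allowed services are assumptions. It is meant to run as root on FreeBSD.

```shell
#!/bin/sh
# Added example, not code from the thread. Bridge qemu's tap0 to fxp0 and
# make pf filter the bridge members so "on tap0" rules actually see frames.
# Assumed values: bridge0, the guest range, and the services allowed out.

BRIDGE=bridge0
OUTER=fxp0                   # physical NIC from the question
TAP=tap0                     # qemu's tap interface from the question
GUEST_NET="192.168.2.0/24"   # constructed/assumed guest address range

# Emit a pf ruleset for the guest: deny everything crossing tap0 by
# default, then allow only DNS and web from the guest, logging all of it
# so hits appear on pflog0. Note "on tap0" precedes "all" in pf grammar.
pf_rules() {
    cat <<EOF
tap = "$TAP"
guest_net = "$GUEST_NET"
# default: drop and log anything crossing the tap member
block log on \$tap all
# guest may resolve names and reach web servers; replies ride on state
pass in log on \$tap proto udp from \$guest_net to any port 53 keep state
pass in log on \$tap proto tcp from \$guest_net to any port { 80, 443 } keep state
EOF
}

# Create the bridge and tell if_bridge(4) to run pfil on the members
# (tap0/fxp0) instead of on bridge0, so each frame is filtered once and
# rules written "on tap0" match. Only IP is filtered by default
# (net.link.bridge.pfil_onlyip=1), so ARP still crosses unfiltered.
bridge_setup() {
    sysctl net.link.bridge.pfil_member=1
    sysctl net.link.bridge.pfil_bridge=0
    ifconfig "$BRIDGE" >/dev/null 2>&1 || ifconfig "$BRIDGE" create
    ifconfig "$BRIDGE" addm "$OUTER" addm "$TAP" up
}

# Syntax-check the ruleset with pfctl -n before loading it, then show
# what is active so a typo cannot silently leave the guest unfiltered.
load_rules() {
    tmp=$(mktemp -t pf) || return 1
    pf_rules > "$tmp"
    pfctl -nf "$tmp" && pfctl -f "$tmp"
    rc=$?
    rm -f "$tmp"
    pfctl -e 2>/dev/null || true
    pfctl -sr
    return $rc
}

case "${1:-}" in
    apply) bridge_setup && load_rules ;;
    show)  pf_rules ;;
esac
```

Run `sh bridge-pf.sh show` to print the ruleset and `sh bridge-pf.sh apply` to set up the bridge and load it; afterwards `tcpdump -n -e -ttt -i pflog0` should show the guest's packets being logged, which is the check the original poster was missing. Setting pfil_bridge=0 while keeping pfil_member=1 avoids filtering the same frame twice (once on the member, once on bridge0), which otherwise complicates stateful rules.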