pf and tap(4) interfaces
Oleksandr Kryvulia
shuriku at shurik.kiev.ua
Tue Oct 13 17:26:39 UTC 2020
On 13.10.20 19:07, tech-lists wrote:
> Hi,
>
> Is it possible to have a ruleset allowing unfiltered access to a tap
> interface, but filtered on the real interface it's bridged to?
>
> Let's say there are these:
>
> ext_if="ix0" # real external ip, on a /29
> int_if="igb0" # internal ip 10.0.0.2/8
> tap_if="tap0" # this services a vm on this machine, also with a real ip
>
> bridge0 has ix0 and tap0 as members
>
> tap0 needs unfiltered access. it has its own firewall.
> ix0 wants to block everything apart from ssh.
>
> This doesn't work (it blocks everything apart from ssh to the vm as
> well):
>
> [snip]
> block all
> pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
> pass in quick on $tap_if inet proto tcp from any to ($tap_if)
>
> thanks,
External traffic to your tap interface arrives through ix0. So you need
to change the third rule:
block all
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
pass in quick on $ext_if inet proto tcp from any to ($tap_if)
Also check net.link.bridge.pfil_member=1
As for me, I prefer to have all IPs and filter them on the bridge
interface, not on the members.
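As an added illustration of the alternative mentioned in the reply (filtering once on bridge0 instead of on the members), here is a minimal FreeBSD configuration for the thread's setup; it is not from either message. It assumes the host's external address is moved from ix0 onto bridge0, uses placeholder addresses for the /29, and leaves the internal interface igb0 out of scope.

```conf
# /etc/sysctl.conf -- inspect bridged packets on bridge0 only.
# pfil_member is the knob named in the reply; pfil_bridge is its
# counterpart for the bridge interface itself.
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_member=0

# /etc/rc.conf -- the host's address lives on the bridge, ix0 is a bare member.
# tap0 is created when the VM starts, so it is added to bridge0 at that point
# ("ifconfig bridge0 addm tap0"), not here.
cloned_interfaces="bridge0"
ifconfig_ix0="up"
ifconfig_bridge0="inet 192.0.2.10/29 addm ix0 up"   # placeholder address

# /etc/pf.conf
ext_if  = "ix0"
tap_if  = "tap0"
br_if   = "bridge0"
host_ip = "192.0.2.10"   # placeholder: this host, on bridge0
vm_ip   = "192.0.2.11"   # placeholder: the VM behind tap0

# Members carry no policy of their own; every decision is made on bridge0.
set skip on { $ext_if $tap_if }

block all

# Host: only ssh may come in; the host may talk out (pass rules keep state).
pass in  quick on $br_if inet proto tcp from any to $host_ip port 22
pass out quick on $br_if inet from $host_ip to any

# VM: unfiltered in both directions; it runs its own firewall.
# Forwarded packets are seen in and out on bridge0, so no direction is given.
pass quick on $br_if inet from any to $vm_ip
pass quick on $br_if inet from $vm_ip to any
```

Check with `pfctl -nf /etc/pf.conf` before loading, and confirm with `sysctl net.link.bridge` that the two pfil values took effect.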