Packet filtering on tap interfaces

mal content artifact.one at googlemail.com
Sat Aug 12 16:36:38 UTC 2006


Hello, this is a simplified re-phrasing of a question posted to
questions at . It didn't get any answers over there because I
think people took one look at it and switched off. A cut-down
version follows...

How does one do packet filtering on tap interfaces? I'm using
qemu and I'm going to be loading some untrusted OS images
so I'd like complete filtering of packets to and from the qemu
process.

I was given a partial solution by somebody before, but I couldn't
get it to work.

I'm currently:

1. Using bridge.sh[1] to bridge between tap0 and my real fxp0
interface.

2. Trying to log or filter packets on tap0.

My current pf.conf looks like this:

nic0 = "fxp0"             # macros defined but not referenced by the rules below
host_ip = "192.168.2.5"
pass in log all           # pf's "all" is shorthand for "from any to any"
pass out log all

Which should surely filter everything. However, I can use the
network on the guest OS (going through tap0) without ever
triggering the pf logging. Why is this happening? Even when
explicitly specifying:

pass in log on tap0 all   # "on <if>" must precede "all"; "... all on tap0" is rejected by pfctl
pass out log on tap0 all

I still don't see any logs.

Can tap interfaces reliably be filtered?

MC

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/netgraph/ether.bridge
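Added example (editor's, not the original poster's and not the ether.bridge script's): the netgraph bridge set up by bridge.sh forwards Ethernet frames between the lower hooks of the two ng_ether nodes, so a frame qemu writes to /dev/tap0 is diverted to tap0's lower hook, handed to ng_bridge and sent out fxp0 without ever passing through ip_input/ip_output, which is where pf's pfil(9) hooks live. That is why rules on tap0 (or fxp0) never match guest traffic. The script below bridges the same two interfaces with if_bridge(4) instead, whose net.link.bridge.pfil_member sysctl runs pf on each member interface, and loads a pf ruleset that logs and restricts the guest. The interface names fxp0/tap0/bridge0, the DHCP/DNS/HTTP-only policy and the pflog0 tcpdump are the example's own assumptions; RUN=echo (the default) only prints the privileged commands.

```sh
#!/bin/sh
# Added example (not from the post or from the netgraph ether.bridge script):
# bridge the qemu tap with if_bridge(4) so that pf's pfil(9) hooks run on the
# member interfaces, then load a pf ruleset that logs and filters tap0.
# Assumed names: fxp0 (NIC), tap0 (qemu tap), bridge0; override via env vars.
# RUN=echo makes every privileged command a dry run; set RUN= to execute as root.

NIC=${NIC:-fxp0}
TAP=${TAP:-tap0}
BRIDGE=${BRIDGE:-bridge0}
RUN=${RUN:-echo}

# Print a pf.conf for the tap member. pf grammar puts "on <if>" before "all":
# "pass in log all on tap0" does not parse, "pass in log on tap0 all" does.
# pf is last-match-wins, so the broad block rule comes first and the narrower
# pass rules after it. "in on tap0" is the guest-originated direction: qemu
# writes to /dev/tap0 and the kernel receives those frames on tap0.
pf_rules() {
    cat <<EOF
tap = "$TAP"
# default: log and drop everything the guest sends
block in log on \$tap all
# guest may talk DHCP, DNS and outbound HTTP/HTTPS; "keep state" lets the
# rest of each conversation through without matching a rule again
pass in log on \$tap proto udp from any port 68 to any port 67
pass in log on \$tap proto udp from any to any port 53 keep state
pass in log on \$tap proto tcp from any to any port { 80 443 } keep state
# traffic towards the guest (replies from the wire) is logged but allowed
pass out log on \$tap all
EOF
}

# Build the bridge and make pf filter on the member interfaces rather than
# on bridge0 itself (filtering on both would evaluate every packet twice).
bridge_setup() {
    kldstat -q -m if_bridge 2>/dev/null || $RUN kldload if_bridge
    $RUN ifconfig "$BRIDGE" create
    $RUN ifconfig "$BRIDGE" addm "$NIC" addm "$TAP" up
    $RUN sysctl net.link.bridge.pfil_member=1   # run pf on tap0 and fxp0
    $RUN sysctl net.link.bridge.pfil_bridge=0   # do not run it again on bridge0
}

# Load the ruleset, enable pf and watch the log interface.
load_and_watch() {
    conf=$(mktemp) || return 1
    pf_rules > "$conf"
    $RUN pfctl -f "$conf"
    $RUN pfctl -e
    $RUN tcpdump -n -e -ttt -i pflog0
}

main() {
    bridge_setup
    load_and_watch
}

main
```

Two caveats a practitioner should keep in mind: pf only filters IP, so ARP and other non-IP frames from the guest are passed through untouched by the bridge (net.link.bridge.pfil_onlyip=1 is the default); if the untrusted guest must be confined at layer 2 as well, ipfw's layer-2 hooks (net.link.bridge.ipfw) are the tool for that, not pf. And the pass rules above rely on pf's default floating states, so a state created on "in on tap0" also matches the same flow when it leaves on fxp0 and when the reply comes back.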
