Packet filtering on tap interfaces
artifact.one at googlemail.com
Sat Aug 12 16:36:38 UTC 2006
Hello, this is a simplified re-phrasing of a question posted to
questions at . It didn't get any answers over there because I
think people took one look at it and switched off. A cut down
How does one do packet filtering on tap interfaces? I'm using
qemu and I'm going to be loading some untrusted OS images
so I'd like complete filtering of packets to and from the qemu
I was given a partial solution by somebody before, but I couldn't
get it to work.
1. Using bridge.sh to bridge between tap0 and my real fxp0
2. Trying to log or filter packets on tap0.
My current pf.conf looks like this:
nic0 = "fxp0"
host_ip = "192.168.2.5"
pass in log all
pass out log all
Which should surely filter everything. However, I can use the
network on the guest OS (going through tap0) without ever
triggering the pf logging. Why is this happening? Even with
# pf grammar puts "on <interface>" before the host spec ("all")
pass in log on tap0 all
pass out log on tap0 all
I still don't see any logs.
Can tap interfaces reliably be filtered?
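A default-deny ruleset for the setup described above, as an added example that is not part of the original post. It assumes the guest is attached through if_bridge(4) with net.link.bridge.pfil_member left at its default of 1, so pf is run on member interfaces such as tap0; guest_ip is an assumed address for the guest.

```pf
# Added example, not from the original post. Interface names follow the
# post; the guest address is an assumption.
ext_if   = "fxp0"
vm_if    = "tap0"
host_ip  = "192.168.2.5"
guest_ip = "192.168.2.50"      # assumed address of the untrusted guest

# Log and drop everything crossing tap0 unless a later rule passes it
# (pf evaluates rules in order; the last matching rule wins).
block log on $vm_if all

# The guest may only initiate DNS and HTTP/HTTPS, and only from its own
# address, so anything it spoofs falls through to the block above.
pass in log on $vm_if proto udp from $guest_ip to any port 53 keep state
pass in log on $vm_if proto tcp from $guest_ip to any port { 80, 443 } \
    flags S/SA keep state

# Nothing from the real LAN may initiate a connection to the guest;
# replies to the guest's own connections match the state entries above.
block in quick log on $ext_if from any to $guest_ip
```

Load it with pfctl -f /etc/pf.conf, confirm the rules are in place with pfctl -sr, and watch the logged packets with tcpdump -n -e -ttt -i pflog0.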