From: Tomek CEDRO
Date: Sun, 16 Apr 2023 01:20:22 +0200
Subject: bhyve and firewall / bridge filtering
To: freebsd-doc@freebsd.org, FreeBSD Questions Mailing List
List-Archive: https://lists.freebsd.org/archives/freebsd-doc

Hello world :-)

I think that the Handbook could be updated with small but important information on how to best unfilter networking on a bhyve host where a firewall is in place. This is not that obvious at first, and the simplest idea to test is to disable the host firewall. That helps but also leaves the host machine vulnerable.

I have found a solution on the FreeBSD Forums [1] and proposed a "vm" man page update [2]. If anyone experienced could verify if this is the best solution, please let me know; this could also be added to the Handbook :-)

Thanks :-)
Tomek

===

If a host that runs a virtual machine has an active firewall, then bridge filtering needs to be disabled by adding the following lines to loader.conf(5) or sysctl.conf(5):

net.link.bridge.ipfw=0
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=0

You can also disable bridge packet filtering at runtime with sysctl(8):

# sysctl net.link.bridge.ipfw=0
# sysctl net.link.bridge.pfil_bridge=0
# sysctl net.link.bridge.pfil_member=0

===

[1] https://forums.freebsd.org/threads/bhyve-and-firewall-on-host.75089/
[2] https://github.com/churchers/vm-bhyve/pull/510

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
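An added check, not part of Tomek's mail or of the vm-bhyve project: a POSIX sh function that reads sysctl(8) output and reports whether the three bridge-filtering knobs the mail lists are actually off, flagging a key that is absent because if_bridge is not loaded yet (the reason a sysctl.conf entry alone can silently do nothing at boot). The "key: value" line format is what FreeBSD's sysctl prints; the sample output below is constructed so the check runs on any host. Note what the setting buys and costs: with these at 0, bridged VM traffic no longer passes through the host's pf/ipfw on the bridge or its member interfaces, so the host firewall keeps protecting the host itself but not the guests.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the three bridge
# filtering sysctls that the mail proposes setting to 0 on a bhyve host.
# Assumes sysctl(8) output in FreeBSD's "key: value" form.

BRIDGE_KEYS="net.link.bridge.ipfw net.link.bridge.pfil_bridge net.link.bridge.pfil_member"

# bridge_filter_status: read sysctl lines on stdin and print one line per
# key: "off" when it is 0, "ON" when bridge traffic still hits the host
# firewall, "MISSING" when the key is absent (if_bridge not loaded, so a
# sysctl.conf entry cannot apply yet; loader.conf is the safe place).
# Returns 0 only when all three keys are present and set to 0.
bridge_filter_status() {
    input=$(cat)
    rc=0
    for key in $BRIDGE_KEYS; do
        value=$(printf '%s\n' "$input" | sed -n "s/^$key: *//p")
        if [ -z "$value" ]; then
            echo "MISSING $key (if_bridge not loaded? set it in loader.conf)"
            rc=1
        elif [ "$value" != "0" ]; then
            echo "ON      $key=$value"
            rc=1
        else
            echo "off     $key"
        fi
    done
    return $rc
}

# Constructed sample: a host where only the ipfw knob was turned off so far.
SAMPLE='net.link.bridge.ipfw: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_onlyip: 0'

printf '%s\n' "$SAMPLE" | bridge_filter_status \
    || echo "bridge filtering still active on this host"
```

On a real host, feed it live data with `sysctl net.link.bridge | bridge_filter_status`.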