From: void
To: freebsd-net@freebsd.org
Date: Sun, 15 Oct 2023 15:13:59 +0100
Subject: ipfw firewalling for bhyve host, bypassing bhyve guests
List-Archive: https://lists.freebsd.org/archives/freebsd-net

Hello,

My objective is to protect services on a bhyve host, while allowing traffic to the bhyve guests to pass to them unprocessed, as these each have pf and their own firewall policies. The host is running an up-to-date 13-stable.

I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes layer 3, so that is why I want to use ipfw on the bhyve host.

So we have bridge0 with igb0, tap0 and tap1 as members. In this example, igb0 has a MAC address of 11:11:11:11:11:11, tap0 has 22:22:22:22:22:22 and tap1 has 33:33:33:33:33:33.

How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply no more rules to frames matching those MACs?

Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from 10.0.0.0/24, with 22:22:22:22:22:22 passing unhindered, unprocessed. Possible?

--