ipfw layer2+3 firewalling question
Date: Sun, 23 Mar 2025 14:07:53 UTC
Hi,

(originally posted on the forums)

My objective is to protect services on a bhyve host, while allowing traffic to the bhyve guests to pass to and from them unprocessed, as these each have pf and their own firewall policies. The host is running recent -current.

I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes layer 3, and to filter on bridge or tap requires layer 2, so that is why I want to use ipfw on the bhyve host.

So we have bridge0 with igb0, tap0 and tap1 as members. In this example:

igb0 has a MAC address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33

How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply no more rules to frames matching those MACs?

Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from 10.0.0.0/24, and define that rule with the regular layer 3 syntax, and then want 22:22:22:22:22:22 passing unhindered, unprocessed. Possible?

Looking for a worked example but can't seem to find one. Could it be like

"$cmd add allow all from any to any via tap0"

or

"$cmd add allow all from any to any via 22:22:22:22:22:22"

or something else?

There are a number of ipfw sysctls, like:

net.link.bridge.ipfw
net.link.bridge.allow_llz_overlap
net.link.bridge.pfil_local_phys
net.link.bridge.pfil_member
net.link.bridge.ipfw_arp
net.link.bridge.pfil_bridge
net.link.bridge.pfil_onlyip

Are any of these needed in my context? I need to allow based on tap, not the bridge (I guess). The bridge has the real interface (igb0) as a member as well. So I think that would preclude me from using the above sysctls. Is this correct?
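One way to express the policy asked about above, as an added example that is not from the post, any reply, or FreeBSD's own documentation: a sh script using the constructed MAC addresses and the 10.0.0.0/24 admin network from the question. It assumes, from my reading of ipfw(8) and if_bridge(4) and to be confirmed with `ipfw -a list` counters on -current, that both net.link.ether.ipfw and net.link.bridge.ipfw must be 1 for bridged frames to reach ipfw at layer 2, that ipfw's MAC option takes destination before source, and that a matching terminal allow is what makes the guest frames skip all later rules.

```shell
#!/bin/sh
# Added example, not from the original post or any FreeBSD source: a candidate
# ipfw ruleset for a bhyve host where bridge0 = igb0 (host uplink, constructed
# MAC 11:11:11:11:11:11) + tap0/tap1 (guest NICs, constructed MACs below).
# Assumptions: guests run their own pf, so their frames should leave ipfw at
# the first matching rule; the host's admin network is 10.0.0.0/24.
# IPFW/SYSCTL can be overridden with "echo ..." to preview instead of apply.

IPFW=${IPFW:-"ipfw -q"}
SYSCTL=${SYSCTL:-"sysctl"}

bhyve_host_ruleset() {
    # Hand layer-2 frames to ipfw: the host stack's ether_demux()/
    # ether_output_frame() path and bridge0's member-to-member forwarding.
    # (My reading of ipfw(8)/if_bridge(4); confirm on -current with counters.)
    $SYSCTL net.link.ether.ipfw=1
    $SYSCTL net.link.bridge.ipfw=1

    $IPFW flush

    # Guest frames: ipfw's MAC option is "MAC <dst> <src>" (reverse of IP
    # order), so match each guest MAC as source and as destination. "allow"
    # is terminal, so nothing below is evaluated for these frames.
    for mac in 22:22:22:22:22:22 33:33:33:33:33:33; do
        $IPFW add 100 allow all from any to any MAC any "$mac" layer2
        $IPFW add 100 allow all from any to any MAC "$mac" any layer2
    done
    # Remaining layer-2 frames (the host's own traffic on igb0) continue to
    # the layer-3 pass, where the host policy lives.
    $IPFW add 200 allow all from any to any layer2

    # Host policy in ordinary layer-3 syntax, scoped to the uplink igb0:
    # SSH to the host only from 10.0.0.0/24.
    $IPFW add 300 allow tcp from 10.0.0.0/24 to me 22 in recv igb0
    $IPFW add 310 deny tcp from any to me 22 in recv igb0
    # Everything else reaching the host is allowed here; tighten as needed.
    $IPFW add 65000 allow all from any to any
}

case "${1:-}" in
    apply)   bhyve_host_ruleset ;;
    preview) (IPFW="echo ipfw -q"; SYSCTL="echo sysctl"; bhyve_host_ruleset) ;;
esac
```

Run with `preview` to print the generated rules, or `apply` (as root) to load them; the rule counters from `ipfw -a list` then show whether guest frames are really stopping at rule 100.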