Re: ipfw layer2+3 firewalling question

From: void <void_at_f-m.fm>
Date: Tue, 25 Mar 2025 11:43:40 UTC
Hi Ronald, thank you for your reply.

On Sun, Mar 23, 2025 at 08:21:21PM +0100, Ronald Klop wrote:
>
>I assume that in your setup igb0 is the host interface as well as bridge member. 

That's correct.

>That makes the setup a bit hard to reason about. IMHO you now have a virtual setup 
>which you wouldn't be able to replace with physical hardware. To mimic a physical 
>setup you could add another epair interface to act as the host interface and 
>leave igb0 as a bridge member only.

That's something I've not considered.
>
>igb0 ---+--- tap0 -- vmnet
>        |
>        +--- tap1 -- vmnet
>        |
>        +-- epair0a -- epair0b (this is where the host should listen on)
>
>And instead of putting the host IP address on igb0 you should put this 
>on epair0b.
>
>By default the ipfw firewall will then see the IP traffic of epair0b. As all 
>the other interfaces only pass ethernet traffic around.
>
>Something like this in /etc/rc.conf should do the trick.
>
>cloned_interfaces="bridge0 epair0 tap0 tap1"
>ifconfig_bridge0="addm igb0 addm epair0a addm tap0 addm tap1"
>ifconfig_igb0="up"
>ifconfig_epair0a="up"
>ifconfig_epair0b="SYNCDHCP" # or some other inet config

OK, I'll try that.

What I have tried, just for interest, in pf.conf (I know pf is unsuitable, but for an
experiment), in /etc/rc.conf, there is

cloned_interfaces="bridge0 tap0 tap1"
ifconfig_bridge0="addm igb0 addm tap0 addm tap1"

in /etc/pf.conf, there's

int_if="igb0"
ext_if="igb1"
int_taps="{ tap0, tap1 }"

>snip<

set skip on lo0
set skip on $int_taps
set block-policy drop

>snip<

this gets weird effects like the VM on tap0 can't ping tap1 and so on.
I was wondering if something like "set skip on mac_address" would work
in the ipfw context, and what its syntax was for specific layer2
filtering.
--
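As an added example (not part of the thread or its authors' configs), here is what the layer2 ipfw syntax asked about looks like for the bridge topology Ronald sketched: igb0, tap0, tap1 and epair0a as bridge0 members, the host on epair0b. The VM MAC addresses and the per-tap inventory are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): an ipfw layer2 ruleset for the bridge
# quoted above (igb0, tap0, tap1, epair0a on bridge0; host on epair0b).
# The VM MAC addresses are constructed placeholders.
set -eu

# Constructed inventory of "tap-interface vm-mac" pairs, one VM per tap.
VM_TABLE="tap0 02:00:00:00:00:01
tap1 02:00:00:00:00:02"

# Emit rules in ipfw(8) file syntax (without the "ipfw" prefix). Bridged
# frames reach ipfw once, on output, with both interfaces known: "recv" is
# the member the frame came in on, "xmit" the member it leaves by. Every
# frame also passes the layer3 rules, so each rule carries "layer2".
# MAC arguments are destination first, source second.
emit_layer2_rules() {
    # 1. anti-spoofing: a tap may only source frames with its VM's MAC
    n=1000
    echo "$VM_TABLE" | while read -r tap mac; do
        printf 'add %d deny all from any to any layer2 recv %s not MAC any %s\n' "$n" "$tap" "$mac"
        n=$((n+10))
    done
    # 2. a tap only receives unicast for its VM plus broadcast/multicast
    #    (I/G bit set, which ARP and DHCP need); other flooded unicast is dropped
    n=2000
    echo "$VM_TABLE" | while read -r tap mac; do
        printf 'add %d allow all from any to any layer2 xmit %s MAC %s any\n' "$n" "$tap" "$mac"
        printf 'add %d allow all from any to any layer2 xmit %s MAC 01:00:00:00:00:00&01:00:00:00:00:00 any\n' "$((n+1))" "$tap"
        printf 'add %d deny all from any to any layer2 xmit %s\n' "$((n+2))" "$tap"
        n=$((n+10))
    done
    # 3. frames leaving by igb0 or epair0a are left to the layer3 rules
    printf 'add 3000 allow all from any to any layer2\n'
}

# Kernel knobs from ipfw(8)/if_bridge(4): net.link.ether.ipfw registers the
# layer2 hook, net.link.bridge.ipfw sends bridged frames through it, and
# ARP is only filtered when net.link.bridge.ipfw_arp is set as well.
apply_layer2_rules() {
    sysctl net.link.ether.ipfw=1 net.link.bridge.ipfw=1 net.link.bridge.ipfw_arp=1 >/dev/null
    rules=$(mktemp)
    emit_layer2_rules >"$rules"
    ipfw -q "$rules"
    rm -f "$rules"
}

# Load the rules where ipfw exists; elsewhere just print them for review.
if command -v ipfw >/dev/null 2>&1; then
    apply_layer2_rules
else
    emit_layer2_rules
fi
```

Run it with `ipfw -n` on the generated file first to check the syntax without loading anything; the numbering leaves room for the existing layer3 rules below 1000.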