From: kaycee gb
To: pf@freebsd.org
Subject: Re: pf on a bhyve host
Date: Mon, 1 Nov 2021 21:30:28 +0100
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Hi,

On Sun, 31 Oct 2021 12:48:48 +0000, tech-lists wrote:

> Hello pf@
>
> (the context is a 12.2-p10 host and various bhyve guests)
>
> What's the best way to have pf protect the host (on igb0) but
> leave the traffic for the tap devices unexamined? It seems, for example
>
> set skip on $tap_ifs
>
> where $tap_ifs is a macro containing four tap devices, doesn't do what's
> needed.

Does the "set skip" option expand correctly (one tap if per line)?

> In this context, igb0 is bridged with the tap devices. Traffic
> still gets hit by pf block rules on the host despite being for the vm
> behind the tap device(s).

Do you filter on your bridge if or igb0?

>
> Is a different approach needed?

Based on your context, I would do the same as you.
Do you have a catch-all (block) rule at the end?

Alternatively, I would try to have rules specifically for each interface you
have except for TAP IFs (and probably bridges). Some sort of "set skip"
emulation.

As for the rest, I can't answer.

> Do I need to use vlans? The bhyve guests
> need to have real routable IPs and both the host and the guests are on
> the same subnet. The desired outcome was previously achieved with a
> hardware firewall in front of the bhyve host. I'm not sure if this is
> possible with freebsd's pf. Maybe it is with openbsd's? I understand
> that we have pci passthru with bhyve+openbsd guests now.
>
> thanks,

K.
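The two approaches discussed in this thread, `set skip` on the tap interfaces and the per-interface "set skip emulation", written out as a pf.conf skeleton. This is an added example, not configuration posted by either participant; the interface names (igb0, bridge0, tap0 to tap3) and the ssh rule are assumptions for illustration.

```pf
# Added example (not from the thread): pf.conf skeleton for a bhyve host
# whose igb0 is bridged (bridge0) with four tap interfaces.
ext_if  = "igb0"
br_if   = "bridge0"
tap_ifs = "{ tap0 tap1 tap2 tap3 }"

# Approach 1: tell pf not to examine the tap and bridge interfaces at all.
# Check the expansion with `pfctl -s Interfaces` (skipped interfaces are
# marked "(skip)") or with `pfctl -nvf /etc/pf.conf`, which prints the
# parsed rule set without loading it.
set skip on $tap_ifs
set skip on $br_if

# Approach 2 ("set skip" emulation): explicit first-match pass rules on the
# interfaces pf should leave alone, placed ahead of every host rule.
pass quick on $tap_ifs all
pass quick on $br_if all

# Host rules scoped to igb0 and to the host's own addresses. Frames that
# cross igb0 on their way to a guest behind the bridge are not addressed
# to ($ext_if), so a catch-all written as "block all" or "block on $ext_if"
# would still hit guest traffic; scoping it to the host address does not.
block in on $ext_if to ($ext_if)
pass in on $ext_if proto tcp to ($ext_if) port ssh
pass out on $ext_if from ($ext_if)
```

Whether pf sees bridged frames on the member interface (igb0), on the bridge interface, or both is controlled on FreeBSD by the sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge (both default to 1); that is why skipping only the tap interfaces still leaves guest traffic exposed to rules on igb0, and `sysctl net.link.bridge` is the first thing to check when rules on the host appear to match traffic that belongs to a guest.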