pf and tap(4) interfaces

tech-lists tech-lists at zyxst.net
Tue Oct 13 16:07:45 UTC 2020


Hi,

Is it possible to have a ruleset allowing unfiltered access to a tap
interface, but filtered on the real interface it's bridged to?

Let's say there are these:

ext_if="ix0" # real external ip, on a /29 
int_if="igb0" # internal ip 10.0.0.2/8
tap_if="tap0" # this services a vm on this machine, also with a real ip

bridge0 has ix0 and tap0 as members

tap0 needs unfiltered access. It has its own firewall.
ix0 wants to block everything apart from ssh.

This doesn't work (it blocks everything apart from ssh to the vm as
well):

[snip]
block all
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
pass in quick on $tap_if inet proto tcp from any to ($tap_if)

thanks,
-- 
J.
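The cause is that a frame from the wire enters the bridge on the physical member, so pf classifies it as "in on ix0" and "block all" drops it before any rule on $tap_if is ever consulted. The following ruleset gives the VM unfiltered bridged access while keeping ix0 restricted to ssh; it is an added example, not from the original post, and assumes the default if_bridge(4) filtering sysctls (net.link.bridge.pfil_member=1, net.link.bridge.pfil_bridge=1), that the host's own address stays on ix0 rather than bridge0 (otherwise skipping bridge0 would unfilter the host as well), and a placeholder VM address vm_ip.

```pf
# Added example, not from the original post. Assumes default if_bridge(4)
# sysctls (net.link.bridge.pfil_member=1, net.link.bridge.pfil_bridge=1)
# and that the host's external address is configured on ix0, not bridge0.
ext_if="ix0"          # host's real external address, on a /29
int_if="igb0"         # internal address 10.0.0.2/8
tap_if="tap0"         # bridged to ix0, serves the VM
vm_ip="203.0.113.10"  # placeholder: the VM's real address on the same /29

# The VM filters itself, so pf is not run on the tap member at all, nor on
# the bridge interface (with pfil_bridge=1 pf also sees forwarded frames
# there, and "block all" would drop them a second time).
set skip on { $tap_if bridge0 }

block all

# Host: only ssh to its own address.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22

# VM: with pfil_member=1 a frame from the wire is filtered "in on ix0"
# before the bridge forwards it to tap0, so it must be passed here, by
# destination address. The VM's own outbound traffic arrives "in on tap0"
# (skipped) and leaves "out on ix0", so that direction needs a rule too.
pass in quick on $ext_if inet from any to $vm_ip
pass out quick on $ext_if inet from $vm_ip to any
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading; afterwards "pfctl -vvsr" shows per-rule match counters and "pfctl -ss" the state table, which is the quickest way to confirm VM traffic is now matched on ix0 instead of being counted against "block all".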