IPFW firewalling for bhyve host bypassing bhyve guests

Hello,

My objective is to protect services on a bhyve host, while allowing traffic to the bhyve guests to pass to them unprocessed, as these each have pf and their own firewall policies. The host is running an up-to-date 13-stable.

I know ipfw can process both layer 2 and layer 3 traffic, but pf only processes layer 3, so that is why I want to use ipfw on the bhyve host.

So we have bridge0 with igb0, tap0 and tap1 as members.
In this example, igb0 has a MAC address of 11:11:11:11:11:11
tap0 has 22:22:22:22:22:22
tap1 has 33:33:33:33:33:33

How can I tell ipfw to pass 22:22:22:22:22:22 and 33:33:33:33:33:33 and apply no more rules to frames matching those MACs?

Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from 10.0.0.0/24
22:22:22:22:22:22 passing unhindered, unprocessed.

Possible?
 
Let's say I want to just block on 11:11:11:11:11:11 (igb0) port 22 apart from 10.0.0.0/24
22:22:22:22:22:22 passing unhindered, unprocessed.

Possible?

Should be, but I don't know how.

I just checked if_bridge(4) and tap(4) but it's not at all clear to me how ipfw(8) can filter traffic between host and tap bridge members.

Unless someone pops up here, I'd suggest joining and posting your (very clear) question to freebsd-net@freebsd.org.
 
sysctl                              description
net.link.bridge.ipfw                Layer2 filter with IPFW
net.link.bridge.allow_llz_overlap   Allow overlap of link-local scope zones of a bridge interface and the member interfaces
net.link.bridge.pfil_local_phys     Packet filter on the physical interface for locally destined packets
net.link.bridge.pfil_member         Packet filter on the member interface
net.link.bridge.ipfw_arp            Filter ARP packets through IPFW layer2
net.link.bridge.pfil_bridge         Packet filter on the bridge interface
net.link.bridge.pfil_onlyip         Only pass IP packets when pfil is enabled
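What the original question asks for, worked as an added example that is not from any of the posters: a POSIX sh script that turns net.link.bridge.ipfw into a ruleset with a layer-2 pass for the guest MACs and a layer-3 ssh restriction for the host. The script, its helper names and the rule numbers are my own; the bridge members, MACs and 10.0.0.0/24 come from the question, and it assumes the host's own address is reached through bridge0.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the layout in the question:
# bridge0 = igb0 + tap0 + tap1, the host's own IP reachable through the bridge,
# guest MACs 22:.. and 33:.., and 10.0.0.0/24 as the only network allowed to ssh in.
GUEST_MACS="22:22:22:22:22:22 33:33:33:33:33:33"
ADMIN_NET="10.0.0.0/24"

# net.link.bridge.ipfw=1 hands bridged frames to ipfw at layer 2 (setting it
# also clears pfil_member, pfil_bridge and pfil_onlyip, so bridged traffic is
# not run through the layer-3 hooks); ipfw_arp=0 leaves ARP unfiltered.
sysctl_settings() {
    printf '%s\n' 'net.link.bridge.ipfw=1' 'net.link.bridge.ipfw_arp=0'
}

# Print the ipfw commands instead of running them, so the ruleset can be
# reviewed (and tested) before it touches a live host.
build_ruleset() {
    n=100
    echo 'ipfw -q flush'
    # Layer-2 pass: a frame to or from a guest MAC is accepted at once and the
    # bridge forwards it; frames bridged between members are not looked at
    # again, only frames the host's own IP stack takes meet the layer-3 rules.
    # MAC takes "dst src": "any $mac" matches the source, "$mac any" the destination.
    for mac in $GUEST_MACS; do
        echo "ipfw add $n allow all from any to any layer2 MAC any $mac"; n=$((n + 10))
        echo "ipfw add $n allow all from any to any layer2 MAC $mac any"; n=$((n + 10))
    done
    # Any other frame also leaves the layer-2 pass untouched; host policy is
    # applied at layer 3 below, once the packet is handed to the IP stack.
    echo 'ipfw add 1000 allow all from any to any layer2'
    # Layer-3 pass: ssh to the host only from the admin network, other ssh
    # attempts to the host are logged and dropped, everything else passes.
    echo "ipfw add 2000 allow tcp from $ADMIN_NET to me 22 in"
    echo 'ipfw add 2010 deny log tcp from any to me 22 in'
    echo 'ipfw add 65000 allow ip from any to any'
}

# Helpers to sanity-check the generated set before applying it.
count_layer2_rules() { build_ruleset | grep -c ' layer2'; }
count_deny_rules()   { build_ruleset | grep -c ' deny '; }

apply_ruleset() {
    sysctl_settings | while read -r kv; do sysctl "$kv"; done
    build_ruleset | sh -e
}

if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run it without arguments to print and inspect the rules; run it as `sh script.sh apply` on the host to set the sysctls and load them.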