Hi. I am looking for some advice on the best way to implement an ipfw firewall on a bhyve host with multiple guests.
Ideally I'd like to globally control each guest firewall rule. My first attempt of writing rules for each tap interface was
unsuccessful. While attempting to ssh to a guest eventually would work, it appeared some processes would hang.
The network topology is pretty simple. 1 1GE management interface (access port) and 1 10GE trunk. Bridge interfaces
for each VLAN are created as "hubs" for each VLAN.
This script gets piped into /etc/rc.firewall on the host OS.
Ideally I'd like to globally control each guest firewall rule. My first attempt of writing rules for each tap interface was
unsuccessful. While attempting to ssh to a guest eventually would work, it appeared some processes would hang.
The network topology is pretty simple. 1 1GE management interface (access port) and 1 10GE trunk. Bridge interfaces
for each VLAN are created as "hubs" for each VLAN.
This script gets piped into /etc/rc.firewall on the host OS.
Code:
#!/bin/tcsh
echo ipfw -q -f flush
set cmd='echo ipfw add'
# global rules
#
# interfaces
set maho_mgmt="igb0"
set pif="igb0 cxgbe0.90 cxgbe0.48 tap0 tap1 tap2 tap3 tap4 tap5 tap7 tap8 tap9 tap10"
set ns=`awk '{if ($1 == "nameserver") print $2}' /etc/resolv.conf`
if ($#ns < 2) set ns = ($ns[1] $ns[1])
set anyports='80,443,21,22,123'
set inports='22'
set cip='192.168.0.0/16'
set promdev='9090,3000,9116'
set snmp="161,162"
set vnc="5900-5920"
#
$cmd 00010 allow all from any to any via lo0
$cmd 00012 allow all from any to any via cxgbe0
$cmd 00020 allow icmp from any to any
$cmd 00040 allow ip from any to any via bridge190
$cmd 00050 allow ip from any to any via bridge148
# allow dynamicly created rules
$cmd 00099 check-state
set a=1
foreach i ($pif)
$cmd 00${a}10 allow tcp from any to $ns[1] 53 out via $i setup keep-state
$cmd 00${a}20 allow tcp from any to $ns[2] 53 out via $i setup keep-state
$cmd 00${a}30 allow udp from any to $ns[1] 53 out via $i keep-state
$cmd 00${a}40 allow udp from any to $ns[2] 53 out via $i keep-state
$cmd 00${a}50 allow tcp from any to any $anyports out via $i setup keep-state
#INBOUND
$cmd 00${a}60 allow tcp from $cip to any $inports in via $i keep-state
@ a++
end
# tap intefaces
# tap0
$cmd 00${a}10 allow tcp from $cip to any $promdev in via tap0 keep-state
# tap6
# prometheus snmp on freebsd13-clone
@ a++
$cmd 00${a}10 allow udp from any to any $snmp out via tap6 keep-state
@ a++
## Mahodara mgmt
# VNC
$cmd 00${a}10 allow tcp from $cip to any $vnc in via $maho_mgmt keep-state
#
# should be implicit
$cmd deny ip from any to any