PF pf for byhve host on second interface

N

nebu

Hi,


I am aware that this might be a stupid question, but I obviously lack some understanding here.


I am running a bhyve host (using vm-bhyve) with guests in different subnets. I have an internal interface (igb0) and a dmz interface (igb1) and i am using virtual switches (bridges vm-internal and vm-dmz) for my VMs with tap devices.



Without pf everything works as expected. Now I want to make sure that access from the dmz subnet via igb1 to my host is impossible. ssh is only listening on the internal IP, I just want to make sure everything is closed in case I forget something.


In pf.conf I tried using "set skip" on everything related to the VMs and leave firewalling to those VMs. So I put this in my pf.conf:


Code: 
virt_if = "{ vm-dmz,  vm-internal, tap0, tap1, tap2 }"
set skip on $virt_if

But what do I do with the physical interfaces? Pass all traffic from igb0 to vm-internal and from igb1 to vm-dmz? My VMs currently don't get any Network access when pf is enabled.
 
nebu said:
Now I want to make sure that access from the dmz subnet via igb1 to my host is impossible
Click to expand...
That traffic never passes through igb1. The bridge is connected to the host, so it doesn't need to go out the external interfaces.
 
SirDice said:
That traffic never passes through igb1. The bridge is connected to the host, so it doesn't need to go out the external interfaces.
Click to expand...
I am not sure I understand. igb1 is configured as DHCP in my host's rc.conf. I need that to get an IP to the VM connected via the vm-dmz interface. If igb1 doen not have an IP, the VM connected to the virtual switch also doesn't get one via DHCP. Am I misunderstanding things?

Code: 
------------------------
Virtual Switch: dmz
------------------------
  type: standard
  ident: vm-dmz
  vlan: -
  physical-ports: igb1
  bytes-in: 15104 (14.750K)
  bytes-out: 400 (400.000B)

  virtual-port
    device: tap2
    vm: slack14

And if, by accident, any service on the host is listening on 0.0.0.0 it will also be listening on igb1, that is what I want to prevent.
 
The vm-dmz bridge and the IP address of your host's SSH are attached to the host (it doesn't matter if you assigned that IP address to an external interface, that's irrelevant in this case). So traffic from the vm-dmz network to the host doesn't go out of igb1 just to enter it again on the igb0 interface. Therefor it never passes igb1 (or igb0) because it's stays within the host itself.
 
Ah, I think we are misunderstanding each other. The igb1 interface is attached to an existing subnet with other machines in it. The DMZ subnet is not limited to the VMs connected to the vm-dmz bridge. I want to filter packages coming from other machines in the DMZ subnet trying to reach the host.
 
You must log in or register to reply here.
Back
Top