Date: Sat, 12 Aug 2006 17:36:30 +0100
From: "mal content" <artifact.one@googlemail.com>
To: freebsd-hackers@freebsd.org
Subject: Packet filtering on tap interfaces
Message-ID: <8e96a0b90608120936q67a5365vcc97217b44a272c0@mail.gmail.com>
Hello, this is a simplified re-phrasing of a question posted to questions@. It didn't get any answers over there because I think people took one look at it and switched off. A cut down version follows...

How does one do packet filtering on tap interfaces? I'm using qemu and I'm going to be loading some untrusted OS images so I'd like complete filtering of packets to and from the qemu process. I was given a partial solution by somebody before, but I couldn't get it to work.

I'm currently:

1. Using bridge.sh[1] to bridge between tap0 and my real fxp0 interface.
2. Trying to log or filter packets on tap0.

My current pf.conf looks like this:

    nic0 = "fxp0"
    host_ip = "192.168.2.5"

    pass in log all
    pass out log all

Which should surely filter everything. However, I can use the network on the guest OS (going through tap0) without ever triggering the pf logging. Why is this happening?

Even when explicitly specifying:

    pass in log all on tap0
    pass out log all on tap0

I still don't see any logs. Can tap interfaces reliably be filtered?

MC

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/share/examples/netgraph/ether.bridge
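As an added example (not part of the original message and not the poster's configuration), here is what a default-deny pf.conf for a qemu tap interface looks like once pf actually sees the traffic. It assumes the guest is attached with if_bridge(4) rather than the netgraph ether.bridge script the message links to, keeps the host address 192.168.2.5 from the message, and uses 192.168.2.50 as a constructed guest address.

```pf
# Added example, not from the original post. Default-deny policy for one
# qemu guest on tap0. Assumes if_bridge(4) bridging (see note below).
tap_if   = "tap0"
host_ip  = "192.168.2.5"    # host address given in the message
guest_ip = "192.168.2.50"   # constructed sample value for the guest

# Packets arriving on tap0 come from the guest; packets leaving on tap0
# go to the guest. Log everything on the interface by default.
block log all on $tap_if

# Never let the guest reach the host's own IP stack. "quick" stops
# evaluation here so the pass rules below cannot override it.
block in quick log on $tap_if from $guest_ip to $host_ip

# Minimal allow-list: DNS and web only, with state so replies return.
pass in quick log on $tap_if proto udp from $guest_ip to any port 53 keep state
pass in quick log on $tap_if proto tcp from $guest_ip to any port { 80, 443 } flags S/SA keep state

# Anything the guest tries with a spoofed source address is logged and dropped.
block in quick log on $tap_if from ! $guest_ip
```

Logged packets can be watched with `tcpdump -n -e -ttt -i pflog0`. Two caveats are worth checking before assuming the rules are wrong. With if_bridge(4), the sysctls net.link.bridge.pfil_member and net.link.bridge.pfil_bridge decide whether bridged frames are handed to pf on the member interfaces (tap0, fxp0) or on the bridge interface; if pfil_member is 0, rules on tap0 match nothing even though the guest has connectivity. The netgraph ether.bridge setup referenced in the message forwards frames inside netgraph, below the IP layer where pf hooks, so bridged guest traffic that is not addressed to the host itself does not pass through pf at all; that matches the symptom described. Also, pf only filters IP: ARP and other non-IP frames from the guest are not covered by any of the rules above.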