Date:      Sat, 12 Aug 2006 19:35:27 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-hackers@freebsd.org
Cc:        mal content <artifact.one@googlemail.com>
Subject:   Re: Packet filtering on tap interfaces
Message-ID:  <200608121935.33395.max@love2party.net>
In-Reply-To: <8e96a0b90608120936q67a5365vcc97217b44a272c0@mail.gmail.com>
References:  <8e96a0b90608120936q67a5365vcc97217b44a272c0@mail.gmail.com>

On Saturday 12 August 2006 18:36, mal content wrote:
> Hello, this is a simplified re-phrasing of a question posted to
> questions@. It didn't get any answers over there because I
> think people took one look at it and switched off. A cut down
> version follows...
>
> How does one do packet filtering on tap interfaces? I'm using
> qemu and I'm going to be loading some untrusted OS images
> so I'd like complete filtering of packets to and from the qemu
> process.
>
> I was given a partial solution by somebody before, but I couldn't
> get it to work.
>
> I'm currently:
>
> 1. Using bridge.sh[1] to bridge between tap0 and my real fxp0
> interface.
>
> 2. Trying to log or filter packets on tap0.
>
> My current pf.conf looks like this:
>
> nic0 = "fxp0"
> host_ip = "192.168.2.5"
> pass in log all
> pass out log all
>
> Which should surely filter everything. However, I can use the
> network on the guest OS (going through tap0) without ever
> triggering the pf logging. Why is this happening? Even when
> explicitly specifying:
>
> pass in log all on tap0
> pass out log all on tap0
>
> I still don't see any logs.
>
> Can tap interfaces reliably be filtered?

This is because the packets never make it to the IP-Layer (where our
packet filters normally hook into).  You can try to use if_bridge(4) to
bridge tap0 and fxp0.  if_bridge(4) offers extensive means of packet
filtering described in the man page in great detail.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
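The if_bridge(4) approach Max points at, written out as an added example (not code from either poster or from FreeBSD itself). It replaces the poster's bridge.sh with an if_bridge(4) bridge between fxp0 and tap0, sets the bridge's pfil sysctls so that pf is called for bridged packets on the member interfaces, and loads a default-deny ruleset on tap0. fxp0, tap0 and the 192.168.2.x network come from the original post; bridge0, the guest network 192.168.2.0/24, the ports allowed out and every helper name are this example's own assumptions. It has to run as root on a FreeBSD host; without an argument it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from the thread: replace the poster's bridge.sh with
# an if_bridge(4) bridge between fxp0 and tap0 and make pf filter the guest's
# packets on tap0.  fxp0, tap0 and 192.168.2.x are from the original post;
# bridge0, the guest network, the allowed ports and all helper names here are
# this example's assumptions.  Needs root on FreeBSD.  With no argument (or
# "show") it only prints what it would do; "apply" executes it.
set -eu

EXT_IF=${EXT_IF:-fxp0}                   # real NIC
TAP_IF=${TAP_IF:-tap0}                   # tap opened by qemu
BR_IF=${BR_IF:-bridge0}                  # assumed bridge name
GUEST_NET=${GUEST_NET:-192.168.2.0/24}   # assumed: guest sits on the host's LAN
MODE=${1:-show}

# Print a command in "show" mode, execute it in "apply" mode.
run() {
    if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

# pf attaches to pfil(9) at the IP layer; plain bridging never gets there,
# which is why the poster's rules never fired.  if_bridge(4) can push bridged
# packets through the pfil hooks of its member interfaces.  Set every knob
# explicitly instead of trusting the release's defaults.
bridge_sysctls() {
    run sysctl net.link.bridge.pfil_member=1  # filter on tap0/fxp0 as packets enter and leave
    run sysctl net.link.bridge.pfil_bridge=0  # do not filter a second time on bridge0
    run sysctl net.link.bridge.pfil_onlyip=1  # drop non-IP frames pf cannot inspect (ARP still passes)
}

# Build the bridge.  "create" fails if bridge0 already exists; destroy it
# first (ifconfig bridge0 destroy) when re-running.
bridge_up() {
    run ifconfig "$BR_IF" create
    run ifconfig "$BR_IF" addm "$EXT_IF" addm "$TAP_IF" up
    run ifconfig "$TAP_IF" up
}

# Ruleset: with pfil_member=1 a frame from the guest is "in on tap0" and a
# reply to the guest is "out on tap0", so rules on $tap_if see both
# directions.  Default-deny on the tap, log everything blocked, and open only
# what the untrusted guest needs.  The host's own traffic on fxp0 is untouched
# because no rule is written on $ext_if.
pf_conf() {
    cat <<EOF
ext_if = "$EXT_IF"
tap_if = "$TAP_IF"
guest_net = "$GUEST_NET"

block log on \$tap_if all

# DNS and web from the guest; replies return through the state entry.
pass in quick on \$tap_if proto udp from \$guest_net to any port 53 keep state
pass in quick on \$tap_if proto tcp from \$guest_net to any port { 80, 443 } flags S/SA keep state
EOF
}

pf_load() {
    if [ "$MODE" = apply ]; then
        pf_conf > /etc/pf.conf
        pfctl -f /etc/pf.conf
        pfctl -e 2>/dev/null || true    # pfctl -e fails harmlessly if pf is already enabled
    else
        pf_conf
    fi
}

case "$MODE" in
    show|apply) bridge_sysctls; bridge_up; pf_load ;;
    *) echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh bridge-filter.sh` first to review the commands and the generated pf.conf, then `sh bridge-filter.sh apply`. Blocked guest packets then show up on pflog0 (`tcpdump -n -e -ttt -i pflog0`, with pflog_enable="YES" in rc.conf so the interface is up). pfil_bridge is deliberately 0 here: with both pfil_member and pfil_bridge set, each packet is run through the ruleset on the member and again on bridge0, which doubles state entries and makes the logs confusing; keeping the rules on the member interface only is enough to see and control everything the guest sends or receives.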




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608121935.33395.max>