Re: Making pf block DomU <-> DomU traffic

To: Torbjörn Granlund <tg%gmplib.org@localhost>
Subject: Re: Making pf block DomU <-> DomU traffic
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Sun, 8 Mar 2015 19:25:45 +0100

On Sat, Mar 07, 2015 at 03:36:02PM +0100, Torbjörn Granlund wrote:
> I have used pf for many years, and also Xen under NetBSD.  I have never
> used them in combination.  Now I do, using a custom-built Dom0 kernel
> with pf (as loadable kernel modules + Xen is well-known as non-working).
> 
> Despite draconian block rules, I fail to block traffic between DomU
> guests.  These guests both run NetBSD PV.
> 
> [...]
> The way I understand NetBSD bridges is that they act as "level 2"
> switches.  The DomU systems I wish to isolate from eachother are
> attached to the same bridge, bridge0.  Packet to the rest of the world
> go through tap0 as it is also attached to bridge0.
> 
> This view explains why the 'block tap0' rule in ineffective; the bridge0
> switch will naturally pass packets directly from 10.0.0.2 to 10.0.0.5.
> But 'block all' should, er, block it all.
> 
> But then, how do I force this blocking?  "block all dammit!".  :-)

With ipf, I have to build a kernel with
options BRIDGE_IPF

and then add the 'ipf' keyword to all interface member of the bridge
(see brconfig(8) for details; you can do this in the vif-bridge script).

Reading the code, this in fact cause bridge to call pfil_hook which is
not ipf-specific so I guess it should work with pf too. At last it's
worth a try.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

References:
- Making pf block DomU <-> DomU traffic
  - From: Torbjörn Granlund

Prev by Date: Re: pure-ftpd
Next by Date: ap mod_secure
Previous by Thread: Re: Making pf block DomU <-> DomU traffic
Next by Thread: pure-ftpd
Indexes:

Home | Main Index | Thread Index | Old Index