Mark Raynsford via freebsd-virtualization wrote this message on Sat, Aug 01, 2020 at 14:51 +0000:
> Let's say I have a machine running a few dozen bhyve guests. Each bhyve
> guest gets its own tap device, and all of the tap devices are connected
> to a bridge.
>
> Everything works fine. I can write pf rules that control access between
> each guest, and between each guest and the world. I can't directly
> observe the IP addresses that the guests have assigned to the tap
> devices I gave them, but if I know the addresses beforehand, I can for
> example write pf rules that say things like:
>
> block log all
> pass in on tap23 proto tcp \
> from any to $guest_23_ip port ssh modulate state
>
> That then means that even if the guest is compromised and tries to bind
> a server to another address, the pf rules won't allow anyone else to
> actually connect to it.
>
> The good thing about this is also the bad thing about this; I have to
> write specific rules that say "only allow access to this specific IP
> via this specific tap device". Over dozens of guests, that can multiply
> to hundreds of laboriously maintained rules.
>
> Is there some more general way I can supply a mapping between tap
> devices and allowed addresses? Remember that pf can't see the guest
> addresses on the host sides of the tap devices, so I can't use the
> (device) syntax to expand to "the address of a NIC called 'device'".
>
> I can generate rule sets, but perhaps there's something "better"[0]? The
> documentation isn't suggesting much.
>
> [0] Better in the sense that, for example, a table is usually better
> than a massive list of macros. :)
Don't think there is anything better...
bridge does have sticky that binds the mac address to an interface, but
that doesn't deal w/ IP ARP.
One issue w/ this is how do you know the difference between one machine
that's been down for a long time, and an attacking machine that takes
over the down'd machine's IP address?
I assume that these addresses are assigned via DHCP server, otherwise
if you are launching the VMs w/ known static IPs, you could use
pf's anchor directive, and each start/stop of a VM, update the rule for
that tap's anchor.
--
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
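The per-tap anchor approach from the reply above, written out as an added example that is not part of the original thread. It assumes the host's /etc/pf.conf already carries `block log all` and `anchor "guest/*"`, that bridge member filtering is on (so guest-originated packets arrive "in" on the tap and packets to the guest leave "out" on it), and that a VM start/stop hook knows each guest's tap index and static IP; the function names and the `guest/` anchor prefix are hypothetical.

```shell
#!/bin/sh
# Added example: one pf anchor per tap device, loaded when a bhyve guest
# starts and flushed when it stops, for guests with known static IPs.
# Assumes /etc/pf.conf contains:  block log all   and   anchor "guest/*"
# Function names and the "guest/" anchor prefix are hypothetical.

# Print the ruleset for one guest. A compromised guest that binds another
# address is dropped at its own tap, and only ssh reaches the assigned IP;
# everything not passed here still falls to "block log all" in pf.conf.
guest_anchor_rules() {
    tapidx=$1
    guest_ip=$2
    # guest may only source its assigned address (anti-spoof at the tap)
    printf 'block in quick on tap%s from ! %s to any\n' "$tapidx" "$guest_ip"
    # guest-originated traffic to other guests and the world
    printf 'pass in on tap%s from %s to any modulate state\n' "$tapidx" "$guest_ip"
    # only ssh may be delivered to the guest, and only via its own tap
    printf 'pass out on tap%s proto tcp from any to %s port ssh modulate state\n' \
        "$tapidx" "$guest_ip"
}

# Anchor name for a tap: the per-guest rules live in "guest/tapN", which
# the "anchor guest/*" line in pf.conf evaluates for every loaded guest.
guest_anchor_name() {
    printf 'guest/tap%s\n' "$1"
}

# Load the rules on guest start (root on the bhyve host; pfctl reads
# the ruleset from stdin).
guest_anchor_load() {
    guest_anchor_rules "$1" "$2" | pfctl -a "$(guest_anchor_name "$1")" -f -
}

# Flush the rules on guest stop so a stale anchor never keeps an old
# address reachable after the guest is gone.
guest_anchor_flush() {
    pfctl -a "$(guest_anchor_name "$1")" -F rules
}

# From a VM start/stop hook (tap index and IP come from your VM inventory):
#   guest_anchor_load 23 192.0.2.23     # on start
#   guest_anchor_flush 23               # on stop
```

`pfctl -sr -a guest/tap23` shows the rules currently loaded for one guest, which is a quick way to audit that each tap carries exactly one address.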
