On 2025-05-27, Heinrich Rebehn <heinrich.reb...@rebehn.net> wrote:
> Hello all,
>
> The question may sound weird, but here is my situation:
>
> I have a (Linux) PBX (FreePBX) that I want to protect with an OpenBSD
> firewall since I am not familiar with Linux' builtin firewall and also I
> would like to separate things.
>
> I also would like to avoid routing / NAT on the firewall, which leads me to
> using a transparent filtering bridge.
>
> When experimenting with such a setup on my rented VMWare ESXi host, I
> immediately got an abuse email from my hoster, complaining about the use of
> unauthorised MAC addresses.
> The reason is:
> When I order an additional IP address for my PBX VM, I am provided a defined
> MAC address which I have to configure on the VM. I am not allowed to use any
> other MAC.
Surely you still need access to update/manage the firewall? Seems the
simplest solution might be to order an additional address to use on it, and
configure that MAC address via 'lladdr'. (The VM host may need to be
configured to allow using a non-default MAC).

> My setup:
>
> +--------------------------+    +--------------------------+   +----------------+
> | PBX (using provided MAC) |----| OpenBSD filtering bridge |---| hoster's router|
> +--------------------------+    +--------------------------+   +----------------+
>                                   |            |
>                                   |            |
>                                 VMX1          VMX0 with 'alien'
>                                               MAC address
>
>
> The challenge: How do I prevent my firewall's VMX0 interface from sending any
> packet using any other than the provided MAC address.
>
> Things that I already considered:
> - When acting as a bridge, packets from PBX should be forwarded with original
>   MAC
> - IP forwarding is disabled, net.inet.ip.forwarding=0
> - VMX0 and VMX1 are only configured as UP (no IP address)
> - The bridge is configured as:
>     up
>     add vmx0
>     add vmx1
>     blocknonip vmx0
>     blocknonip vmx1
>     -autoedge vmx0
>     -autoedge vmx1
>     -edge vmx0
>     -edge vmx1
> - /etc/pf.conf:
>     set skip on lo
>     block drop out quick log on vmx0 from self to any
>     block drop in quick log on vmx0 from any to self
>     block drop log
>     pass # No filtering done ATM
>
>
> Anything else that needs to be considered?

the initial temporary PF ruleset in /etc/rc does allow some packets, though
you may be ok if the interfaces have no address configured. try it with a vm
with a network interface plumbed through to another vm where you can watch
with tcpdump.

bios/uefi may send packets in some circumstances e.g. pxe

> PS: If you consider this whole setup insane, I am open for better solutions
> :-)
>
> Thanks for any help,
>
> Heinrich
>
>

-- 
Please keep replies on the mailing list.
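As an added example that is not part of this thread, here is how the reply's suggestion could look as OpenBSD hostname.if(5) files: vmx0 pinned to a hoster-issued MAC via lladdr, plus bridge(4) filter rules as a second guard so that only the two authorised source MACs can leave towards the hoster's router. All MAC and IP addresses are placeholders, and whether the bridge "out" rules also cover frames the firewall's own stack originates on vmx0 is an assumption to confirm with the tcpdump check the reply describes.

```conf
# /etc/hostname.vmx0  (uplink towards the hoster's router)
# lladdr replaces the VMware-generated 'alien' address with the MAC the
# hoster issued for the firewall's own address, so the firewall itself
# never sources frames from an unauthorised MAC.
# PLACEHOLDER MAC (locally administered): substitute the assigned one.
lladdr 02:00:00:00:00:a0
# PLACEHOLDER address (documentation range) for managing the firewall.
inet 192.0.2.10 255.255.255.0
up

# /etc/hostname.vmx1  (towards the PBX; no address, bridge member only)
up

# /etc/hostname.bridge0
add vmx0
add vmx1
blocknonip vmx0
blocknonip vmx1
-autoedge vmx0
-autoedge vmx1
-edge vmx0
-edge vmx1
# bridge(4) filter rules are evaluated in order, first match wins, and a
# frame that matches no rule is passed, so the catch-all block comes last.
# PLACEHOLDER: MAC the hoster issued for the PBX VM.
rule pass out on vmx0 src 02:00:00:00:00:b0
# PLACEHOLDER: the firewall's own MAC, the same value as lladdr above.
rule pass out on vmx0 src 02:00:00:00:00:a0
# Anything else trying to leave via vmx0 (e.g. a stray frame still carrying
# the old VMware MAC) is dropped on the bridge before it reaches the hoster.
rule block out on vmx0
up
```

Note that the pf.conf quoted above blocks everything from and to self on vmx0, so once the firewall has its own address it needs a pass rule for the management traffic you actually want.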