(Notes to myself) FreeBSD and BHYVE and JAIL and VLAN and IPFW and BRIDGE and VNET and lots more! - Qiita
2.2 Configure FreeBSD sysctls to easily bridge out
I'm usually using PF as a firewall, and I want to be able to make the best use of the bridge you can create with vm-bhyve. To this end, I'm deciding not to firewall the bridge in any way, and telling PF not to care about the bridge is quite easy; it's even a configuration I'm using for VNET jails. So let's change the PF behavior with the bridge using these sysctls.

Descriptions:

net.link.bridge.pfil_bridge: Packet filter on the bridge interface
net.link.bridge.pfil_onlyip: Only pass IP packets when pfil is enabled
net.link.bridge.pfil_member: Packet filter on the member interface

Commands:

sysctl net.link.bridge.pfil_bridge=0
sysctl net.link.bridge.pfil_onlyip=0
sysctl net.link.bridge.pfil_member=0

You can put these sysctls directly in your /etc/sysctl.conf so that at reboot it's already configured.

Now you can only care about what's important, and if you want to firewall your VM, you can always add one inside the VM itself.

https://yom.iaelu.net/2020/05/freebsd-using-docker-and-kubernetes/
I've set additionally:

Code:
sysctl net.link.bridge.pfil_bridge=0
sysctl net.link.bridge.pfil_member=0

and now the bhyve machines have network access without additional ipfw rules.

https://forums.freebsd.org/threads/bhyve-and-firewall-on-host.75089/
The iocage documentation regarding VNETs recommends: "Add these tunables to /etc/sysctl.conf:"
https://www.reddit.com/r/freebsd/comments/angqb5/bridge_networking_and_firewall_question/
/etc/sysctl.conf

Add these tunables to /etc/sysctl.conf:

net.inet.ip.forwarding=1        # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0   # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0   # Packet filter on the bridge interface
net.link.bridge.pfil_member=0   # Packet filter on the member interface
net.link.bridge.pfil_onlyip
    Controls the handling of non-IP packets which are not passed to pfil(9). Set to 1 to only allow IP packets to pass (subject to firewall rules), set to 0 to unconditionally pass all non-IP Ethernet frames.

net.link.bridge.pfil_member
    Set to 1 to enable filtering on the incoming and outgoing member interfaces, set to 0 to disable it.

net.link.bridge.pfil_bridge
    Set to 1 to enable filtering on the bridge interface, set to 0 to disable it.
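All of the quoted posts end up with the same three tunables, and with pfil_bridge=0 and pfil_member=0 the host's PF or IPFW never sees the bridged VM and VNET-jail traffic. The script below is an added example, not code from any of the quoted sources: it parses a sysctl.conf-style fragment (a constructed sample mirroring the iocage snippet) and reports the effective state of these tunables, so a candidate /etc/sysctl.conf can be reviewed before it is loaded. It assumes values without embedded whitespace and needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the quoted posts): audit a sysctl.conf fragment
# for the bridge packet-filter tunables. Pure text parsing, no kernel access.

# Constructed sample, mirroring the iocage snippet quoted above.
sample_conf() {
    cat <<'EOF'
net.inet.ip.forwarding=1        # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0   # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0   # Packet filter on the bridge interface
net.link.bridge.pfil_member=0   # Packet filter on the member interface
EOF
}

# Effective value of one tunable read from stdin: comments stripped,
# whitespace dropped, last assignment wins, "unset" when absent.
sysctl_conf_get() {
    awk -v key="$1" '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }   # drop comment and blanks
        /^$/ { next }                          # empty after stripping
        index($0, "=") == 0 { next }           # not an assignment line
        {
            n = index($0, "=")
            if (substr($0, 1, n - 1) == key) val = substr($0, n + 1)
        }
        END { print (val == "" ? "unset" : val) }
    '
}

# Exit 0 when bridged frames bypass the host packet filter, i.e. both
# pfil_bridge and pfil_member are 0 (the setup the quoted posts use).
# In that state filtering has to live inside the guest or jail.
bridge_pfil_bypassed() {
    conf=$(cat)
    b=$(printf '%s\n' "$conf" | sysctl_conf_get net.link.bridge.pfil_bridge)
    m=$(printf '%s\n' "$conf" | sysctl_conf_get net.link.bridge.pfil_member)
    [ "$b" = 0 ] && [ "$m" = 0 ]
}

# One line per tunable, for a quick review of a candidate /etc/sysctl.conf.
audit_bridge_pfil() {
    conf=$(cat)
    for k in net.inet.ip.forwarding net.link.bridge.pfil_onlyip \
             net.link.bridge.pfil_bridge net.link.bridge.pfil_member; do
        printf '%s=%s\n' "$k" "$(printf '%s\n' "$conf" | sysctl_conf_get "$k")"
    done
}

# Usage: sample_conf | audit_bridge_pfil
#        sample_conf | bridge_pfil_bypassed && echo "host firewall bypassed for bridged traffic"
```

Run it against the real file with `audit_bridge_pfil < /etc/sysctl.conf`; appending a later `net.link.bridge.pfil_member=1` line overrides the earlier 0, and the bypass check then fails.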