I'm trying to firewall on the host via Linux iptables. The guest uses bridged networking. I have tried different approaches, including matching on PHYSDEV; nothing seems to allow iptables to see the packets going to the guest. Is the vmnet module stealing the packets before PHYSDEV can match them? tcpdump sees the guest packets just fine; now I just need to be able to touch them somehow. Manually putting the interface in promiscuous mode has no effect.
Besides simplifying things, I think security is improved by firewalling on the host as opposed to firewalling each guest.
Any thoughts appreciated.
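As an added diagnostic that is not part of the original post: an `iptables -m physdev` rule can only match when the br_netfilter hooks are on (`net.bridge.bridge-nf-call-iptables=1`) and the NIC is a port of a Linux bridge; a NIC bridged by the vmnet module has no Linux bridge master, so the kernel bridge hooks never see the guest frames. The script below checks both conditions; `physdev_possible` and `check_iface` are my own names, and it assumes `ip` and `sed` are installed.

```shell
#!/bin/sh
# Added check (not from the original post): decide whether an
# "iptables -m physdev" rule can see frames for a host NIC at all.
# Two conditions must hold: br_netfilter loaded with
# bridge-nf-call-iptables=1, and the NIC enslaved to a Linux bridge.

# physdev_possible BRNF MASTER
#   BRNF   : contents of /proc/sys/net/bridge/bridge-nf-call-iptables,
#            or "missing" if that file does not exist
#   MASTER : Linux bridge the NIC is enslaved to, or "" if none
# Prints a verdict; exit status 0 = physdev can match, 1 = it cannot.
physdev_possible() {
    brnf="$1"
    master="$2"
    case "$brnf" in
        missing)
            echo "br_netfilter not loaded: no bridge-nf hooks, physdev cannot match"
            return 1 ;;
        0)
            echo "bridge-nf-call-iptables=0: bridged frames bypass iptables"
            return 1 ;;
        1)  ;;
        *)
            echo "unexpected sysctl value '$brnf'"
            return 1 ;;
    esac
    if [ -z "$master" ]; then
        echo "NIC is not a port of a Linux bridge (vmnet-style bridging): physdev cannot match"
        return 1
    fi
    echo "NIC is a port of Linux bridge '$master' and bridge-nf hooks are on: physdev can match"
    return 0
}

# Gather both inputs from the running host for interface $1 and evaluate.
check_iface() {
    iface="$1"
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then brnf=$(cat "$f"); else brnf=missing; fi
    # 'ip -o link show dev X' prints "master brX" only when X is enslaved
    master=$(ip -o link show dev "$iface" 2>/dev/null | sed -n 's/.* master \([^ ]*\).*/\1/p')
    physdev_possible "$brnf" "$master"
}

# Usage: sh physdev_check.sh eth0
if [ $# -eq 1 ]; then check_iface "$1"; fi
```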