On Mon, Aug 28, 2017 at 06:48:20PM -0400, Bryan Harris wrote:
> On Mon, Aug 28, 2017 at 6:18 PM, Mike Larkin <mlar...@azathoth.net> wrote:
> > On Mon, Aug 28, 2017 at 06:03:16PM -0400, Bryan Harris wrote:
> 
> >> If the vio is connected to the virtual switch, and the switch is
> >
> > But the vio(4) interface isn't visible to the host. So what you said there
> > doesn't make sense. It's connected to the switch *via* the corresponding
> > tap interface on the host.
> 
> I think I understand now.
> 
> >> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
> >
> > what about just:
> >
> > pass
> 
> Does that allow traffic to come in on the egress?  I want to have
> normal traffic rules that are "more safe than nothing" during the
> learning process.  But I also want to pass the VM traffic so that I
> can experiment with things in the VM without the worry that I made a
> pf.conf mistake.
> 
> ssh_nets="{ <home, work, stuff like that goes here> }"
> vm_if = "vether0"
> vm_net = $vm_if:network
> 
> block all
> set skip on lo
> antispoof for egress
> antispoof for $vm_if
> match in all scrub (no-df max-mss 1440)
> 
> # match in log (matches) on $vm_if from $vm_net tag localnet
> # match log (matches) inet proto tcp from any to egress:0 port 53 tag dns
> # match log (matches) inet proto udp from any to egress:0 port 53 tag dns
> 
> pass inet proto icmp icmp-type { echoreq, unreach }
> pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
> pass in on egress inet proto udp from any to egress:0 port 53
> pass in on egress inet proto tcp from any to egress:0 port { 53 80 443 }
> # pass in on egress proto tcp from any to egress port 80 rdr-to 192.0.2.12 port 80
> # pass in on egress proto tcp from any to egress port 443 rdr-to 192.0.2.12 port 443
> 
> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
> 
> pass out all
> 
> match out on egress inet from $vm_net nat-to (egress)
> 
> V/r,
> Bryan
>

Your pf config is more complex than mine. Perhaps someone with more pf
expertise can comment. Mine is pretty basic, just has a rule for the NAT
for the VM traffic and a few other unrelated rules.

-ml

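As an added example, not part of the thread above and not Bryan's or Mike's configuration: a minimal pf.conf for a vmd host that keeps the two goals of the discussion apart. The VMs' vio(4) interfaces are reached only through the host-side tap(4) interfaces that vmd adds to the virtual switch, so the unconditional pass is scoped to those interfaces (an `on` clause limits a rule to the named interfaces; a bare `pass` with no `on` clause matches on every interface, egress included, and so also lets traffic in from the outside). The interface names, the `10.0.0.0/24` VM network, the four tap interfaces and the `ssh_nets` addresses are assumptions for the example.

```pf
# Added example, not from the thread. Assumed host layout (comments only,
# these files are not part of pf.conf):
#   /etc/hostname.vether0:  inet 10.0.0.1 255.255.255.0
#   /etc/hostname.bridge0:  add vether0  up
#   /etc/vm.conf:           switch "local" { interface bridge0 }
# vmd attaches one tapN per VM to bridge0, and each VM's vio(4) is only
# reachable from the host through that tap.

vm_if   = "vether0"
vm_net  = "10.0.0.0/24"                  # assumed VM network
vm_taps = "{ tap0 tap1 tap2 tap3 }"      # assumed: one tap per VM
ssh_nets = "{ 192.0.2.0/24 }"            # assumed admin networks

set skip on lo

# Default deny, applied to every interface, egress included.
block all
antispoof for egress
antispoof for $vm_if

match in all scrub (no-df max-mss 1440)

# What the outside world may reach: only the listed services on the
# egress address. Everything else arriving on egress stays blocked.
pass inet proto icmp icmp-type { echoreq, unreach }
pass in on egress inet proto tcp from $ssh_nets to (egress) port 22

# VM traffic is passed unconditionally, but only on the interfaces
# that carry it. Because the rule is scoped with "on", it cannot open
# egress the way a bare "pass" would.
pass on $vm_if
pass on $vm_taps

# VMs reach the Internet through the host's address on egress.
match out on egress inet from $vm_net nat-to (egress)
pass out on egress
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the scoping with `pfctl -sr`: the only `pass in` rule whose interface is egress should be the ssh one, while the `pass on tap*` rules show the tap interfaces explicitly.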