Monday, August 28, 2017

Re: vio(4) tap(4) question

On Mon, Aug 28, 2017 at 6:18 PM, Mike Larkin <mlarkin@azathoth.net> wrote:
> On Mon, Aug 28, 2017 at 06:03:16PM -0400, Bryan Harris wrote:

>> If the vio is connected to the virtual switch, and the switch is
>
> But the vio(4) interface isn't visible to the host. So what you said there
> doesn't make sense. It's connected to the switch *via* the corresponding
> tap interface on the host.

I think I understand now.

>> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>
> what about just:
>
> pass

Does that allow traffic to come in on the egress? I want to have
normal traffic rules that are "more safe than nothing" during the
learning process. But I also want to pass the VM traffic so that I
can experiment with things in the VM without the worry that I made a
pf.conf mistake.

ssh_nets="{ <home, work, stuff like that goes here> }"
vm_if = "vether0"
vm_net = $vm_if:network

block all
set skip on lo
antispoof for egress
antispoof for $vm_if
match in all scrub (no-df max-mss 1440)

# match in log (matches) on $vm_if from $vm_net tag localnet
# match log (matches) inet proto tcp from any to egress:0 port 53 tag dns
# match log (matches) inet proto udp from any to egress:0 port 53 tag dns

pass inet proto icmp icmp-type { echoreq, unreach }
pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
pass in on egress inet proto udp from any to egress:0 port 53
pass in on egress inet proto tcp from any to egress:0 port { 53 80 443 }
# pass in on egress proto tcp from any to egress port 80 rdr-to 192.0.2.12 port 80
# pass in on egress proto tcp from any to egress port 443 rdr-to 192.0.2.12 port 443

pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }

pass out all

match out on egress inet from $vm_net nat-to (egress)

V/r,
Bryan
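The question in the message above ("does a bare `pass` let traffic in on egress?") comes down to pf's evaluation order: rules are walked top to bottom and the last matching rule decides, unless a matching rule carries `quick`. The following is an added example, not code from the thread or from OpenBSD; it is a toy model of that evaluation order loaded with a subset of the ruleset from the post. The external interface name em0 (standing in for "egress"), the absence of address matching, state tracking, nat-to and rdr-to, and the sample packets are all assumptions made for the example.

```python
# Added example (not from the thread): a toy model of how pf(4) picks a
# verdict. pf evaluates the ruleset top to bottom and the LAST matching
# rule wins, unless a matching rule carries "quick", which ends evaluation
# on the spot. Only action, direction, interface, protocol and destination
# port are modelled; addresses, state tracking, nat-to and rdr-to are not.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    iface: str                  # interface the packet crosses
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                                # "pass" or "block"
    direction: Optional[str] = None            # None: both directions
    ifaces: Optional[FrozenSet[str]] = None    # None: any interface
    proto: Optional[str] = None                # None: any protocol
    dports: Optional[FrozenSet[int]] = None    # None: any port
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.ifaces is None or p.iface in self.ifaces)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """Return 'pass' or 'block' using pf's last-match-wins semantics.
    With no matching rule at all pf passes the packet, hence the default."""
    verdict = "pass"
    for rule in rules:
        if rule.matches(packet):
            verdict = rule.action
            if rule.quick:      # "quick" short-circuits the search
                break
    return verdict


# Constructed names: the host's external interface is assumed to be em0
# ("egress" in the original pf.conf); the VM side is vether0 plus tap0-tap9.
EGRESS = frozenset({"em0"})
VM_IFS = frozenset({"vether0"} | {f"tap{i}" for i in range(10)})

# Subset of the ruleset from the post, in the same order. The "from
# $ssh_nets" source restriction is not modelled here.
BASE_RULES = [
    Rule("block"),                                            # block all
    Rule("pass", proto="icmp"),                               # pass inet proto icmp ...
    Rule("pass", "in", EGRESS, "tcp", frozenset({22})),       # ssh from $ssh_nets
    Rule("pass", "in", EGRESS, "udp", frozenset({53})),       # dns
    Rule("pass", "in", EGRESS, "tcp", frozenset({53, 80, 443})),
]

# The two candidate VM rules discussed in the thread.
SCOPED_VM_RULE = Rule("pass", ifaces=VM_IFS)   # pass on { vether0 tap0 ... tap9 }
BARE_PASS = Rule("pass")                       # pass


def ruleset(vm_rule: Rule) -> List[Rule]:
    """Full ordered ruleset: base rules, the VM rule, then 'pass out all'."""
    return BASE_RULES + [vm_rule, Rule("pass", "out")]


if __name__ == "__main__":
    probe = Packet("in", "em0", "tcp", 23)     # unsolicited inbound on egress
    for name, vm_rule in (("scoped", SCOPED_VM_RULE), ("bare pass", BARE_PASS)):
        print(f"{name:9s}: inbound tcp/23 on egress -> "
              f"{evaluate(ruleset(vm_rule), probe)}")
```

Run as a script it evaluates one unsolicited inbound connection on the external interface under both variants: with the rule scoped to the VM interfaces the earlier `block all` still wins for that packet, while a bare `pass` placed after `block all` matches every packet and so overrides it. The same model shows the other way to pin a verdict: a `block ... quick` rule early in the set ends evaluation before any later `pass` is consulted. On a real system the equivalent check is `pfctl -nf /etc/pf.conf` for syntax and `pfctl -sr` to confirm the loaded order; neither is modelled here.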
