Monday, August 28, 2017

Re: vio(4) tap(4) question

Somehow this thread gave me the idea to try:

pass on { vether* tap* }

Which did not work. But it led to the idea to use the group names:

pass on { vether tap }

Which does work. It's funny because I like using group names (like
egress) and I noticed earlier today that all taps are in a group
called tap, but I never connected the dots.

V/r,
Bryan

On Mon, Aug 28, 2017 at 6:52 PM, Mike Larkin <mlarkin@azathoth.net> wrote:
> On Mon, Aug 28, 2017 at 06:48:20PM -0400, Bryan Harris wrote:
>> On Mon, Aug 28, 2017 at 6:18 PM, Mike Larkin <mlarkin@azathoth.net> wrote:
>> > On Mon, Aug 28, 2017 at 06:03:16PM -0400, Bryan Harris wrote:
>>
>> >> If the vio is connected to the virtual switch, and the switch is
>> >
>> > But the vio(4) interface isn't visible to the host. So what you said there
>> > doesn't make sense. It's connected to the switch *via* the corresponding
>> > tap interface on the host.
>>
>> I think I understand now.
>>
>> >> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>> >
>> > what about just:
>> >
>> > pass
>>
>> Does that allow traffic to come in on the egress? I want to have
>> normal traffic rules that are "more safe than nothing" during the
>> learning process. But I also want to pass the VM traffic so that I
>> can experiment with things in the VM without the worry that I made a
>> pf.conf mistake.
>>
>> ssh_nets="{ <home, work, stuff like that goes here> }"
>> vm_if = "vether0"
>> vm_net = $vm_if:network
>>
>> block all
>> set skip on lo
>> antispoof for egress
>> antispoof for $vm_if
>> match in all scrub (no-df max-mss 1440)
>>
>> # match in log (matches) on $vm_if from $vm_net tag localnet
>> # match log (matches) inet proto tcp from any to egress:0 port 53 tag dns
>> # match log (matches) inet proto udp from any to egress:0 port 53 tag dns
>>
>> pass inet proto icmp icmp-type { echoreq, unreach }
>> pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
>> pass in on egress inet proto udp from any to egress:0 port 53
>> pass in on egress inet proto tcp from any to egress:0 port { 53 80 443 }
>> # pass in on egress proto tcp from any to egress port 80 rdr-to 192.0.2.12 port 80
>> # pass in on egress proto tcp from any to egress port 443 rdr-to 192.0.2.12 port 443
>>
>> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
>>
>> pass out all
>>
>> match out on egress inet from $vm_net nat-to (egress)
>>
>> V/r,
>> Bryan
>>
>
> Your pf config is more complex than mine. Perhaps someone with more pf
> expertise can comment. Mine is pretty basic, just has a rule for the NAT
> for the VM traffic and a few other unrelated rules.
>
> -ml
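As an added example (not from the thread above), here is how the group-based rule fits into a minimal vmd host ruleset; the interface name vether0 and the network behind it are assumptions.

```pf
# Added example, not part of the original thread.
# pf has no interface wildcards (tap* is rejected), but every tap(4) that
# vmd creates joins the "tap" interface group automatically, so a rule on
# the group covers taps that do not exist yet when the ruleset is loaded.
vm_if  = "vether0"          # assumed bridge-side interface for the VMs
vm_net = $vm_if:network     # expands to the network configured on vether0

set skip on lo
block all
antispoof for egress
antispoof for $vm_if

# VM-side traffic: pass both directions on the vether group and on every
# current and future member of the tap group.
pass on { vether tap }

# VM traffic that leaves the host is still evaluated on egress, so the
# egress rules remain the boundary even if the VM-side rules are loose.
pass out on egress
match out on egress inet from $vm_net nat-to (egress)
```

Validate with `pfctl -nf /etc/pf.conf` before loading, and confirm which interfaces the rule currently applies to with `ifconfig -g tap` (or the `groups:` line of `ifconfig tap0`).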
