On Mon, Aug 28, 2017 at 09:35:52PM -0400, Bryan Harris wrote:
> Somehow this thread gave me the idea to try:
>
> pass on { vether* tap* }
>
> Which did not work. But it led to the idea to use the group names:
>
> pass on { vether tap }
>
> Which does work. It's funny because I like using group names (like
> egress) and I noticed earlier today that all taps are in a group
> called tap, but I never connected the dots.
>
> V/r,
> Bryan
>
Thanks, glad to see you got it working.

-ml

> On Mon, Aug 28, 2017 at 6:52 PM, Mike Larkin <mlar...@azathoth.net> wrote:
> > On Mon, Aug 28, 2017 at 06:48:20PM -0400, Bryan Harris wrote:
> >> On Mon, Aug 28, 2017 at 6:18 PM, Mike Larkin <mlar...@azathoth.net> wrote:
> >> > On Mon, Aug 28, 2017 at 06:03:16PM -0400, Bryan Harris wrote:
> >>
> >> >> If the vio is connected to the virtual switch, and the switch is
> >> >
> >> > But the vio(4) interface isn't visible to the host. So what you said
> >> > there doesn't make sense. It's connected to the switch *via* the
> >> > corresponding tap interface on the host.
> >>
> >> I think I understand now.
> >>
> >> >> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
> >> >
> >> > what about just:
> >> >
> >> > pass
> >>
> >> Does that allow traffic to come in on the egress? I want to have
> >> normal traffic rules that are "more safe than nothing" during the
> >> learning process. But I also want to pass the VM traffic so that I
> >> can experiment with things in the VM without the worry that I made a
> >> pf.conf mistake.
> >>
> >> ssh_nets="{ <home, work, stuff like that goes here> }"
> >> vm_if = "vether0"
> >> vm_net = $vm_if:network
> >>
> >> block all
> >> set skip on lo
> >> antispoof for egress
> >> antispoof for $vm_if
> >> match in all scrub (no-df max-mss 1440)
> >>
> >> # match in log (matches) on $vm_if from $vm_net tag localnet
> >> # match log (matches) inet proto tcp from any to egress:0 port 53 tag dns
> >> # match log (matches) inet proto udp from any to egress:0 port 53 tag dns
> >>
> >> pass inet proto icmp icmp-type { echoreq, unreach }
> >> pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
> >> pass in on egress inet proto udp from any to egress:0 port 53
> >> pass in on egress inet proto tcp from any to egress:0 port { 53 80 443 }
> >> # pass in on egress proto tcp from any to egress port 80 rdr-to 192.0.2.12 port 80
> >> # pass in on egress proto tcp from any to egress port 443 rdr-to 192.0.2.12 port 443
> >>
> >> pass on { vether0 tap0 tap1 tap2 tap3 tap4 tap5 tap6 tap7 tap8 tap9 }
> >>
> >> pass out all
> >>
> >> match out on egress inet from $vm_net nat-to (egress)
> >>
> >> V/r,
> >> Bryan
> >>
> >
> > Your pf config is more complex than mine. Perhaps someone with more pf
> > expertise can comment. Mine is pretty basic, just has a rule for the NAT
> > for the VM traffic and a few other unrelated rules.
> >
> > -ml
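For reference, here is an added pf.conf example that applies the group-name approach Bryan arrived at; it is an editorial addition, not Bryan's or Mike's ruleset and not anything shipped with vmd. The management range in ssh_nets and the use of vether0 as the VM-side interface are assumptions. The point it demonstrates beyond the thread: an interface group in a rule is matched per packet against the interfaces that are in the group at that moment, so taps that vmd creates after the ruleset is loaded are covered without a reload, and antispoof is given "quick" so that the broad pass on the VM groups cannot override it under pf's last-matching-rule semantics.

```pf
# Added example, not from the thread. Assumed: vether0 is the host side
# of the VM switch and "egress" (the automatic group for interfaces
# holding the default route) is the outside.
ssh_nets = "{ 192.0.2.0/24 }"      # assumed management network
vm_if    = "vether0"
vm_net   = $vm_if:network

set skip on lo

block all

# pf applies the last matching rule unless a rule says "quick". With
# "quick" these spoof checks are final, so the broad pass on the VM
# groups further down cannot pass a packet that claims a host or VM
# address from the wrong interface.
antispoof quick for egress
antispoof quick for $vm_if

match in all scrub (no-df max-mss 1440)

# Group names rather than interface names: "tap" matches every tap(4)
# and "vether" every vether(4) on the host. Membership is evaluated
# per packet, so a tap that vmd creates later is covered as soon as it
# exists; no pfctl -f is needed.
pass on { vether tap }

pass inet proto icmp icmp-type { echoreq, unreach }
pass in on egress inet proto tcp from $ssh_nets to egress:0 port 22
pass out all

# Masquerade VM traffic leaving through the default-route interface.
match out on egress inet from $vm_net nat-to (egress)
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it, and `ifconfig tap` or `ifconfig vether` (ifconfig accepts a group name and lists its members) shows which interfaces the group rule currently covers. Note that `pass on { vether tap }` is deliberately broad: it passes traffic in both directions on those interfaces, including VM traffic addressed to the host itself, so once the learning phase is over it should be narrowed to the directions and services the VMs actually need.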