dch
Developer
I'm bridging my test bhyve VMs out the my normal LAN, via igb0 on my desktop.
I evidently need *some* pf changes to allow DHCP to work, but I have no idea
what I'm missing. The normal host system has no trouble getting its own DHCP
IP of course, via the same interface. When I disable pf, the VM gets DHCP and
can access the internet. Tips?
Here's the config, at present the VM is off so not added to the bridge.
I evidently need *some* pf changes to allow DHCP to work, but I have no idea
what I'm missing. The normal host system has no trouble getting its own DHCP
IP of course, via the same interface. When I disable pf, the VM gets DHCP and
can access the internet. Tips?
Here's the config, at present the VM is off so not added to the bridge.
Code:
# ifconfig
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=e501bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether ac:1f:6b:15:2d:78
inet6 fe80::ae1f:6bff:fe15:2d78%igb0 prefixlen 64 scopeid 0x1
inet 172.16.1.14 netmask 0xffffff00 broadcast 172.16.1.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=e505bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether ac:1f:6b:15:2d:79
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: vm-public
ether 02:37:62:ce:b3:00
nd6 options=1<PERFORMNUD>
groups: bridge
id 00:00:00:00:00:00 priority 0 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 1 priority 128 path cost 20000
Code:
# pf.conf
# /etc/pf.conf
# macros
protocols = "{ tcp, udp }"
# blocked_ports = "{ syslog, epmd, amqp, couchdb }"
blocked_ports = "{ syslog, amqp, couchdb }"
tcp_services = "{ domain, http, https, smtp, 2200, couchdb, amqp, 1978, 3389, 6600, 9000 }"
udp_services = "{ domain, 9993, 10001, 21027 }"
plex_ports = "{ 32400, 1900, 3005, 5353, 8324, 32469, 32410, 32412, 32413, 32414 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
# interfaces
extl_if = "igb0"
intl_if = "lo0"
jail_if = "lo1"
hive_if = "bridge0"
# networks
internet = $extl_if:network
intl_net = $intl_if:network
jail_net = $jail_if:network
hive_net = $hive_if:network
zero_net = "10.144.0.0/16"
local_net= "172.16.0.0/16"
# limits
# bigger state tables help erlang receive sockets faster
# https://blog.tyk.nu/blog/fun-with-freebsd-listen-queue-overflow/
set limit { states 200000, frags 40000, src-nodes 40000 }
set timeout { adaptive.start 180000, adaptive.end 200000 }
# trusted nets and devices
set skip on { $intl_if, $jail_if, $hive_if }
set skip on { $zero_if }
# tables
table <badhosts> persist file "/etc/pf.blocklist"
# clean packets are happy packets
scrub in all
# jails are allowed outbound connections but not inbound
# these should be set up explicitly using spiped or similar
nat on $extl_if proto $protocols from $jail_net to any -> ($extl_if:0)
nat on $extl_if proto $protocols from $zero_net to any -> ($extl_if:0)
# plex https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-
# block by default
block in log all
# but allow legit internal traffic
pass in quick on $extl_if proto { udp } from any to $extl_if port $udp_services
pass in quick on $extl_if proto { tcp } from any to $extl_if port $tcp_services
pass in quick on $extl_if from $local_net to $extl_if
pass in quick on $extl_if proto { udp, tcp } from $local_net to any port $plex_ports
pass in quick on $extl_if proto { udp, tcp } from $local_net to any port $udp_services
# you shall not pass
block drop in quick on $extl_if from $martians to any
block drop out quick on $extl_if from any to $martians
block drop in quick on $extl_if proto { udp, tcp } from any to any port $blocked_ports
# handle script kiddies and other nasties on demand
block drop in quick on $extl_if from <badhosts> to any
# o ye of little faith
# pass in log all
pass out all