To start, I have looked this up and I have tried the suggestions here on the forums with no luck. I'm running FreeBSD 12.0 and using sysutils/vm-bhyve to do my vm management.
My main interface: em0
My switch: vm-public
My PF firewall rules:
Code:
ext_if="em0"
# Macros to define the set of TCP and UDP ports to open.
# Add additional ports or ranges separated by commas.
tcp_services = "{1022, 22}"
udp_services = "{1900, 5353, 32410, 32412, 32413, 32414, 25565}"
dhcp = "{ 67, 68 }"
# If you block all ICMP requests you will break things like path MTU
# discovery. These macros define allowed ICMP types. The additional
# ICMPv6 types are for neighbor discovery (RFC 4861)
icmp_types = "{echoreq, unreach}"
# Modulate the initial sequence number of TCP packets.
# Broken operating systems sometimes don't randomize this number,
# making it guessable.
tcp_state="flags S/SA keep state"
udp_state="keep state"
# Don't send rejections. Just drop.
set block-policy drop
# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on { lo0, vm-public }
# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $ext_if all fragment reassemble
# Allow bhyve VMs
pass in quick on vm-public all
pass in quick on vm-public proto udp from any port $dhcp to any port $dhcp
pass out quick on vm-public proto udp from any port $dhcp to any port $dhcp
###############################################
# set a default deny policy.
block in log all
# This is a desktop so be permissive in allowing outgoing connections.
pass out quick modulate state
# Enable antispoofing on the external interface
antispoof for $ext_if inet
# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any
# drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255
# Allow the services defined in the macros at the top of the file
pass in on $ext_if inet proto tcp from any to any port $tcp_services $tcp_state
pass in on $ext_if inet proto udp from any to any port $udp_services $udp_state
# Allow ICMP
pass inet proto icmp all icmp-type $icmp_types keep state
To my understanding, the pass in quick on vm-public all should do the trick but alas, no luck. Thoughts?
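As an added example (not part of the original post), a small Python lint, constructed here, that reads the interface-relevant lines of the ruleset above and reports filter rules bound to an interface that `set skip on` exempts. pf does not evaluate any rule on a skipped interface, so such rules can never match, which is the first thing to check when a `pass ... on <iface>` rule seems to have no effect. The rule keywords and regexes are this example's own simplification of pf.conf syntax, not a full parser.

```python
import re

# Constructed sample: the interface-relevant lines of the pf.conf posted above.
PF_CONF = """\
ext_if="em0"
set skip on { lo0, vm-public }
pass in quick on vm-public all
pass in quick on vm-public proto udp from any port 67 to any port 68
pass out quick on vm-public proto udp from any port 67 to any port 68
block in log all
antispoof for $ext_if inet
pass in on $ext_if inet proto tcp from any to any port 22
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
SKIP_RE = re.compile(r'^set\s+skip\s+on\s+(.+)$')
# An interface spec is either a brace list or a single (possibly macro) name.
IFSPEC = r'(\{[^}]*\}|\$?[\w.-]+)'
ON_RE = re.compile(r'\bon\s+' + IFSPEC)
FOR_RE = re.compile(r'\bfor\s+' + IFSPEC)   # antispoof uses "for", not "on"
RULE_KEYWORDS = ("pass", "block", "match", "scrub", "antispoof")


def parse_iflist(spec, macros):
    """Turn 'em0', '$ext_if' or '{ lo0, vm-public }' into a list of interface names."""
    names = [n for n in re.split(r"[,\s]+", spec.strip().strip("{}")) if n]
    return [macros.get(n[1:], n) if n.startswith("$") else n for n in names]


def unreachable_rules(conf):
    """Return (lineno, rule, skipped_ifaces) for each filter rule bound to an interface
    that 'set skip on' exempts: pf does not evaluate rules on a skipped interface."""
    macros, skipped, rules = {}, set(), []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if m := MACRO_RE.match(line):
            macros[m.group(1)] = m.group(2)
        elif m := SKIP_RE.match(line):
            skipped.update(parse_iflist(m.group(1), macros))
        elif line.split()[0] in RULE_KEYWORDS:
            rules.append((lineno, line))
    findings = []
    for lineno, rule in rules:
        m = ON_RE.search(rule) or FOR_RE.search(rule)
        if m:
            dead = [i for i in parse_iflist(m.group(1), macros) if i in skipped]
            if dead:
                findings.append((lineno, rule, dead))
    return findings
```

Running `unreachable_rules(PF_CONF)` flags the three `vm-public` rules and leaves the `em0` rules alone; `pfctl -nf /etc/pf.conf` would accept the file without complaint, because unreachable rules are not a syntax error.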