PF Centralize PF for all the VMs on the host machine, or separate PFs for each VM?

Hello.

I'm preparing to manage a few VMs under FreeBSD bhyve, and focusing on implementing a good set of PF rules on the main host machine.

I wanted to ask for your opinions: is it wise to have a rule like

pass in/out quick on vm-publicswitch all (vm-publicswitch containing all the IP ranges of my VMs)

to allow everything going to the VMs and coming from the VMs, and to manage the restrictive rules within each VM individually (PF on each VM)?

Or would you guys suggest that I do everything in the main host's PF?

I'd like to learn which one is the better and more stable approach:
managing all firewall rules on the main host, or delegating some responsibilities to the VMs themselves?

P.S.: Using NAT here:
nat on $ext_if from {$vm_network} to any -> ($ext_if:0)
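As an added illustration (not the poster's configuration), this is what the second approach could look like in the host's /etc/pf.conf: the host keeps a baseline that a guest cannot widen, and each VM's own PF can only tighten it further. The interface name em0, the 192.0.2.0/24 guest range and the VM addresses are assumptions.

```pf
# Host-side /etc/pf.conf for a bhyve host (added example; em0, the
# 192.0.2.0/24 range and the VM addresses are constructed values).
ext_if = "em0"
vm_if  = "vm-publicswitch"
vm_net = "192.0.2.0/24"

# Which guest runs which service is decided here, on the host,
# so a compromised guest cannot expose more than it was given.
table <web_vms>  { 192.0.2.10, 192.0.2.11 }
table <mail_vms> { 192.0.2.20 }

set skip on lo0
scrub in all

# Redirect public service ports to the guests, then masquerade guest
# traffic leaving the box (same NAT rule as in the post).
rdr on $ext_if proto tcp to port { 80 443 }    -> <web_vms> round-robin
rdr on $ext_if proto tcp to port { 25 465 587 } -> <mail_vms>
nat on $ext_if from $vm_net to any -> ($ext_if:0)

# Default deny; log what is dropped so guest misbehaviour is visible.
block log all
antispoof log quick for { $ext_if $vm_if }

# Approach 1 from the post: trust the guests' own firewalls entirely.
# With this rule active the host enforces nothing on the VM bridge.
# pass quick on $vm_if all

# Approach 2: host baseline. Guests may talk out, but only from
# addresses that are really theirs; everything else on the bridge
# falls through to the block above.
pass in quick on $vm_if from $vm_net to any

# Inbound from the Internet reaches only the redirected service ports
# (filter rules see the post-rdr guest address).
pass in on $ext_if proto tcp to <web_vms>  port { 80 443 }
pass in on $ext_if proto tcp to <mail_vms> port { 25 465 587 }

# Guest management (SSH) only from the host itself.
pass out on $vm_if proto tcp from self to $vm_net port 22

# Let host-originated and NAT'd guest traffic leave, and forwarded
# inbound sessions reach the guests.
pass out on $ext_if
pass out on $vm_if to $vm_net
```

Each guest can still run its own PF for service-specific rules, but the host decides the outer boundary, so a rule added inside a VM cannot open a port the host never redirected.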