Create pre-cloned interface for VirtualBox

[Beeblebrox]

I start VirtualBox and load required kernel modules through script when I need to use it. My VBox guests use the Host-Only network model, which passes traffic through the virtual NIC vboxnet0. This is a clone of lo0 AFAIK.

The problem is that vboxnet0 does not get created until I start a VBox guest, and this prevents me from writing rules involving vboxnet0 into my firewall pf.conf. What's the solution to this? I thought of creating a dummy vboxnet0 so that PF sees it when system starts up, but I can't remember how to create such interface:

cloned_interfaces="vboxnet0"
ifconfig_vboxnet0="inet 192.168.56.1/28"

I also have some doubts about this method because seeing that vboxnet0 already exists, VirtualBox may decide to create vboxnet1. Does any one have alternate bright ideas?

 

[asteriskRoss]

You could use an anchor (see the anchors section in the pf.conf(5) man page) in your PF configuration file and add the vboxnet0 related rules to that with pfctl(8) after you start your Virtual Box guest. You could do this manually or using devd(8) you could configure devd.conf(5) to call pfctl(8) to add the rules automatically when the vboxnet0 device is attached and flush the rules from your anchor when it is detached.

Assuming you are blocking everything by default in your PF configuration, there would be no risk of unwanted traffic sneaking in or out before the rules came into effect.

 

[Beeblebrox]

Interesting idea. I'll have to do some reading about modifying pf rules through devd. Thanks.