PF configuration to use bastille containers and vm-bhyve simultaneously.

I am using bastille for jails, and the /etc/pf.conf used to look like this:
Code:
ext_if="wlan0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state

Now I was trying to get vm-bhyve to work, and the only way I could find to do it was like this:
Code:
ext_if="wlan0"
virt_net="10.0.0.0/24"
scrub all
nat on $ext_if from $virt_net to any -> ($ext_if)
pass log all

#ext_if="wlan0"
#set block-policy return
#scrub in on $ext_if all fragment reassemble
#set skip on lo
#table <jails> persist
#nat on $ext_if from <jails> to any -> ($ext_if:0)
#rdr-anchor "rdr/*"
#block in all
#pass out quick keep state
#antispoof for $ext_if inet
#pass in inet proto tcp from any to any port ssh flags S/SA keep state


As you can see, I had to comment out all of the bastille configuration. My question is: is there a way to combine these two in PF so that I can use vm-bhyve and bastille containers without having to comment one or the other out every single time?
 
I managed to combine both of them and did not get any errors when I restarted the PF service. This is what I have now:
Code:
### INTERFACES ###
ext_if="wlan0"
virt_net="10.0.0.0/24"

### SETTINGS ###
set block-policy return

### NORMALISATION ###
scrub all

### TABLES ###
table <jails> persist
table <ssh_allowed> persist

### NAT RULES ###
nat on $ext_if from $virt_net to any -> ($ext_if:0)
nat on $ext_if from <jails> to any -> ($ext_if:0)

### Traffic Redirection ###
rdr-anchor "rdr/*"

### RULES ###
set skip on lo0

block in all

# DEBUG: RULES FOR VMM
pass log all

pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state

This PF configuration mostly works, except that from the bhyve guest I can ping the host and reach the internet, but I can't ping the bhyve guest from the host.
 
I think your block in all is blocking things coming from bhyve. Do you have an interface or alias on the host that’s part of that network? What is the output of ifconfig?
I would start with the following in your commented-out block and then start tightening things up further from there:

Code:
block in all
pass in from $virt_net keep state # not 100% sure syntax is right but you get the idea
# add your ssh line back as well
 
This is the output of ifconfig:
Code:
% ifconfig
em0: flags=8822<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=481249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER,NOMAP>
    ether 54:ee:75:32:0e:91
    media: Ethernet autoselect
    status: no carrier
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether e8:b1:fc:d2:b4:1e
    inet 192.168.1. netmask 0xffffff00 broadcast 192.168.1.255
    groups: wlan
    ssid /dev/null channel 153 (5765 MHz 11a) bssid 10:da:43:cc:a0:3d
    regdomain FCC country US authmode WPA2/802.11i privacy ON
    deftxkey UNDEF AES-CCM 2:128-bit txpower 23 bmiss 10 mcastrate 6
    mgmtrate 6 scanvalid 60 wme roaming MANUAL
    parent interface: iwm0
    media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11a
    status: associated
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bastille0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vm-public: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 7e:e0:1b:8d:71:8b
    inet 10.10.0.1 netmask 0xffff0000 broadcast 10.10.0.255
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: tap0 flags=943<LEARNING,DISCOVER,PRIVATE,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 6 priority 128 path cost 2000000
    member: wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 3 priority 128 path cost 370370
    groups: bridge vm-switch viid-4c918@
    nd6 options=9<PERFORMNUD,IFDISABLED>
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    description: vmnet/Windows10/0/public
    options=80000<LINKSTATE>
    ether 58:9c:fc:10:ff:e0
    groups: tap vm-port
    media: Ethernet autoselect
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    Opened by PID 2039
 
The second configuration is correct. I couldn't ping the guest because Windows disables ping by default. As soon as I disabled the Windows firewall on the guest I was able to ping.
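A tighter combined /etc/pf.conf, added here as an example and not the configuration of anyone in the thread. It follows the earlier suggestion of keeping "block in all" and passing traffic explicitly on the VM switch instead of the catch-all "pass log all": pf is last-match wins unless a rule says quick, and "pass log all" matches every packet and sits after the block, so in the combined config above the block and the ssh rule have no effect at all. The example assumes the vm-bhyve switch bridge is named vm-public and carries 10.10.0.1 with netmask 0xffff0000 as in the ifconfig output, so $virt_net is set to 10.10.0.0/16 rather than the 10.0.0.0/24 used above (a NAT rule for 10.0.0.0/24 would not match guests on that bridge); adjust both to your own setup. "set skip on lo" covers lo0 and bastille0 together because both are in interface group lo, and the sections are in the order pf.conf(5) documents (options, normalisation, translation, filtering).

```pf
### INTERFACES ###
ext_if="wlan0"
vm_if="vm-public"         # assumption: the vm-bhyve switch bridge from the ifconfig output
virt_net="10.10.0.0/16"   # assumption: the network configured on vm-public (10.10.0.1/0xffff0000)

### SETTINGS ###
set block-policy return
set skip on lo            # interface group "lo": lo0 and bastille0

### NORMALISATION ###
scrub in on $ext_if all fragment reassemble

### TABLES ###
table <jails> persist

### NAT RULES ###
# Jails and VM guests both leave through the first address on the wireless interface
nat on $ext_if from $virt_net to any -> ($ext_if:0)
nat on $ext_if from <jails> to any -> ($ext_if:0)

### Traffic Redirection ###
# bastille loads its rdr rules into this anchor
rdr-anchor "rdr/*"

### RULES ###
# Default deny inbound; "log" makes the drops visible on pflog0 while tightening
block in log all
antispoof for $ext_if inet

# Guests on the VM switch may reach the host and, through the NAT rule above, the internet
pass in on $vm_if inet from $virt_net to any keep state

# Host-originated traffic (including ping to a guest) creates state that lets the replies back in
pass out quick keep state

# SSH to the host; restrict the source to a table or network once it is known
pass in on $ext_if inet proto tcp from any to any port ssh flags S/SA keep state
```

Check it with "pfctl -nf /etc/pf.conf" (parse only) before "service pf reload"; "pfctl -sr" shows the rules pf actually loaded, including the two block rules that antispoof expands to, and "tcpdump -n -e -ttt -i pflog0" shows exactly what the logged block rule is still dropping, which is the point at which to add further pass rules rather than reaching for "pass log all".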
 