Solved Questions about pf rules

I have the following PF rules, with bhyve as guest and FreeBSD 11.1 Pre-release as the host:
Code:
####Interfaces
ext_if="igb0"
bhyve_if_jenkins="bridge0"

####IP Assignment
IP_PUB="163.245.253.15"
# Address of the Jenkins guest, used as the rdr target below. The posted ruleset
# referenced $IP_BHYVE_JENKINS without defining it; replace the placeholder with
# the guest's address inside $NET_BHYVE_JENKINS or pfctl refuses to load the file.
IP_BHYVE_JENKINS="<jenkins-guest-ip>"

###Jail Network
NET_BHYVE_JENKINS="172.16.0.0/24"

###PORT
PORT_JENKINS="{80,443,4242,8080,3389}"
PORT_HOST = "{ssh,5901}"
# $PORT_DNS was referenced by the DNS rules below but never defined in the posted ruleset
PORT_DNS="domain"
icmp_types = "{ echoreq, unreach }"

################ Options ######################################################
### Misc Options
 set skip on lo
 set debug urgent
 set block-policy drop
 set loginterface $ext_if
 set state-policy if-bound
 set fingerprints "/etc/pf.os"
 set ruleset-optimization none

### Timeout Options
# set optimization normal
# set timeout { tcp.closing 60, tcp.established 7200}


################ Queueing ####################################################


################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub     log on $ext_if all reassemble tcp fragment reassemble

# nat all bhyve traffic
nat pass on $ext_if from $NET_BHYVE_JENKINS to any -> ($ext_if)

# redirect bhyve jenkins port traffic
rdr pass on $ext_if proto tcp from any to ($ext_if) port $PORT_JENKINS -> $IP_BHYVE_JENKINS

## Antispoof
antispoof for ($ext_if) inet

#Block ALL
block log on $ext_if

#Block port DNS
block in quick inet proto { tcp, udp } from any to ($ext_if) port 53

## allow icmp request types specified by $icmp_types
pass in inet proto icmp all icmp-type $icmp_types
#Allow SSH
pass in quick on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port $PORT_HOST flags S/SA keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to !($ext_if) port $PORT_HOST flags S/SA keep state
#DNS
pass out quick on $ext_if inet proto tcp from ($ext_if) to !($ext_if) port $PORT_DNS flags S/SA keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to !($ext_if) port $PORT_DNS

## Block NMAP
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FUP

The questions are: why, when reloading the pf rules, does the ssh access get disconnected? The rules were reloaded with service pf reload.

Second question is: why do I need to reload each time I have rebooted?

Here is dmesg -a of a boot :
Code:
uhub4: 6 ports with 6 removable, self powered
[9] Setting hostuuid: 4c4c4544-0056-4e10-804c-c2c04f594a32.
[9] Setting hostid: 0x5a71507c.
[9] Starting file system checks:
[9] Mounting local filesystems:.
[11] ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/gcc48 /usr/local/lib/perl5/5.24/mach/CORE
[11] 32-bit compatibility ldconfig path: /usr/lib32
[11] Setting up harvesting: [UMA],[FS_ATIME],SWI,INTERRUPT,NET_NG,NET_ETHER,NET_TUN,MOUSE,KEYBOARD,ATTACH,CACHED
[11] Feeding entropy: .
[12] Starting dhclient.
[12] igb0: no link ......
[15] igb0: link state changed to UP
[16]  got link
[16] DHCPREQUEST on igb0 to 255.255.255.255 port 67
[16] DHCPACK from 163.245.253.1
[16] bound to 163.245.253.15 -- renewal in 2147483647 seconds.
[18] Starting Network: lo0 ix0 ix1 igb0 igb1.
[18] lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
[18]    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
[18]    inet6 ::1 prefixlen 128
[18]    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
[18]    inet 127.0.0.1 netmask 0xff000000
[18]    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
[18]    groups: lo
[18] ix0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
[18]    options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
[18]    ether a0:36:9f:e2:a5:dc
[18]    hwaddr a0:36:9f:e2:a5:dc
[18]    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
[18]    media: Ethernet autoselect
[18]    status: no carrier
[18] ix1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
[18]    options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
[18]    ether a0:36:9f:e2:a5:de
[18]    hwaddr a0:36:9f:e2:a5:de
[18]    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
[18]    media: Ethernet autoselect
[18]    status: no carrier
[18] igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
[18]    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
[18]    ether 18:66:da:8e:52:9d
[18]    hwaddr 18:66:da:8e:52:9d
[18]    inet 163.245.253.15 netmask 0xffffff00 broadcast 163.172.253.255
[18]    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
[18]    media: Ethernet autoselect (1000baseT <full-duplex>)
[18]    status: active
[18] igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
[18]    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
[18]    ether 18:66:da:8e:52:9e
[18]    hwaddr 18:66:da:8e:52:9e
[18]    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
[18]    media: Ethernet autoselect
[18]    status: no carrier
[18] Starting devd.
[19] Starting Network: ix0.
[19] ix0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
[19]    options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
[19]    ether a0:36:9f:e2:a5:dc
[19]    hwaddr a0:36:9f:e2:a5:dc
[19]    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
[19]    media: Ethernet autoselect
[19]    status: no carrier
[19] Starting Network: ix1.
[19] ix1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
[19]    options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
[19]    ether a0:36:9f:e2:a5:de
[19]    hwaddr a0:36:9f:e2:a5:de
[19]    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
[19]    media: Ethernet autoselect
[19]    status: no carrier
[19] Starting Network: igb1.
[19] igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
[19]    options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
[19]    ether 18:66:da:8e:52:9e
[19]    hwaddr 18:66:da:8e:52:9e
[19]    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
[19]    media: Ethernet autoselect
[19]    status: no carrier
[19] Starting pflog.
[19] pflog0: promiscuous mode enabled
[19] Jun  6 22:36:12 pflogd[65058]: [priv]: msg PRIV_OPEN_LOG received
[19] Enabling pf.
[19] add host 127.0.0.1: gateway lo0 fib 0: route already in table
[19] Additional inet routing options: gateway=YES.
[19] add host ::1: gateway lo0 fib 0: route already in table
[19] add net fe80::: gateway ::1
[19] add net ff02::: gateway ::1
[19] add net ::ffff:0.0.0.0: gateway ::1
[19] add net ::0.0.0.0: gateway ::1
[20] Creating and/or trimming log files.
[20] Starting syslogd.
[20] grep: /var/run/dmesg.boot: No such file or directory
[20] grep: /var/run/dmesg.boot: No such file or directory
[21] bridge0: Ethernet address: 02:5a:71:50:7c:00
[21] grep: /var/run/dmesg.boot: No such file or directory
[21] grep: /var/run/dmesg.boot: No such file or directory
[21] Clearing /tmp (X related).
[21] Starting dnsmasq.
[23] Updating motd:.
[23] Mounting late filesystems:.
[23] Configuring vt: blanktime.
[23] Performing sanity check on sshd configuration.
[23] Starting sshd.
[23] Starting sendmail_submit.
[23] Starting sendmail_msp_queue.
[23] Starting cron.
[24] Starting background file system checks in 60 seconds.
[71] tap0: Ethernet address: 00:bd:f7:ec:f7:00
[71] bridge0: link state changed to DOWN
[71] tap0: promiscuous mode enabled
[72] tap0: link state changed to UP
[72] bridge0: link state changed to UP

igb0 already has ifconfig_igb0="SYNCDHCP" in rc.conf.

Do I need to modify the rcorder of /etc/rc.d/pf so that it starts after NETWORKING?
 
Found out that it's working as it should: pf does reload fine, but vm-bhyve automatically added a new rule and broke the reload.
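Added example, not part of the original post or of vm-bhyve: a small POSIX sh lint that catches the kind of defect present in the posted ruleset (macros such as $IP_BHYVE_JENKINS and $PORT_DNS that are referenced but never defined) before a reload is attempted, and that runs pfctl's parse-only mode (pfctl -n -f) when pfctl is installed. The sample ruleset it writes is constructed for the demonstration; the function names pf_undefined_macros, pf_check and make_sample_conf are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint a pf.conf before reloading it.
# 1. list macros that are referenced as $name but never defined as name="..."
# 2. if pfctl is present, parse the file without loading it (pfctl -n -f)

# Print every macro referenced in $1 that has no definition, one per line.
# Note: this check is order-agnostic; pfctl itself also requires a macro to be
# defined before the line that uses it.
pf_undefined_macros() {
    conf="$1"
    # Definitions: "name = value" at line start; comments are stripped first.
    defined=$(sed 's/#.*//' "$conf" \
        | grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' \
        | sed -E 's/^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*).*/\1/' \
        | sort -u)
    # References: every $name token outside comments.
    referenced=$(sed 's/#.*//' "$conf" \
        | grep -oE '\$[A-Za-z_][A-Za-z0-9_]*' \
        | sed 's/^\$//' \
        | sort -u)
    for m in $referenced; do
        printf '%s\n' "$defined" | grep -qx "$m" || printf '%s\n' "$m"
    done
    return 0
}

# Run the macro lint and, when pfctl exists, a parse-only load of the file.
# Returns 1 if any macro is undefined or pfctl rejects the ruleset, else 0.
pf_check() {
    conf="$1"
    missing=$(pf_undefined_macros "$conf")
    if [ -n "$missing" ]; then
        printf 'undefined macro(s) in %s:\n%s\n' "$conf" "$missing" >&2
        return 1
    fi
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -n -f "$conf" || return 1
    fi
    return 0
}

# Constructed sample ruleset (modelled on the posted one): IP_BHYVE_JENKINS and
# PORT_DNS are referenced but never defined. Writes a temp file, prints its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ext_if="igb0"
IP_PUB="163.245.253.15"
NET_BHYVE_JENKINS="172.16.0.0/24"
PORT_JENKINS="{80,443,4242,8080,3389}"
PORT_HOST = "{ssh,5901}"
# nat all bhyve traffic
nat pass on $ext_if from $NET_BHYVE_JENKINS to any -> ($ext_if)
rdr pass on $ext_if proto tcp from any to ($ext_if) port $PORT_JENKINS -> $IP_BHYVE_JENKINS
pass out quick on $ext_if inet proto udp from ($ext_if) to !($ext_if) port $PORT_DNS
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: lint the sample, report, then clean up.
sample=$(make_sample_conf)
pf_check "$sample" || printf 'fix the ruleset before running: service pf reload\n' >&2
rm -f "$sample"
```

Run it against the real file with pf_check /etc/pf.conf before service pf reload; on a FreeBSD host the pfctl dry run also reports syntax errors and out-of-order macro definitions that the grep-based lint does not see.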
 