I am now able to make it work, though it was through trial and error, so I'd appreciate any help in understanding why my solution works!
If my configuration is like this, it all works fine:

    block all
    pass out inet all keep state

    # Config to allow virtual Machine VMM to access the internet
    DNS_SERVER="8.8.8.8"
    match out on egress from 100.64.0.0/10 to any nat-to (egress)
    pass in proto { udp tcp } from 100.64.0.0/10 to any port domain rdr-to $DNS_SERVER port domain
    pass in on tap0 proto { udp tcp } from 100.64.0.0/10 to any port !=53

I had to add the last line. It makes sense that I had to allow a pass in on tap0: otherwise the virtual machine is not allowed to send messages to this interface at all. However, I am confused as to why I need to exclude port 53. I just noticed that if I use instead:

    pass in on tap0 proto { udp tcp } from 100.64.0.0/10

Then I can still access the internet, but DNS resolution will fail.

    dig google.com
    ;; communications error to 100.64.1.2#53: connection refused

If I exclude the port 53 (DNS port) then it works. Does anyone understand why?

@David: thanks for your questions. I am trying to achieve having internet connectivity in the virtual machine. And I am trying to understand why it does or does not work.

Thanks all,
Jake

>
> 04-psyche.tot...@icloud.com writes:
>
>> Hi all,
>>
>> I have setup a virtual machine on my openbsd box, following the guide
>> https://www.openbsd.org/faq/faq16.html#VMMnet
>>
>> I have trouble configuring pf to give the VM access to the internet.
>>
>> If my /etc/pf.conf contains the following lines, I don't have access to the
>> internet from the VM:
>>
>> ----------
>> block all
>> pass out inet all keep state
>>
>> # Config to allow virtual Machine VMM to access the internet
>> DNS_SERVER="8.8.8.8"
>> match out on egress from 100.64.0.0/10 to any nat-to (egress)
>> pass in proto { udp tcp } from 100.64.0.0/10 to any port domain rdr-to
>> $DNS_SERVER port domain
>> -----------
>
> Is this the entirety of /etc/pf.conf?
>
>>
>> However, if I comment out the first line (block all), or add a "pass in"
>> line then it works.
>>
>
> I'm far from a "pf person" let alone a "network person", but what are
> you trying to achieve with your config?
>
> The example /etc/examples/pf.conf starts with something like:
>
> block return # block stateless traffic
> pass # establish keep-state
>
> Why can't you start there?
>
>> Either is way too permissive though, what is the smallest "pass in" I should
>> add to allow it internet access?
>>
>> I tried "pass in to 100.64.0.0/10" but it does not work.
>>
>> Thank you!
>>
>> Jake
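The difference between the two variants of the tap0 rule follows from how pf evaluates a ruleset: unless a rule carries the `quick` keyword, every rule is evaluated and the last rule that matches a packet decides what happens to it (pf.conf(5)). The annotated ruleset below is an added illustration, not text posted in the thread; it traces the VM's DNS query (UDP from a 100.64.0.0/10 address to the host's tap address 100.64.1.2, port 53, as in the dig output above) through both forms of the last rule and shows `quick` as an alternative way to pin the redirect. The interface name tap0, the 100.64.0.0/10 range and the resolver 8.8.8.8 are taken from the thread; everything else is commentary.

```pf
# --- Variant A: the form that breaks DNS ---
block all
pass out inet all keep state

DNS_SERVER="8.8.8.8"
match out on egress from 100.64.0.0/10 to any nat-to (egress)

# Rule 1: matches the VM's query to 100.64.1.2:53 and would rewrite
# its destination to 8.8.8.8:53.
pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
    rdr-to $DNS_SERVER port domain

# Rule 2: ALSO matches that query (no port restriction) and is evaluated
# later, so it is the last matching rule and wins. It carries no rdr-to,
# so the query is delivered unchanged to 100.64.1.2:53 on the host, where
# no resolver listens: the host answers with port-unreachable and dig
# reports "connection refused". Non-DNS traffic only matches rule 2, is
# passed, and is NATed on the way out by the match rule, so the web works.
pass in on tap0 proto { udp tcp } from 100.64.0.0/10

# --- Variant B: the thread's working form (replace rule 2 with this) ---
# Port 53 is excluded, so for a DNS packet rule 1 is again the last
# matching rule and the redirect to $DNS_SERVER is applied.
# pass in on tap0 proto { udp tcp } from 100.64.0.0/10 to any port != 53

# --- Variant C: same result with "quick" ---
# "quick" ends evaluation at this rule for matching packets, so a later,
# broader pass rule can no longer override the redirect; the tap0 rule
# may then keep its broad form.
# pass in quick on tap0 proto { udp tcp } from 100.64.0.0/10 \
#     to any port domain rdr-to $DNS_SERVER port domain
# pass in on tap0 proto { udp tcp } from 100.64.0.0/10
```

To check which variant is loaded and in what order pf will evaluate it, `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -sr` prints the active rules in evaluation order, and `pfctl -ss` shows the state entries; after a VM-side `dig`, a state for `udp ... 100.64.1.2:53 (8.8.8.8:53)` confirms the redirect took effect, while a state without the rewritten address shows the broad tap0 rule won.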