From 8685f3e73fff55920e357a8eb631f00a9a257813 Mon Sep 17 00:00:00 2001
From: Dante Catalfamo
Date: Sun, 16 Aug 2020 17:07:11 -0400
Subject: gateway: more writing on pf rules

---
 content/posts/openbsd-vpn-gateway/index.org | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org
index c581f4c..efb1208 100644
--- a/content/posts/openbsd-vpn-gateway/index.org
+++ b/content/posts/openbsd-vpn-gateway/index.org
@@ -228,7 +228,7 @@
   forward any packets it receives that aren't destined for any of its
   interfaces according to its routing table and firewall rules.
 
-* PF
+* PF Rules
   At this point, we're forwarding the incoming packets out the VPN
   tunnel, but they have no method to find their way back to us. This
   is because when we're forwarding them, they still have their LAN
@@ -261,12 +261,13 @@
   #####################################
 
   ext_if = "vio0"
+  vpn_if = "tun0"
 
   pass in on $ext_if
   pass out on $ext_if from self # ($ext_if)
 
-  match out on tun0 from $ext_if:network to any nat-to (tun0)
-  pass out on tun0
+  match out on $vpn_if from $ext_if:network to any nat-to ($vpn_if)
+  pass out on $vpn_if
   #+END_SRC
 
   Let's go through this line by line to see what's going
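Review bot: the new `vpn_if` macro is introduced here but the line-by-line walkthrough that follows only documents `ext_if`; add a matching bullet for `vpn_if` (e.g. `=vpn_if = "tun0"= The tunnel interface the VPN client creates`) so the reader knows why `tun0` was factored out the same way `vio0` was. A short inline comment on the macro line itself would also help, since `tun0` is the one interface name in this file that is created at runtime rather than present at boot.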
@@ -288,3 +289,19 @@
     purposes. The default =pf.conf= passes any traffic that isn't
     explicitly blocked. By commenting this line out we are inverting
     that. Everything is blocked unless we explicitly pass it.
+
+  - =block return in on ! lo0 proto tcp to port 6000:6010= This is a
+    default rule, left in for security reasons. It stops other
+    machines from being able to reach our X Windows session, should we
+    be running one.
+
+  - =block return out log proto {tcp udp} user _pbuild= This is
+    another default rule, left in for security reasons. It stops the
+    =_pbuild= user from accessing the internet. This is to stop ports
+    builds from accessing any resources online.
+
+  - =ext_if = "vio0"= We use this macro to set the external interface
+    name. This is done so we only have to set the name of the
+    interface in one place, should we ever need to change it.
+
+  -
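Review bot: the hunk ends with an empty list item (`+  -`), which Org will render as a dangling bullet; either finish that entry or drop the line until the next bullet is written. In the `_pbuild` bullet, "stop ports builds from accessing any resources online" restates the preceding sentence; one sentence on what the rule blocks (outbound TCP/UDP from the `_pbuild` user) is enough. Consider also naming the service by its port range in the X11 bullet ("the X server's listening ports 6000-6010") so the reader can map the rule to the description.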
-- 