From 8685f3e73fff55920e357a8eb631f00a9a257813 Mon Sep 17 00:00:00 2001 From: Dante Catalfamo Date: Sun, 16 Aug 2020 17:07:11 -0400 Subject: gateway: more writing on pf rules --- content/posts/openbsd-vpn-gateway/index.org | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) (limited to 'content/posts') diff --git a/content/posts/openbsd-vpn-gateway/index.org b/content/posts/openbsd-vpn-gateway/index.org index c581f4c..efb1208 100644 --- a/content/posts/openbsd-vpn-gateway/index.org +++ b/content/posts/openbsd-vpn-gateway/index.org @@ -228,7 +228,7 @@ forward any packets it receives that aren't destined for any of its interfaces according to its routing table and firewall rules. -* PF +* PF Rules At this point, we're forwarding the incoming packets out the VPN tunnel, but they have no method to find their way back to us. This is because when we're forwarding them, they still have their LAN @@ -261,12 +261,13 @@ ##################################### ext_if = "vio0" + vpn_if = "tun0" pass in on $ext_if pass out on $ext_if from self # ($ext_if) - match out on tun0 from $ext_if:network to any nat-to (tun0) - pass out on tun0 + match out on $vpn_if from $ext_if:network to any nat-to ($vpn_if) + pass out on $vpn_if #+END_SRC Let's go through this line by line to see what's going 
@@ -288,3 +289,19 @@ purposes. The default =pf.conf= passes any traffic that isn't explicitly blocked. By commenting this line out we are inverting that. Everything is blocked unless we explicitly pass it. + + - =block return in on ! lo0 proto tcp to port 6000:6010= This is a + default rule, left in for security reasons. It stops other + machines from being able to reach our X Windows session, should we + be running one. + + - =block return out log proto {tcp udp} user _pbuild= This is + another default rule, left in for security reasons. It stops the + =_pbuild= user from accessing the internet. This is to stop ports + builds from accessing any resources online. + + - =ext_if = "vio0"= We use this macro to set the external interface + name. This is done so we only have to set the name of the + interface in one place, should we ever need to change it. + + - -- cgit v1.2.3
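Review bot: in the `@@ -261,12 +261,13 @@` hunk the stale `# ($ext_if)` comment is left trailing `pass out on $ext_if from self` after the new `vpn_if` macro is introduced; either remove it or say in the prose why `self` is used instead of `($ext_if)`. The macro name `ext_if` is also misleading for this setup, since `vio0` is the interface whose network (`$ext_if:network`) gets NATed out the tunnel, i.e. the LAN-facing side; `lan_if` would match what the surrounding text describes. The parentheses in `nat-to ($vpn_if)` are correct, because tun0's address is only known once the tunnel is up, and it would be worth mentioning that a `pfctl -nf /etc/pf.conf` run catches macro typos before the ruleset is loaded.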
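Review bot: the bullet list in the `@@ -288,3 +289,19 @@` hunk ends with an empty `- ` item and explains `ext_if = "vio0"` but not the `vpn_if = "tun0"` macro added in the same commit; either fill in that trailing item with the `vpn_if` explanation or drop it so the list does not end on a dangling bullet. For `block return out log proto {tcp udp} user _pbuild`, the description understates the rule: it blocks all outbound TCP and UDP from `_pbuild`, not only "the internet", and the `log` keyword records each blocked attempt to pflog0, which can be inspected with `tcpdump -n -e -ttt -i pflog0`; a sentence on that would make the "left in for security reasons" justification concrete.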