From: Carlos López Martínez <clopmz@outlook.com>
To: questions@freebsd.org
Date: Tue, 23 Aug 2022 08:16:26 +0200
Subject: Problems between pf in FreeBSD 13 and WireGuard
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Hi all,

I have a problem between pf rules and WireGuard connections that I can't understand. First my pf rules:

prodif = "vtnet0"
pubif = "vtnet1"
mgmtif = "vtnet2"
ctfif = "vtnet3"
dmzif = "vtnet4"
wgif = "wg0"

int_ifs = "{" $prodif $mgmtif $ctfif $dmzif $wgif "}"

set skip on { lo wg0 }
set block-policy drop
set state-policy if-bound
set loginterface egress
set timeout { tcp.established 7200, tcp.closing 60 }

# Scrubbing rules
scrub in all random-id fragment reassemble no-df max-mss 1440

nat on egress from to ! -> (egress:0)

no nat
no rdr

# Spoofing protection for all network interfaces.
block in log from no-route label "Deny non-routeable traffic rule"
block in log quick from urpf-failed label "Deny failed uRPF check rule"

# Default blocking all traffic in on all network interfaces
block return in log on $int_ifs label "Deny incoming traffic on $if"

# Deny all rest of packets with logging
block log all

# Allow ICMP requests to check default route
pass out on egress inet proto icmp from (self) icmp-type echoreq label "Allow ICMP requests for public interface"

...........................................................

pass in quick on $wgif inet proto { tcp udp icmp } from to any label "Allow access to $dstaddr from $srcaddr"

pass out on $prodif

With these rules, I can access FreeBSD via ssh, but I cannot access any other host in the network. Connections are always dropped by the rule "block log all" ... and I don't understand why ... Maybe a bug? Or do I need to enable some option on the WireGuard side?

--
Best regards,
C. L. Martinez
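Added here as an example (not the poster's or FreeBSD's code): a small Python linter that expands pf.conf macros and flags every filter rule whose `on` clause names an interface that also appears under `set skip on`, since pf does not evaluate filter rules for packets on a skipped interface. In the ruleset above, wg0 is listed under `set skip` and is also the interface of `pass in quick on $wgif` and of the `$int_ifs` block rule, so both are reported. The sample ruleset is constructed from the post, with the table names the post lost replaced by `any`.

```python
import re

# Constructed sample (not the poster's full ruleset): the macros and rules
# from the post that matter here, with the lost table names replaced by "any".
SAMPLE_PF_CONF = """\
prodif = "vtnet0"
mgmtif = "vtnet2"
wgif = "wg0"
int_ifs = "{" $prodif $mgmtif $wgif "}"
set skip on { lo wg0 }
block return in log on $int_ifs label "Deny incoming traffic on $if"
block log all
pass in quick on $wgif inet proto { tcp udp icmp } from any to any
pass out on $prodif
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*(.+?)\s*$')
SKIP_RE = re.compile(r'^set skip on\s+(\{[^}]*\}|\S+)')
RULE_RE = re.compile(r'^(pass|block|match)\b.*?\bon\s+(\{[^}]*\}|\S+)')

def expand(s, macros):
    """Substitute $name with its macro value and drop pf's quote characters."""
    s = re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), s)
    return s.replace('"', '')

def ifaces(spec):
    """Turn 'vtnet0' or '{ lo wg0 }' into the set of names it lists."""
    return set(re.findall(r'[\w.]+', spec))

def dead_rules(conf):
    """Return (line_no, skipped_ifaces, rule) for each filter rule whose 'on'
    clause names an interface under 'set skip on': pf never evaluates it there."""
    macros, skipped, found = {}, set(), []
    lines = [l.strip() for l in conf.splitlines()]
    for line in lines:                     # pass 1: macros and the skip list
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = expand(m.group(2), macros)
        elif (m := SKIP_RE.match(expand(line, macros))):
            skipped |= ifaces(m.group(1))
    for no, line in enumerate(lines, 1):   # pass 2: rules bound to a skipped iface
        m = RULE_RE.match(expand(line, macros))
        if m and (overlap := ifaces(m.group(2)) & skipped):
            found.append((no, sorted(overlap), line))
    return found
```

The check is order-independent, as pf itself is: `set skip on` applies to the whole file wherever it appears.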