Date: Tue, 23 Aug 2022 08:16:26 +0200
From: Carlos López Martínez <clopmz@outlook.com>
To: questions@freebsd.org
Subject: Problems between pf in FreeBSD 13 and WireGuard
Message-ID: <PRAP251MB05672A79A03A28AB4D027979DB709@PRAP251MB0567.EURP251.PROD.OUTLOOK.COM>
Hi all,

I have a problem between pf rules and WireGuard connections that I can't understand. First my pf rules:

prodif = "vtnet0"
pubif = "vtnet1"
mgmtif = "vtnet2"
ctfif = "vtnet3"
dmzif = "vtnet4"
wgif = "wg0"
int_ifs = "{" $prodif $mgmtif $ctfif $dmzif $wgif "}"

set skip on { lo wg0 }
set block-policy drop
set state-policy if-bound
set loginterface egress
set timeout { tcp.established 7200, tcp.closing 60 }

# Scrubbing rules
scrub in all random-id fragment reassemble no-df max-mss 1440

nat on egress from <internal_networks> to !<internal_networks> -> (egress:0)
no nat
no rdr

# Spoofing protection for all network interfaces.
block in log from no-route label "Deny non-routeable traffic rule"
block in log quick from urpf-failed label "Deny failed uRPF check rule"

# Default blocking all traffic in on all network interfaces
block return in log on $int_ifs label "Deny incmoming traffic on $if"

# Deny all rest of packets with logging
block log all

# Allow ICMP requests to check default route
pass out on egress inet proto icmp from (self) icmp-type echoreq label "Allow ICMP requests for public interface"

...........................................................

pass in quick on $wgif inet proto { tcp udp icmp } from <wg_admins> to any label "Allow access to $dstaddr from $srcaddr"
pass out on $prodif

With these rules, I can access FreeBSD via ssh, but I can not access any other host in the network. Connections are always dropped by rule "block log all" ... and I don't understand why ... Maybe a bug? Or do I need to enable some option on the WireGuard side?

-- 
Best regards,
C. L. Martinez
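The following is an added audit script, not part of the message above and not FreeBSD or WireGuard project code. It parses a pf.conf-style ruleset, expands the interface macros, and reports for every interface in the int_ifs list whether it is covered by "set skip", and whether any "pass in" / "pass out" rule names it. Two conditions are flagged: pass rules on an interface that pf skips (pf never evaluates rules or keeps state there, so such a rule is dead), and interfaces with no "pass out" rule, where forwarded traffic leaving through them can only reach the final "block log all". The embedded ruleset is a constructed copy of the one posted (the elided rules are omitted); the parser handles only the subset of pf syntax used there and is an assumption about how the ruleset would be read, not a substitute for pfctl.

```python
import re

# Constructed sample: the ruleset from the message, with the elided rules omitted.
SAMPLE_PF_CONF = """
prodif = "vtnet0"
pubif = "vtnet1"
mgmtif = "vtnet2"
ctfif = "vtnet3"
dmzif = "vtnet4"
wgif = "wg0"
int_ifs = "{" $prodif $mgmtif $ctfif $dmzif $wgif "}"
set skip on { lo wg0 }
set block-policy drop
set state-policy if-bound
set timeout { tcp.established 7200, tcp.closing 60 }
block return in log on $int_ifs label "Deny incoming traffic on $if"
block log all
pass out on egress inet proto icmp from (self) icmp-type echoreq label "Allow ICMP"
pass in quick on $wgif inet proto { tcp udp icmp } from <wg_admins> to any label "Allow wg admins"
pass out on $prodif
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+)$')
# Tokens: $macro references, braces, and bare words (interface names, tables, options).
TOKEN_RE = re.compile(r'\$\w+|[{}]|[\w.:()<>-]+')


def expand(tokens, macros):
    """Replace $macro tokens with their already-expanded values and drop list braces."""
    out = []
    for tok in tokens:
        if tok.startswith('$'):
            out.extend(macros[tok[1:]])  # KeyError means an undefined macro; pfctl rejects that too
        elif tok not in ('{', '}'):
            out.append(tok)
    return out


def parse_macros(text):
    """Collect 'name = value' macros in file order; later macros may reference earlier ones."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = expand(TOKEN_RE.findall(m.group(2).replace('"', ' ')), macros)
    return macros


def iflist_after_on(tokens, macros):
    """Interfaces named by an 'on X' or 'on { X Y }' clause, expanded; ['any'] if absent."""
    if 'on' not in tokens:
        return ['any']
    i = tokens.index('on') + 1
    if tokens[i] == '{':
        return expand(tokens[i + 1:tokens.index('}', i)], macros)
    return expand([tokens[i]], macros)


def parse_rules(text, macros):
    """Return (skipped interfaces, [(action, direction, quick, interfaces), ...])."""
    skipped, rules = set(), []
    for line in text.splitlines():
        # Strip comments and label strings; neither affects which packets a rule matches.
        line = re.sub(r'label\s+"[^"]*"', ' ', line.split('#', 1)[0])
        tokens = TOKEN_RE.findall(line)
        if not tokens:
            continue
        if tokens[:2] == ['set', 'skip']:
            skipped.update(iflist_after_on(tokens, macros))
        elif tokens[0] in ('pass', 'block'):
            direction = next((t for t in tokens if t in ('in', 'out')), 'any')
            rules.append((tokens[0], direction, 'quick' in tokens, iflist_after_on(tokens, macros)))
    return skipped, rules


def audit(text):
    """Per-interface coverage report for every interface listed in the int_ifs macro."""
    macros = parse_macros(text)
    skipped, rules = parse_rules(text, macros)
    report = {}
    for ifc in macros.get('int_ifs', []):
        pass_in = any(a == 'pass' and d == 'in' and ifc in ifs for a, d, _, ifs in rules)
        pass_out = any(a == 'pass' and d == 'out' and ifc in ifs for a, d, _, ifs in rules)
        findings = []
        if ifc in skipped:
            findings.append('in set skip: pf neither filters nor tracks state on this interface')
            if pass_in or pass_out:
                findings.append('pass rules naming a skipped interface never match')
        elif not pass_out:
            findings.append("no 'pass out' rule: forwarded traffic leaving here hits the final block")
        report[ifc] = {'skipped': ifc in skipped, 'pass_in': pass_in,
                       'pass_out': pass_out, 'findings': findings}
    return report


if __name__ == '__main__':
    for ifc, info in audit(SAMPLE_PF_CONF).items():
        print(ifc, info)
```

Run against the posted ruleset, the report shows wg0 as skipped (so its "pass in quick" rule is never consulted and no state is created there) and vtnet2, vtnet3 and vtnet4 without any "pass out" rule, while vtnet0 has one; with "set state-policy if-bound", a forwarded connection needs a matching pass rule on the interface it leaves through, which is the kind of gap this check is meant to surface before reading pflog.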