Date: Mon, 28 Aug 2017 16:18:48 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Fongaboo <freebsd@fongaboo.com>
Cc: Ultima <ultima1252@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID: <20170828150926.U23641@sola.nimnet.asn.au>
In-Reply-To: <20170828150306.R23641@sola.nimnet.asn.au>
References: <mailman.1203.1503788746.74519.freebsd-questions@freebsd.org> <20170827164229.W23641@sola.nimnet.asn.au> <20170828150306.R23641@sola.nimnet.asn.au>
Argh, I take the digest and you didn't cc me on this one, so having to
insert your message from the web archive and manually quote, this might
get messy .. but the digest won't be here for 6 hours, so I'll try.

> On Mon Aug 28 00:39:38 UTC 2017 Fongaboo wrote:
> On Sun, 27 Aug 2017, Ian Smith wrote:
>
> > I know next to nothing about OpenVPN - though the digitalocean tutorial
> > looks pretty thorough on the surface - and absolutely nothing about AWS,
> > but do know a bit about ipfw and friends.
>
> Yeah I figured this was more a pure Firewall and routing issue contextual
> to FreeBSD than anything OpenVPN-specific.
>
> > Your changing of the default firewall_script from /etc/rc.firewall to
> > "/usr/local/etc/ipfw.rules" suggests that you've been unfortunately
> > ill-advised by the still-dreadful IPFW section in the handbook, written
> > by someone who uses ipfilter. Rely on /etc/rc.firewall and ipfw(8) for
> > accurate information on using ipfw.
>
> I'm not sure what you mean by 'Rely on /etc/rc.firewall and ipfw(8)'. Are
> these files in FreeBSD to refer to? Or are you talking about the
> respective handbook entries for these things?

Yes, /etc/rc.firewall is a system-supplied file. ipfw(8) syntax refers to
the ipfw manual, accessed by 'man ipfw', or more specifically 'man 8 ipfw',
being in section 8 of the manual pages. You'll see that syntax used a lot
in *BSD. ipfw(8) is a very thorough manual, usually kept well up to date,
unlike the handbook (in this instance). It's quite large, but worth
browsing at least once to see what's where with ipfw.

> > I note that the digitalocean tute did not make that mistake, though it
> > would be more up-to-date to use firewall_nat_enable rather than natd(8),
> > however natd works as well as ever, if a bit more slowly (extra process)
> >
> > So .. firewall_type="open" is a parameter to whatever firewall_script.
> > /etc/rc.firewall uses that to generate an open firewall, i.e. inserting
> > 'pass all from any to any', overriding the default 'deny all from any
> > to any'. You didn't show your ipfw.rules, but I doubt it parses 'open'
> > as a parameter - so it would not be surprising if you were locked out.
>
> So when I eliminate 'firewall_script="/usr/local/etc/ipfw.rules"' what
> is IPFW using for its rules?

As mentioned below, refer to /etc/defaults/rc.conf. You should at least
read its first section, which explains that these settings apply unless
overridden by entries in /etc/rc.conf (or /etc/rc.conf.local). In this
case 'grep firewall /etc/defaults/rc.conf' shows all of the default ipfw
settings, including:

firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall

So overriding that as you did, your ipfw.rules script was invoked instead,
whatever you'd put in there. If one of those from the handbook page,
almost certainly containing errors or at least very poor practice, which
I won't go into further (yet again :)

> > > rc.conf (revised for ipfw_nat):
> > >
> > > #enable firewall
> > > firewall_enable="YES"
> > > firewall_script="/usr/local/etc/ipfw.rules"
> > > firewall_type="open"
> >
> > Same problem here. Comment out that firewall_script line to get the
> > default, as shown in /etc/defaults/rc.conf

Sorry, that was a bit terse - but all you needed to do to get an open
firewall that also performed NAT, with either natd(8) or firewall_nat.

> > > firewall_nat_enable="YES"
> > > firewall_nat_interface="xn0"
> > >
> > > gateway_enable="YES"
> >
> > You'll likely need some firewall_nat_flags as well. See rc.firewall for
> > NAT setup (natd or firewall_nat) with 'open' or 'client' rulesets.

For natd(8) you had: natd_flags="-dynamic -m". The equivalent of those
for firewall_nat_flags is shown in the ipfw(8) section "NETWORK ADDRESS
TRANSLATION (NAT)" as "reset same_ports". Or you could just use natd.

> > Try it with the default firewall_script, for a proper open firewall,
> > that you can condition to suit once your VPN stuff is all working.
>
> So in short, you think 'firewall_nat_enable' and a combination of some
> firewall_nat_flags will accomplish the gateway redirection to the WAN?
> Just want to make sure I'm following correctly.

It should do, though I'm not familiar with the AWS setup you're using re
inside and outside interfaces, whether bridging as well, etc. I think
Richard (Ultima) has and can provide much more useful advice about that.

My only other advice, from seeing your whole rc.conf, is perhaps don't
enable so many servers (web, mail etc) until you have networking going.

> > pf is fine too of course, properly configured, but I hate seeing people
> > quit using ipfw because of some truly bad advice from >10 years ago :(

As you've seen, pf setup can have some tricky aspects too ..

cheers, Ian
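The rc.conf points made in this reply, as an added example that is not from the thread or from FreeBSD itself: a small sh lint that sources a constructed rc.conf the way rc(8) does and flags the firewall_script override (which leaves firewall_type="open" unread) and the missing firewall_nat_flags. The defaults it seeds are assumed to match /etc/defaults/rc.conf, and the two sample files are constructed from the fragment quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: a small lint for the rc.conf pitfalls
# discussed above, run over constructed rc.conf files rather than a live host.
# rc(8) reads /etc/defaults/rc.conf and then /etc/rc.conf as sh; same here.

rcconf_findings() {
    firewall_enable="NO"; firewall_script="/etc/rc.firewall"; firewall_type="UNKNOWN"
    firewall_nat_enable="NO"; firewall_nat_flags=""   # assumed defaults
    . "$1"   # constructed input only: sourcing runs whatever the file contains
    if [ "$firewall_enable" = "YES" ] && [ "$firewall_type" != "UNKNOWN" ] \
       && [ "$firewall_script" != "/etc/rc.firewall" ]; then
        echo "firewall_type=\"$firewall_type\" is only understood by /etc/rc.firewall;" \
             "firewall_script=\"$firewall_script\" will ignore it"
    fi
    if [ "$firewall_nat_enable" = "YES" ] && [ -z "$firewall_nat_flags" ]; then
        echo "firewall_nat_enable=YES with empty firewall_nat_flags;" \
             "natd_flags=\"-dynamic -m\" corresponds to firewall_nat_flags=\"reset same_ports\""
    fi
}

# The rc.conf fragment as posted in the thread (constructed copy).
write_broken_rcconf() {
    cat > "$1" <<'EOF'
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
gateway_enable="YES"
EOF
}

# The same fragment with the corrections from the reply applied.
write_fixed_rcconf() {
    cat > "$1" <<'EOF'
firewall_enable="YES"
#firewall_script="/usr/local/etc/ipfw.rules"  # default /etc/rc.firewall honours firewall_type
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="xn0"
firewall_nat_flags="reset same_ports"         # natd_flags="-dynamic -m" equivalent
gateway_enable="YES"
EOF
}

f=$(mktemp)
write_broken_rcconf "$f"; rcconf_findings "$f"   # prints two findings
write_fixed_rcconf "$f";  rcconf_findings "$f"   # prints nothing
rm -f "$f"
```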