From owner-freebsd-questions@freebsd.org Thu Jun 30 14:26:44 2016
To: freebsd-questions@freebsd.org
From: Rolf Nielsen
Subject: Firewall setup for high security for OpenVPN client
Message-ID: <16f62435-ad9c-9da4-b7ca-5aade5d00ec4@yandex.com>
Date: Thu, 30 Jun 2016 16:26:31 +0200

Hello everyone,

I've been using OpenVPN for some time, and now I'm looking to strengthen the security a bit more. I have disabled WebRTC in Firefox, and I'm using the VPN service's DNS servers rather than those of my ISP, and now it's time for the firewall.

I will of course need to communicate with the VPN server, and I'm assuming that goes on the physical interface. Inbound, outbound or both? TCP, UDP or both?

I get my IP from my ISP through DHCP. Need I open anything up for that? Inbound, outbound or both? I'm guessing ports 67 and possibly 68, UDP.

Anything other than that on the physical interface?

Apart from any servers I may be running, what should I open up on the tun interface?

And last, but not least, what should I absolutely close?

In case it matters here, I'm currently using ipfw. Since most people tend to recommend pf, I believe I will move to that one, but I'll do that later. Since I'm used to ipfw, it's more likely that I understand what I'm doing, and once I understand that, I'll consider learning how to do it in pf instead.

-- 
Vänligen / Sincerely,
Rolf Nielsen
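One way to turn the questions above into a concrete ruleset, as an added example that is not part of the original post or of FreeBSD's own documentation: an ipfw script for a client-only machine that permits DHCP and the OpenVPN session on the physical interface, forces everything else (including DNS) through the tunnel, and denies the rest. The interface names em0 and tun0, the server address 203.0.113.10, port 1194 and protocol udp are constructed placeholders; take the real values from the "remote" and "proto" lines of the client's OpenVPN config.

```shell
#!/bin/sh
# Added example, not from the original post: an ipfw "kill switch" ruleset
# for an OpenVPN client. Interface names, server address and port below are
# constructed placeholders; set EXT_IF, VPN_IF, VPN_SERVER, VPN_PORT and
# VPN_PROTO to match the "remote" and "proto" lines of the client config.
ext_if="${EXT_IF:-em0}"                  # physical NIC that talks to the ISP
vpn_if="${VPN_IF:-tun0}"                 # tunnel interface created by OpenVPN
vpn_server="${VPN_SERVER:-203.0.113.10}" # placeholder VPN server address
vpn_port="${VPN_PORT:-1194}"
vpn_proto="${VPN_PROTO:-udp}"            # udp or tcp, per the "proto" line

apply_rules() {
    # FWCMD=echo prints the rules instead of loading them (dry run).
    fwcmd="${FWCMD:-/sbin/ipfw}"

    $fwcmd -q -f flush
    # Loopback is unrestricted; spoofed loopback addresses are dropped.
    $fwcmd -q add 100 allow ip from any to any via lo0
    $fwcmd -q add 200 deny ip from any to 127.0.0.0/8
    $fwcmd -q add 300 deny ip from 127.0.0.0/8 to any
    # Replies to the keep-state rules below are matched here.
    $fwcmd -q add 400 check-state
    # DHCP lease traffic on the physical interface: client port 68, server 67.
    $fwcmd -q add 500 allow udp from any 68 to any 67 out via "$ext_if"
    $fwcmd -q add 510 allow udp from any 67 to any 68 in via "$ext_if"
    # The only other traffic allowed on the physical interface is the VPN
    # session itself: outbound, to the one server and port in the config.
    $fwcmd -q add 600 allow "$vpn_proto" from me to "$vpn_server" "$vpn_port" \
        out via "$ext_if" keep-state
    # Everything else (web, DNS to the VPN's resolvers, ...) must leave via
    # the tunnel; replies come back through the dynamic rule.
    $fwcmd -q add 700 allow ip from any to any out via "$vpn_if" keep-state
    # Any servers run behind the tunnel get explicit "in via tun0" rules here.
    # Last rule: deny and log everything else, which is what stops DNS or any
    # other traffic from bypassing the tunnel on the physical interface.
    $fwcmd -q add 65000 deny log ip from any to any
}

# Run as root with "apply" to load the ruleset; FWCMD=echo reviews it first.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Both IPv4 and IPv6 fall under the final deny, so if the VPN does not carry IPv6 the host simply has none, which is the intended leak-free state.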