From: Alex Thomas
Date: Tue, 28 Dec 2021 13:33:08 -0600
Subject: Re: PF and tun1
To: questions@freebsd.org
In-Reply-To: <5f2cca65-daab-989c-5fd0-6a5373f5bd56@pp.dyndns.biz>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
I have tried that, and have commented out the table for rfc6890 and the
rules for it. Still not having any success.

On Tue, Dec 28, 2021 at 1:28 AM Morgan Wesström wrote:
>
> On 2021-12-28 02:55, Alex Thomas wrote:
> > I am trying to get nebula working on tun1 with pf as my firewall. If I
> > turn pf off, everything works. How do I tell pf to ignore / let
> > everything pass on the tun1 device.
> >
> > vtnet0 = "vtnet0"
> > nebula1 = "tun1"
> > icmp_types = "{ echoreq unreach }"
> > table persist
> > table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
> >     172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 \
> >     192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
> >     240.0.0.0/4 255.255.255.255/32 }
> >
> > set skip on lo0
> > set skip on tun1
> > set skip on $nebula1
> > scrub in all fragment reassemble max-mss 1440
> > antispoof quick for $vtnet0
> > block in quick on egress from <rfc6890>
> > block return out quick on egress to <rfc6890>
> > block all
> > pass in on $vtnet0 proto tcp to port { 22222 } \
> >     keep state (max-src-conn 15, max-src-conn-rate 3/1, \
> >     overload flush global)
> > pass out proto { tcp udp } to port { 22 53 80 123 443 }
> > pass out inet proto icmp icmp-type $icmp_types
> >
>
> In my experience the skip rules only work on interfaces that are available when
> pf starts, which excludes tun-interfaces. I don't know if this is by design.
> Remove your skip rules for tun1 and $nebula1 and just add a pass rule for that
> interface:
>
> pass on tun1 all
>
> Additionally, since you're quick blocking all traffic to and from private IP
> addresses, make sure you don't use any of those IP addresses on tun1.
>
> /Morgan
>
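An added example, not the thread's own configuration: the quoted ruleset with the tun1 skip replaced by a pass rule, placed where pf's last-match-wins evaluation actually lets it take effect ahead of "block all". It assumes <rfc6890> as the name of the table the reply refers to, <bruteforce> as a hypothetical name for the persist table whose name is missing from the quoted text, and nebula's default underlay port 4242 for the final rule, which goes beyond what the thread discusses.

```pf
# Added example, not the thread's own config: the quoted ruleset with the
# skip on tun1 replaced by a pass rule. <rfc6890> is the table the reply
# names; <bruteforce> is a hypothetical name for the unnamed persist table.
vtnet0 = "vtnet0"
nebula1 = "tun1"
icmp_types = "{ echoreq unreach }"

table <bruteforce> persist
table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
    240.0.0.0/4 255.255.255.255/32 }

set skip on lo0
# "set skip on tun1" and "set skip on $nebula1" dropped: tun1 is created by
# nebula after pf has loaded this file, so the skip never attaches to it.

scrub in all fragment reassemble max-mss 1440
antispoof quick for $vtnet0

# Overlay traffic on the nebula interface, both directions. "quick" matters:
# pf is last-match-wins, so without it the "block all" below would override
# this rule for tun1 packets.
pass quick on $nebula1 all

# Scoped to the egress group (the interface holding the default route, i.e.
# vtnet0), so they never match tun1 even though the overlay uses private
# addresses. Keep the "on egress" scope; removing it would cut off the overlay.
block in quick on egress from <rfc6890>
block return out quick on egress to <rfc6890>
block all

pass in on $vtnet0 proto tcp to port { 22222 } \
    keep state (max-src-conn 15, max-src-conn-rate 3/1, \
    overload <bruteforce> flush global)
pass out proto { tcp udp } to port { 22 53 80 123 443 }
pass out inet proto icmp icmp-type $icmp_types

# Underlay (assumption, not covered in the thread): the tunnel itself is UDP
# between nebula hosts on the real interface, default port 4242. With
# "block all" and the short pass-out list above it could never be set up.
pass out on $vtnet0 proto udp to port 4242 keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; afterwards pfctl -vsr lists every rule with its Evaluations and Packets counters, and the counters on the tun1 rule should climb once overlay traffic flows.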