Hi,

I appreciate the valuable advice you provided about pf rules in
OpenBSD. I am currently away on a trip, but once I return, I will
thoroughly test those rules and provide you with feedback.

On Wed, Aug 16, 2023 at 3:50 PM Stuart Henderson
<stu.li...@spacehopper.org> wrote:
>
> On 2023-08-14, SOUBHEEK NATH <soubheekn...@gmail.com> wrote:
> > 2. Please have a look at the configuration I have implemented.
> >
> >      pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
> >      block in on wg0 proto tcp from any to any port {22 80}
> >      block in quick on bwfm0 proto tcp from any to any port {22 80}
> >
> >    This configuration is functioning well and your suggestions have
> >    greatly assisted me in achieving it.
> >
> >    I would like to discuss my insights on this configuration and would
> >    appreciate your feedback on it.
> >
> >    I. I use the word "quick" in the first line to prevent the "block"
> >    rules in the second line from taking precedence over it.
>
> That's one way to do it. Personally I don't like writing "quick" on all
> these lines so I normally order them for "last match wins" rather than
> "first match wins". This is mostly down to personal preference.
>
> >    II. The second line effectively prevents any devices in the wireguard
> >    network from accessing ports 22 and 80. However, because the 'quick'
> >    command is used in the first line, the rule in the first line takes
> >    precedence and allows access to ports 22 and 80 for the machine with
> >    IP address 10.0.8.3.
>
> This also blocks forwarded traffic from machines on wg0 (other than
> 10.0.8.3) to port 22/80 on the internet, not just to the machine running
> PF. If this is what you want, that's ok, if not then you may want "self"
> instead of "any".
>
> > On Mon, Aug 14, 2023 at 7:35 AM lain. <l...@fair.moe> wrote:
> >>
> >> On 2023年08月13日 12:17, Stuart Henderson wrote:
> >> > > https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
> >> >
> >> > what a mess of things from the base OS and unneeded third-party tools.
> >> >
> >> List of tools:
> >> wireguard-tools (required), nano (vim would have been enough), and the
> >> rest is everything OpenBSD ships with.
>
> wireguard-tools is not required, everything you need for wg(4) is in
> the base OS.
>
> >> Oh the horror, that's far too much, the sky is falling!
>
> After some OS upgrades, some packages (especially those interfacing
> with the kernel for things like networking) will be broken until
> packages are updated.
> This is a problem if you rely on wg(4) to access the machine.
>
> I suggest replacing use of wireguard-tools with the native configuration
> direct in hostname.wg0, see the wg(4) and ifconfig(8) manuals.
>
> >> > > On Sun, Aug 13, 2023 at 7:04 AM lain. <l...@fair.moe> wrote:
> >> > >>
> >> > >> I failed to come up with reasons for using a preshared key, so I've 
> >> > >> let
> >> > >> ChatGPT generate reasons for me:
> >> >
> >> > oh $deity please do not.
> >> >
> >> What matters is not who or what answered, what matters is the answer,
> >> and the answer it provided is good, but I guess autists gonna autist.
>
> chatgpt often makes the answer sound good but the answer is not
> necessarily reliable, so still needs vetting by someone who understands
> the area. better leave it to someone who understands in the first place.
>
> if you want to quote something, there's a perfectly good explanation
> in the wg(4) manual.
>
> --
> Please keep replies on the mailing list.
>
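Added example, not part of the thread: the quoted three-line ruleset rewritten in the "last match wins" order Stuart describes, so no "quick" is needed, with "self" in place of "any" so only connections to the PF host itself are blocked. The macro names are assumptions of this example.

```pf
# Added example (not from the thread). PF evaluates rules top to bottom and
# the LAST matching rule decides, so general rules go first and the more
# specific exception goes last. "self" covers the addresses of the machine
# running PF; keep "any" here if forwarded traffic from wg0 peers to port
# 22/80 on the internet should be blocked as well.
wg_admin    = "10.0.8.3"
admin_ports = "{ 22 80 }"

# Nobody reaches ssh/http on this host over the wireless interface.
block in on bwfm0 proto tcp from any to self port $admin_ports

# Default for the WireGuard network: no access to ssh/http on this host ...
block in on wg0 proto tcp from any to self port $admin_ports

# ... except the single administrative peer, which matches later and wins.
pass in on wg0 proto tcp from $wg_admin to self port $admin_ports
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules in the order PF will evaluate them.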