Hi, I appreciate the valuable advice you provided about pf rules in OpenBSD. I am currently away on a trip, but once I return, I will thoroughly test those rules and provide you with feedback.
On Wed, Aug 16, 2023 at 3:50 PM Stuart Henderson <stu.li...@spacehopper.org> wrote:
>
> On 2023-08-14, SOUBHEEK NATH <soubheekn...@gmail.com> wrote:
> > 2. Please have a look at the configuration I have implemented.
> >
> > pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
> > block in on wg0 proto tcp from any to any port {22 80}
> > block in quick on bwfm0 proto tcp from any to any port {22 80}
> >
> > This configuration is functioning well and your suggestions have
> > greatly assisted me in achieving it.
> >
> > I would like to discuss my insights on this configuration and would
> > appreciate your feedback on it.
> >
> > I. I use the word "quick" in the first line to prevent the "block"
> > rules in the second line from taking precedence over it.
>
> That's one way to do it. Personally I don't like writing "quick" on all
> these lines so I normally order them for "last match wins" rather than
> "first match wins". This is mostly down to personal preference.
>
> > II. The second line effectively prevents any devices in the wireguard
> > network from accessing ports 22 and 80. However, because the 'quick'
> > command is used in the first line, the rule in the first line takes
> > precedence and allows access to ports 22 and 80 for the machine with
> > IP address 10.0.8.3.
>
> This also blocks forwarded traffic from machines on wg0 (other than
> 10.0.8.3) to port 22/80 on the internet, not just to the machine running
> PF. If this is what you want, that's ok, if not then you may want "self"
> instead of "any".
>
> > On Mon, Aug 14, 2023 at 7:35 AM lain. <l...@fair.moe> wrote:
> >>
> >> On 2023年08月13日 12:17, Stuart Henderson wrote:
> >> > >
> >> > > https://www.vultr.com/docs/install-wireguard-vpn-server-on-openbsd-7-0/
> >> >
> >> > what a mess of things from the base OS and unneeded third-party tools.
> >> >
> >> List of tools:
> >> wireguard-tools (required), nano (vim would have been enough), and the
> >> rest is everything OpenBSD ships with.
>
> wireguard-tools is not required, everything you need for wg(4) is in
> the base OS.
>
> >> Oh the horror, that's far too much, the sky is falling!
>
> After some OS upgrades, some packages (especially those interfacing
> with the kernel for things like networking) will be broken until
> packages are updated.
> This is a problem if you rely on wg(4) to access the machine.
>
> I suggest replacing use of wireguard-tools with the native configuration
> direct in hostname.wg0, see the wg(4) and ifconfig(8) manuals.
>
> >> > > On Sun, Aug 13, 2023 at 7:04 AM lain. <l...@fair.moe> wrote:
> >> > >>
> >> > >> I failed to come up with reasons for using a preshared key, so I've
> >> > >> let
> >> > >> ChatGPT generate reasons for me:
> >> >
> >> > oh $deity please do not.
> >> >
> >> What matters is not who or what answered, what matters is the answer,
> >> and the answer it provided is good, but I guess autists gonna autist.
>
> chatgpt often makes the answer sound good but the answer is not
> necessarily reliable, so still needs vetting by someone who understands
> the area. better leave it to someone who understands in the first place.
>
> if you want to quote something, there's a perfectly good explanation
> in the wg(4) manual.
>
> --
> Please keep replies on the mailing list.
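The two points Stuart makes about the posted rules (order them for "last match wins" instead of writing "quick", and use "self" rather than "any" if only the host itself is meant to be protected) combined into one pf.conf fragment. This is an added example, not the ruleset anyone in the thread posted; it assumes the same interface names (wg0, bwfm0) and peer address (10.0.8.3) as the original rules, and the macro names are my own.

```pf
# /etc/pf.conf fragment (added example). Assumes: wg0 is the WireGuard
# interface, bwfm0 the wireless uplink, 10.0.8.3 the single peer that
# may reach ssh and http on this host.
admin_tcp = "{ 22 80 }"
admin_src = "10.0.8.3"

# Ordered for "last match wins": the general block comes first and the
# one exception after it, so neither rule needs "quick".
#
# "self" expands to every address configured on this host, so this
# covers 22/80 on the wg0 address as well as on the bwfm0 address.
# Traffic that is merely forwarded through wg0 to port 22/80 on some
# other machine is no longer matched here; put "any" back as the
# destination if blocking that was intended.
#
# "log" sends matches to pflog0 (read with: tcpdump -n -e -ttt -i pflog0).
block in log on { wg0 bwfm0 } proto tcp from any to self port $admin_tcp
pass  in on wg0 proto tcp from $admin_src to self port $admin_tcp
```

Because nothing here is "quick", these two lines must appear after any broader rule such as "pass in on wg0" in pf.conf, otherwise that broader pass would be the last match and win. Check the syntax without loading it with "pfctl -nf /etc/pf.conf", load it with "pfctl -f /etc/pf.conf", and confirm the resulting order with "pfctl -sr".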
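What the suggested native configuration looks like, as an added example of a /etc/hostname.wg0 for the wg(4) side of the peer discussed in the thread (it is not a file anyone in the thread posted). Each line is a set of ifconfig(8) arguments that netstart(8) applies to wg0 at boot; the tunnel addresses, listen port, endpoint and key placeholders are my assumptions.

```conf
# /etc/hostname.wg0 (added example). Every non-comment line is passed to
# ifconfig(8) for wg0 at boot; no wireguard-tools package is involved.
#
# wgkey and wgpsk are 32 random bytes, base64 encoded, generated as wg(4)
# describes:   openssl rand -base64 32
# The matching public key appears as "wgpubkey" in "ifconfig wg0" output
# once the private key is set; that is what the peer configures as wgpeer.
wgkey REPLACE_WITH_THIS_HOSTS_PRIVATE_KEY_BASE64=
wgport 51820
inet 10.0.8.1/24

# One peer: its public key, the optional pre-shared key (both ends must
# configure the same wgpsk), the tunnel address it is allowed to use
# (wgaip), where to reach it, and a 25 s keepalive (wgpka) for peers
# behind NAT. Endpoint 203.0.113.10 is a placeholder.
wgpeer REPLACE_WITH_PEER_PUBLIC_KEY_BASE64= wgpsk REPLACE_WITH_SHARED_PSK_BASE64= wgaip 10.0.8.3/32 wgendpoint 203.0.113.10 51820 wgpka 25

up
```

Keep the file root-owned and not world-readable (0640), since it holds the private key and the pre-shared key. Apply it without rebooting with "sh /etc/netstart wg0" and inspect the result, including the derived public key and per-peer handshake state, with "ifconfig wg0". Because all of this is in the base system, it keeps working across an OS upgrade even before packages are updated, which is the failure mode Stuart points out.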