DaemonForums

OpenBSD Security

25th November 2014
J65nko
Administrator
Re: your OpenVPN setup

How did you configure OpenVPN on your OpenBSD box? Most people have a lot of problems in getting it connected to a VPN service.

Re: filter rules

From http://www.swissvpn.net/index.php?co...ng=en#selected
Quote:
How can I ensure that my computer only connects to the Internet via SwissVPN, and not directly?

The most reliable way of achieving this is by installing a separate router/firewall between your computer and the Internet. Configure the firewall to only allow outbound connections with the following protocols:
  • DNS (TCP/UDP port 53)
  • HTTPS (TCP port 443), for OpenVPN

I played a little bit with a pf.conf ruleset and enabled logging, so that it can be verified to work by running tcpdump on the pflog0 device.

Code:
# Kill switch: the only traffic allowed out of the physical interface (egress)
# is the OpenVPN session itself and DNS to the local resolver; everything an
# application sends has to leave through the tunnel interface tun0.
set block-policy return
set skip on lo
set loginterface egress

# --- OUTGOING services
# the OpenVPN session to SwissVPN runs over TCP 443 (logged, so the tunnel
# setup can be watched on pflog0 as well)
pass out log quick on egress inet proto tcp from egress to any port https
# anything goes inside the tunnel
pass out log quick on tun0   inet proto { tcp, udp, icmp }
# DNS only to the local resolver; needed to set up the VPN connection
# (resolving the server name)
pass out     quick on egress inet proto udp to 192.168.222.10 port 53

# --- INCOMING services: TCP
pass in quick on egress inet proto tcp from egress:network to port ssh

# --- DEFAULT policy
# drop LAN broadcast noise (SSDP, NetBIOS) without logging it, so it does not
# clutter pflog
block quick inet proto udp from any port 1900 to any port 1900
block quick inet proto udp from any to any port { 137 138 139 }
# everything else is blocked and logged
block return log all
# -------------------------------------------------------------------------
# use 'tcpdump -eni pflog0' to watch the logged packets in real time
# use 'tcpdump -en -r /var/log/pflog' to read the logged packets from the log file
# -------------------------------------------------------------------------
With the SwissVPN.net demo account I can only do DNS lookups, ping (ICMP) and access (TCP) their website, but all of that works with this ruleset.
So you could give it a try.

PS: I needed pass out quick on egress inet proto udp to 192.168.222.10 port 53, else I could not set up the VPN connection. And that is the reason that, after stopping OpenVPN, I still could do DNS lookups. But I could neither ping nor visit a website after stopping it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
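As an added example (not part of J65nko's post), the following POSIX shell function turns the pflog output that the ruleset produces into a leak report. It counts only what pf blocked on its way out of the egress interface, which with this ruleset is exactly the traffic that tried to bypass tun0, and it additionally flags every logged "pass out" on egress to TCP 443 that is not the VPN server: the https rule allows port 443 to any host, so a direct HTTPS connection made while the tunnel is down is passed and logged rather than blocked. The interface name em0, the VPN server address 203.0.113.10, the rule numbers and the sample capture lines are assumptions constructed for this example; the line shape mirrors what OpenBSD's tcpdump -en prints for pflog records.

```shell
#!/bin/sh
# Leak report from pflog output (added example; em0 and 203.0.113.10 are assumptions).
#
# Feed it the text of `tcpdump -en -r /var/log/pflog` or `tcpdump -eni pflog0`.
# Two kinds of lines are reported, per destination, most frequent first:
#   blocked        pf blocked the packet on its way OUT of egress: a program tried
#                  to reach the Internet (or a foreign resolver) outside the tunnel
#   passed-direct  pf PASSED an outbound egress packet that is not the OpenVPN
#                  session itself; with the "to any port https" rule this is a
#                  direct HTTPS connection that bypassed tun0
# Lines for other interfaces (tun0), inbound traffic and the tunnel's own
# TCP 443 connection to the VPN server are ignored.
leaks_from_pflog() {
    iface=${1:-em0}            # egress interface name (assumption)
    vpn=${2:-203.0.113.10}     # OpenVPN server address (assumption)
    awk -v iface="$iface" -v vpn="$vpn" '
        {
            if ($0 ~ (" block out on " iface ":"))     verdict = "blocked"
            else if ($0 ~ (" pass out on " iface ":")) verdict = "passed"
            else next
            # pflog lines read "... on IF: SRC > DST: ..."; take the token after ">"
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == ">") break
            dst = f[i + 1]
            sub(/:$/, "", dst)
            if ($0 ~ / icmp[: ]/) {
                host = dst; port = "icmp"
            } else {
                # tcpdump appends the port as a last dotted component: a.b.c.d.port
                m = split(dst, p, "[.]")
                host = p[1]
                for (j = 2; j < m; j++) host = host "." p[j]
                port = p[m]
            }
            if (verdict == "passed") {
                if (host == vpn && port == "443") next   # the tunnel itself: fine
                verdict = "passed-direct"
            }
            count[verdict " " host " " port]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1 -k2,2
}

# Constructed sample (not a real capture): the shape mirrors OpenBSD tcpdump
# output for pflog records; rule numbers and addresses are illustrative.
SAMPLE_PFLOG=$(cat <<'EOF'
10:12:33.123456 rule 9/(match) block out on em0: 192.168.222.20.51234 > 192.0.2.80.80: S 1:1(0) win 16384
10:12:34.001234 rule 9/(match) block out on em0: 192.168.222.20.51235 > 192.0.2.80.80: S 2:2(0) win 16384
10:12:35.500000 rule 9/(match) block out on em0: 192.168.222.20.40000 > 198.51.100.53.53: 1234+ A? example.com. (29)
10:12:36.000000 rule 9/(match) block in on em0: 192.168.222.99.4444 > 192.168.222.20.22: S 3:3(0) win 65535
10:12:37.000000 rule 9/(match) block out on em0: 192.168.222.20 > 198.51.100.53: icmp: echo request
10:12:38.000000 rule 1/(match) pass out on em0: 192.168.222.20.51236 > 203.0.113.10.443: S 4:4(0) win 16384
10:12:39.000000 rule 1/(match) pass out on em0: 192.168.222.20.51237 > 198.51.100.7.443: S 5:5(0) win 16384
10:12:40.000000 rule 2/(match) pass out on tun0: 10.8.0.6.51238 > 192.0.2.80.80: S 6:6(0) win 16384
EOF
)

# Demonstration on the constructed sample
printf '%s\n' "$SAMPLE_PFLOG" | leaks_from_pflog em0 203.0.113.10
```

Against a live box, run tcpdump -en -r /var/log/pflog | leaks_from_pflog em0 <vpn-server> after OpenVPN has been up for a while; anything in the output is a program that reached the Internet directly, or a resolver other than 192.168.222.10. Tightening the https rule to "to <vpn-server> port https" makes the passed-direct connections show up as blocked instead.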
 

Tags
pf rules, vpn, workstation

