PF Port forwarding over VPN over PF

Hello. I need to open a port on my FreeBSD desktop. There is a VPN server on Linux; everything is configured there. When I connect to the VPN with the firewall turned off on the local host, the port is open. When I comment out the line "block all" with PF enabled, the port is also open. But what is the correct way to pass a port through the "block all" filter?

gateway_enable="YES" in rc.conf

VPN connection address log
Code:
2023-10-28 19:41:11 [server_HFJeyr26y1CXo8Jr] Peer Connection Initiated with [AF_INET]123.45.67.89:1194
2023-10-28 19:41:11 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-10-28 19:41:11 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-10-28 19:41:12 SENT CONTROL [server_HFJeyr26y1CXo8Jr]: 'PUSH_REQUEST' (status=1)
2023-10-28 19:41:12 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 84.200.69.80,dhcp-option DNS 84.200.70.40,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-128-GCM'
2023-10-28 19:41:12 OPTIONS IMPORT: --ifconfig/up options modified
2023-10-28 19:41:12 OPTIONS IMPORT: route options modified
2023-10-28 19:41:12 OPTIONS IMPORT: route-related options modified
2023-10-28 19:41:12 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-10-28 19:41:12 Preserving previous TUN/TAP instance: tun0
2023-10-28 19:41:12 Initialization Sequence Completed

ifconfig
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether 98:40:bb:32:1e:f3
    inet 192.168.1.141 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
    groups: pflog
tun0: flags=8143<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.2 netmask 0xffffff00 broadcast 10.8.0.255
    groups: tun
    nd6 options=9<PERFORMNUD,IFDISABLED>
    Opened by PID 7600

all PF Settings
Code:
rdr on re0 proto { tcp, udp } from any to 123.45.67.89 port 12345 -> 10.8.0.2 port 12345
nat on re0 proto { tcp, udp } from 10.8.0.2 to any -> 123.45.67.89
block all
pass out proto { tcp udp } to port { 53 80 123 443  22 1194 12345 }
pass out inet proto icmp icmp-type { echoreq }


I read man pf.conf. As far as I understand, it seems that somehow NAT rules need to be added to the filters after "block all", but I don't understand how.
 
It looks like you don't need a redirect with a VPN, but you need to add a rule that opens the incoming port: pass in proto { tcp } to port { 12345 }

Code:
block all
pass out proto { tcp udp } to port { 53 80 123 443 22 1194 12345 }
pass in proto { tcp } to port { 12345 }
pass out inet proto icmp icmp-type { echoreq }


This is how the port works. If there are safety concerns, please write.
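The ruleset above does open the port, but "pass in proto { tcp } to port { 12345 }" has no interface or destination, so it accepts connections to 12345 on every interface, including the LAN side (re0, 192.168.1.141), not only through the tunnel. The following pf.conf is an added example for this thread, not either poster's configuration. It assumes what the thread shows: tun0 is the OpenVPN interface with address 10.8.0.2, re0 is the LAN interface, and the service listens on TCP 12345 on this desktop. The rdr and nat lines from the first post are left out on purpose: the desktop is the VPN client, and the redirect of the server's public port to 10.8.0.2 belongs on the Linux VPN server, which the first post says is already configured. The table name "bruteforce" and the rate-limit numbers are illustrative choices.

```pf
# Added example (not from the thread). Assumptions: tun0 = OpenVPN interface
# (10.8.0.2/24 as shown in ifconfig), re0 = LAN interface, service on TCP 12345.
vpn_if   = "tun0"
lan_if   = "re0"
svc_port = "12345"

# Hosts that exceed the connection-rate limit below land here and are dropped.
table <bruteforce> persist

set skip on lo0

# Default deny in both directions; "log" makes dropped packets visible on pflog0.
block log all

# Drop listed offenders before any pass rule is evaluated.
block in quick from <bruteforce>

# Outbound rules as in the thread. pass rules keep state by default, so the
# return traffic of these connections is allowed without extra rules.
pass out proto { tcp udp } to port { 53 80 123 443 22 1194 12345 }
pass out inet proto icmp icmp-type echoreq

# Weak form from the thread: matches on every interface, including the LAN.
# pass in proto { tcp } to port { 12345 }

# Tightened form: only on the VPN interface, only to this host's own tunnel
# address (the parentheses track the address if it changes on reconnect),
# only new TCP connections (SYN without ACK), with per-source limits.
pass in on $vpn_if proto tcp to ($vpn_if) port $svc_port \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and confirm the active rules with `pfctl -sr`. `sockstat -4l` shows whether the service is actually listening on 10.8.0.2 (or on all addresses), and `tcpdump -n -e -ttt -i pflog0` shows which packets the `block log all` rule is dropping while you test the port through the VPN. `gateway_enable="YES"` in rc.conf only turns on IP forwarding for packets passing through the desktop to other hosts; accepting a connection on the desktop itself does not need it.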
 