PF Need advice to optimize rules

Hi all,

I'm working on a personal gateway based on FreeBSD and PF to route all my home internet traffic through an OpenVPN tunnel. Actually everything works fine, but I think it can be better with some optimisation and help.

Here is my pf.conf:
Code:
### Physical interfaces
ext_if = "xl0"
ext_gw = "192.168.1.254"
lan_if = "fxp0"

### VPN interfaces
vpn_if = "tun0"

### No NAT
table <novpn> { 1.2.3.4 }
table <novpnneg> { !1.2.3.4 }

### ICMP requests
icmp_types = "echoreq"

### Abusive IP table
table <abusive_ips> persist

### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
#scrub in on $ext_if all fragment reassemble
scrub in all fragment reassemble

### NAT OpenVPN
nat on $ext_if inet from $lan_if:network to <novpn> -> ( $ext_if )
nat on $vpn_if inet from $lan_if:network to any -> ( $vpn_if )

### RDR all DNS traffic
rdr pass on $lan_if proto { tcp udp } from $lan_if:network to !$lan_if port 53 -> 127.0.0.1 port 53

### RDR all Web to Squid
rdr pass on $lan_if inet proto tcp from $lan_if:network to any port 80 -> 127.0.0.1 port 3129

### Exception on loopback interface
set skip on lo0

### Default policy
block all

### Block IPs from the abusive table
block in quick from <abusive_ips>

# Prevent VPN bypass
block out quick on $ext_if from $lan_if:network to <novpnneg>

### Allow ICMP
pass inet proto icmp all icmp-type $icmp_types keep state

### Route for NoVpn (same gateway as $ext_gw)
pass out on $ext_if route-to ( $ext_if $ext_gw ) from any to <novpn>

### Allow outgoing traffic
pass inet proto { tcp, udp } from { self , $lan_if:network }

### Allow SSH on host
pass in on $ext_if reply-to ( $ext_if $ext_gw ) proto tcp from any to $ext_if port 22 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_ips> flush global)
And here are some problems I have and don't know how to resolve:
- I have to make two tables (or lists) to negate outgoing traffic for my network.
- I have to allow all outgoing traffic because when I try to limit it, it won't work ( $lan_if:network to $vpn_if <- Maybe it's normal, but how can I define the "through" interface?)
- I have to configure Squid to use an outgoing interface because I don't know how to limit port 80 traffic from the Squid (localhost) process without blocking localhost traffic (maybe put Squid in a jail)
- Maybe I need to reorder and clean some rules, but I don't really understand ALL pf.conf() options (match out for ex)
- Some daemons don't work at reboot (ntp, dns) because the tunnel isn't ready yet...

Thanks for your help
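One way to address the five points above, as an added example rather than the poster's own file: a single `<novpn>` table negated inline with `!<novpn>`, a `match ... tag` / `pass out ... tagged` pair to express "LAN traffic may only leave through tun0", and the `user` keyword to pin Squid's own connections. It assumes the same interfaces as the post (xl0, fxp0, tun0), that Squid runs as the user `squid`, that the OpenVPN server pushes the default route over tun0, and that the tag name `LANVPN` is free; all of those are assumptions, not facts from the thread.

```pf
# Reworked pf.conf (added example; assumptions: Squid runs as user "squid",
# OpenVPN pushes the default route over tun0, tag name LANVPN is unused).

### Macros
ext_if = "xl0"
ext_gw = "192.168.1.254"
lan_if = "fxp0"
vpn_if = "tun0"
icmp_types = "echoreq"

### Tables
# Destinations that must NOT use the tunnel (VPN endpoint etc.). One table
# is enough: rules negate it with "!<novpn>" instead of a second table.
table <novpn> { 1.2.3.4 }
table <abusive_ips> persist

### Options (keep "set" statements before everything else)
set skip on lo0

### Normalization
scrub in all fragment reassemble

### Translation (FreeBSD pf keeps nat/rdr as separate translation rules).
# Parentheses make the rule follow tun0's address, which changes every
# time the tunnel is re-established, without reloading the ruleset.
nat on $ext_if inet from $lan_if:network to <novpn> -> ($ext_if)
nat on $vpn_if inet from $lan_if:network to any -> ($vpn_if)
rdr pass on $lan_if proto { tcp udp } from $lan_if:network to !$lan_if port 53 -> 127.0.0.1 port 53
rdr pass on $lan_if inet proto tcp from $lan_if:network to any port 80 -> 127.0.0.1 port 3129

### Filtering
block all
block in quick from <abusive_ips>

# "match" never passes or blocks; it only applies options such as "tag".
# Tagging LAN packets on the way in is how pf expresses a "through"
# interface: the tag is checked again on the outbound interface.
match in on $lan_if from $lan_if:network tag LANVPN

# VPN-bypass guard: LAN packets leaving the physical interface for any
# destination not in <novpn> are dropped (negated table, no <novpnneg>).
block out quick on $ext_if from $lan_if:network to !<novpn>

# Squid's own connections must never reach port 80 via the physical
# interface. "user" matches the socket owner of locally originated
# connections only, so forwarded LAN packets and lo0 are unaffected.
block out quick on $ext_if proto tcp to any port 80 user squid

pass inet proto icmp all icmp-type $icmp_types keep state

# Forwarded LAN traffic: in on the LAN side, out only on the tunnel
# (tagged), except <novpn> destinations, which are forced out $ext_gw.
pass in on $lan_if from $lan_if:network
pass out on $vpn_if tagged LANVPN
pass out on $ext_if route-to ($ext_if $ext_gw) from any to <novpn>

# Traffic the gateway itself originates (resolver, ntpd, Squid) also
# leaves on the tunnel; the "! tagged" keeps it distinct from LAN flows.
pass out on $vpn_if from ($vpn_if) ! tagged LANVPN

# Management SSH from outside; replies are forced back out the physical
# interface rather than following the tunnel default route.
pass in on $ext_if reply-to ($ext_if $ext_gw) proto tcp from any to ($ext_if) port 22 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_ips> flush global)
```

The two points worth checking after loading this with `pfctl -nf /etc/pf.conf` (syntax check only, no load): `pfctl -sr` should show the `match` rule with its tag ahead of the `pass` rules, and `pfctl -t novpn -T show` should list only the addresses that are meant to bypass the tunnel, since everything else is now derived by negation. The last point in the list, daemons failing at boot, is a start-order problem rather than a pf one: nothing in the ruleset changes when tun0 appears, so the resolver and ntpd need to be (re)started once the tunnel is up, for example from an OpenVPN `up` or `route-up` script.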
 
Hi all,
- Some daemons don't work at reboot (ntp, dns) because the tunnel isn't ready yet...
Thanks for your help

An extremely small mention to add for now.

pf.conf(4)
Surrounding the interface name (and optional modifiers) in parentheses changes this behaviour. When the interface name is surrounded by parentheses, the rule is automatically updated whenever the interface changes its address. The ruleset does not need to be reloaded. This is especially useful with nat.

Try this as an example for DNS.
Code:
### RDR all DNS Traffic
rdr pass on $lan_if proto { tcp udp } from ($lan_if:network) to !($lan_if) port 53 -> 127.0.0.1 port 53
 
Thanks for the reply

I've already done it with these lines:
Code:
### NAT OpenVPN
nat on $ext_if inet from $lan_if:network to <novpn> -> ( $ext_if )
nat on $vpn_if inet from $lan_if:network to any -> ( $vpn_if )
Because the LAN interface has a fixed IP, I didn't have to use parentheses.
But, on boot, I think my problem is in the phase of building the VPN tunnel.

The DNS server needs it, but it isn't finished yet, so I get a timeout...
 