Hi all,
Could somebody with some knowledge and experience have a look at my pf.conf before I start using it, to make sure I'm not doing anything stupid with it?
I am using FreeBSD 12.2 on a laptop connected via wifi to my ISP router and the VPN provided for work.
I am using OpenVPN and UDP-based ovpn files.
Ideally, I would like to force all traffic through the VPN or otherwise block it (in the future).
But I have started with a basic pf.conf which I hope will work with or without the VPN.
Is my current setup OK for use with or without the VPN?
My /etc/rc.conf:
Code:
pf_enable="YES"
pf_flags=""
pf_log="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_flags=""
pflog_logfile="/var/log/pflog"
gateway_enable="NO"
PF seems to load OK and doesn't complain about syntax when I run:
pfctl -nf /etc/pf.conf
Here is my basic / standard pf.conf that I have cobbled together from man pages and whatnot:
Code:
### Macros
# Interface names
ext_if = "wlan0"
vpn_if = "tun0"
# Macro name for non-routables
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
### Settings
# Set optimization rules
set ruleset-optimization basic
set optimization normal
# Silently drop blocked packets
set block-policy drop
# Silently drop failed packets
set fail-policy drop
# Bind states to interfaces
set state-policy if-bound
# set fingerprints file
set fingerprints "/etc/pf.os"
# Pass loopback
set skip on lo0
# Generate debug messages only for serious errors
set debug urgent
# Reassemble fragmented packets
scrub in all fragment reassemble
### Rules
# Default deny everything
block log all
# Block all IPv6
block quick inet6 all
# Block spoofed source addresses
antispoof for lo0
antispoof for $ext_if
block in quick from no-route to any
block in quick from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
# Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# Block RFC 1918 and other non-routable addresses
# NOTE: if wlan0 itself carries a private address (e.g. the ISP router hands
# out 192.168.x.x), these two rules also block traffic to and from the router
# and the rest of the LAN (its DNS resolver, its web UI). DHCP keeps working
# only because dhclient(8) uses bpf(4) and bypasses pf. Exempt the local
# subnet before these rules if LAN access is needed.
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians
# Allow everything else out, keeping state so the replies are let back in
pass out all keep state
EDIT: Obviously I have tested it, and it seems to work:
- I have "full" connectivity, as far as I can tell, with or without VPN
- Our VPN leak test page reports no IP leaks
- No DNS leaks reported
- Online "firewall testers" seem OK (without VPN)
Any and all feedback is very much appreciated.
Thank you.
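Since the stated next step is to force everything through the tunnel, here is a VPN-only ("kill switch") variant of the ruleset above. It is an added example, not part of the original post. It assumes the VPN endpoint is a single IPv4 address reached over UDP (the `remote` line of the .ovpn file), that the ISP router's LAN is 192.168.1.0/24, and that the tunnel is IPv4-only; the address 203.0.113.10, the port 1194 and the LAN prefix are placeholders to replace with your own values.

```pf
### Macros (assumed values: replace with the ones from your .ovpn "remote" line)
ext_if = "wlan0"
vpn_if = "tun0"
vpn_server = "203.0.113.10"   # placeholder, TEST-NET-3
vpn_port = "1194"             # placeholder; match the port in the .ovpn file
lan_net = "192.168.1.0/24"    # assumed ISP-router LAN; check with ifconfig wlan0

### Settings (same intent as the original ruleset)
set block-policy drop
set state-policy if-bound
set skip on lo0
scrub in all fragment reassemble

### Rules
# Default deny, logged; IPv6 dropped outright because the tunnel here is IPv4-only
block log all
block quick inet6 all
antispoof quick for lo0
antispoof quick for $ext_if
block in quick from no-route to any
block in quick from urpf-failed to any

# On the physical interface, only the tunnel's own traffic may leave:
# the OpenVPN UDP exchange with the configured server ...
pass out quick on $ext_if proto udp from any to $vpn_server port $vpn_port keep state
# ... and, optionally, the local LAN (router web UI, printer). Remove this line
# if the laptop must never talk to anything but the VPN server directly.
pass out quick on $ext_if from any to $lan_net keep state
# Everything else leaving wlan0 is dropped and logged, so with tun0 down
# nothing silently falls back to the ISP path. DHCP keeps working because
# dhclient(8) uses bpf(4) and is not filtered by pf.
block out log quick on $ext_if all

# Inside the tunnel, allow everything out and keep state for the replies
pass out on $vpn_if all keep state
```

The OpenVPN handshake still reaches the server with the tunnel up because `redirect-gateway` adds a host route to the server via the original gateway, so that UDP flow keeps leaving on wlan0 and matches the first `pass out` rule. Check the file with `pfctl -nf`, load it, then test the failure mode: stop OpenVPN and confirm that `ping -c 1 1.1.1.1` gets nothing, that `pfctl -ss` shows no wlan0 states other than the UDP flow to the server, and that `tcpdump -n -e -ttt -i pflog0` shows the dropped attempts. If you keep the optional LAN line, make sure /etc/resolv.conf does not point at the router, otherwise DNS goes to the ISP outside the tunnel and the leak test will report it.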