I'm trying to build a ruleset I though I had my handle on it but when I rebooted, I was locked out. Objective: Implementation of OpenVPN with PF/NAT to allow traffic to access a standalone FreeBSD 8.0 server and also to tunnel to the internet. The server has no intranet connections.
There must be something fundamentally wrong in this ruleset:
There must be something fundamentally wrong in this ruleset:
Code:
tcp_pass = "{ 20 21 22 25 53 80 81 8010 110 137 138 139 443 445 465 587 993
udp_pass = "[ 137 138 139 465 587 1194}"
vpn_if = "tun0"
vpn_net = "10.8.0.0/24"
ext_if = "re0"
ip_addr = "209.160.65.133"
openvpn_server = "10.8.0.1"
openvpn_port = "1194"
#basic rules
pass out on re0 proto tcp to any port $tcp_pass keep state
pass out on re0 proto udp to any port $udp_pass keep state
pass in on re0 proto udp to any port $udp_pass keep state
pass int on re0 proto tcp to any port $tcp_pass keep state
#nat rules
nat on $ext_if inet from $vpn_net to any -> $ext_if
# --- pass incoming openvpn connections to the internal openvpn server ---
pass in quick on $ext_if inet proto { tcp udp } from any to $OPENVPN_SERVER
pass out quick on $ext_if inet from any to any keep state
# --- SCRUB section ---
scrub in all
# --- antispoof protection ---
antispoof quick for $ext_if inet
#provide a wall
block all