PF: filtering traffic initiated by the firewall itself.

Good evening,

Let me describe my setup first.

I have a server (let's call it C) which connects to two other offices via OpenVPN (traffic is routed, not NATed).

It is required of me to set up the server in a way that traffic destined for office A goes via TunA and traffic for office B goes via TunB. This is not an issue.

My issue is that my server can only be allowed to connect to the public IPs of server A (office A) and server B (office B), so traffic generated by DNS or NTP on server C may travel to the Internet via the link to office A, TunA.

None of the requests generated by server C can go to the Internet directly.

As I don't have much experience with pf, I ask for help, please.

Please excuse my writing. English is not my native language.

Kind regards
Greg
 
Welcome to the forums, Greg Uramowski. What you want to do is possible; you can filter outbound as well as inbound traffic using a firewall. Remember you will need to allow the connections for the VPN tunnels. The FreeBSD Handbook has a section on firewalls and might be a good place to start. If your current firewall configuration is not working, you could post your current set of firewall rules so someone can help you.
 
Thank you both for your replies.

I have a working solution. It is probably not the best approach, but it works.

So I've recompiled the kernel to be able to use multiple routing tables.
I'm running my connection A in routing table 1 and connection B in routing table 2 (both inheriting the default routing path from the primary routing table).
I've removed the default routing path from primary routing table 0 and added a new default one with the same gateway which is used as default by TunA.

All of this is done by a csh script run by cron, so settings are verified periodically to sustain consistency.

On top of this I've set up PF to re-route incoming packets to the relevant routing tables.

I'm sure this can be done in more efficient/cleaner way.

I will read the recommended documentation. Thank you.

Kind regards
Greg
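A pf.conf in the shape of the setup described in the post above, added here as an illustration; it is not Greg's actual configuration. The interface names, the public IPs of servers A and B, the office networks and the OpenVPN port are assumed placeholders, and the routes inside routing tables 1 and 2 are assumed to have been created with setfib(1) and route(8) as the post describes. The rule set does what the original question asked for: the server itself may only talk to the two OpenVPN endpoints on the public interface, office traffic is confined to its own tunnel, and the remaining host-originated traffic (DNS, NTP) is only allowed out over TunA. The `rtable` keyword, available in FreeBSD's pf when the kernel is built with multiple routing tables, is used on inbound packets from the office networks, which still face a route lookup after pf; it does not re-route packets the server's own stack has already routed, which is why the default route itself was repointed at TunA's gateway.

```pf
# Constructed example pf.conf for the two-tunnel setup (not the thread author's config).
# Names and addresses below are assumptions; replace them with the real ones.
ext_if       = "em0"           # public interface of server C
tun_a        = "tun0"          # OpenVPN tunnel to office A
tun_b        = "tun1"          # OpenVPN tunnel to office B
srv_a_pub    = "203.0.113.10"  # public IP of server A (placeholder)
srv_b_pub    = "198.51.100.20" # public IP of server B (placeholder)
office_a_net = "10.1.0.0/16"   # network behind TunA (placeholder)
office_b_net = "10.2.0.0/16"   # network behind TunB (placeholder)
ovpn_port    = "1194"

set skip on lo0

# Default deny in both directions, logged, so anything not listed below
# shows up on pflog0 instead of silently leaving the box.
block log all

# The only traffic server C may send directly to the Internet: the two
# OpenVPN sessions. Stateful, so replies from A and B are let back in.
pass out quick on $ext_if proto udp from ($ext_if) \
    to { $srv_a_pub, $srv_b_pub } port $ovpn_port keep state

# Office A traffic leaves via TunA only, office B traffic via TunB only.
pass out quick on $tun_a to $office_a_net keep state
pass out quick on $tun_b to $office_b_net keep state

# Everything else the server itself originates (DNS, NTP) is permitted on
# TunA alone; with the default route pointing at TunA's gateway it lands here.
pass out quick on $tun_a proto { tcp, udp } to any port { 53, 123 } keep state

# Packets arriving from the office networks are accepted and handed to the
# matching routing table (FIB) for any onward route lookup.
pass in quick on $tun_a from $office_a_net rtable 1 keep state
pass in quick on $tun_b from $office_b_net rtable 2 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the catch-all rule logs, `tcpdump -n -e -ttt -i pflog0` shows every packet the server tried to send that is not on the allow list, which is the quickest way to find a service (package updates, mail, monitoring) that still needs an explicit rule over TunA rather than a hole in the public interface.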
 
Yes, if he was using OpenBSD. FreeBSD uses obsolete syntax besides an obsolete version of PF. That is the primary reason I never answer any PF-related questions on this forum.

For simple PF rules that guide will be just fine.
 