PF Firewall Split with OpenVPN by UserID

Trying my hand at a FreeBSD server with a single network interface (igb1) on the LAN and an OpenVPN connection. (Moved from 10 years of Linux thanks to ZFS. Last time I ran FreeBSD it came with a thick white book, around the time of MS-DOS 3, for perspective.) I am trying to restrict a particular local user account to only use the OpenVPN connectivity; however, I want to make sure that the admin ports are still accessible from the local LAN despite being owned by the KYLE user. (Clarifying that all NON-KYLE traffic goes to extIF.)

LAN <-> (extIF) Server (lun0) <-> OpenVPN (lun0)

I have a service on the server, owned by a user KYLE, listening on ports 5555, 6666, and 7777. All other traffic from KYLE that isn't on those 3 ports must go to lun0.

I want to block all traffic to extIF owned by KYLE except ports 5555, 6666, and 7777, so I can still get to the web interfaces KYLE runs.

I want all incoming traffic to lun0 blocked except for things the KYLE-owned processes start (typical keep state) and a few select ports; but most of all, those 5555, 6666, 7777 ports should NOT be accessible.

I thought I could use route-to with user KYLE, but after 5 days of fumbling I haven't found a working configuration. In the land of iptables you could mangle packets and whatnot without trouble, but since coming back to FreeBSD the whole PF/IPFW thing has me completely lost.

My early attempt ran along the lines of:
Code:
extIF="igb1"
extIP="192.168.1.100"
vpnIF="lun0"

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, pop3s }"
udp_services = "{ domain }"
safePorts = "{ 80, 443, 119, 25, 586, 53 }"
localNetwork = "{ 192.168.1.0/24 }"
restrictedUser = "KYLE"

adminPorts = "{ 5555, 6666, 7777 }"

# NOTE: "set skip on $extIF" would disable filtering on the very interface the
# user-based rules below are meant to act on, so only lo0 is skipped here.
set skip on lo0
scrub in all

block return in log all

block in on $vpnIF all #block all incoming
block out on $extIF all user $restrictedUser #block everything to lan from restricted user
# "port" is only valid with proto tcp or udp; "ports { ... }" is a syntax error in pf.conf
block out on $vpnIF proto tcp to port $adminPorts #except for

#I feel like there should be a route-to line here to ensure KYLE goes to the VPN. Like
# **route all traffic from KYLE that is not ports adminPorts to VPN**

pass out on $vpnIF proto { tcp, udp } from any to any port $safePorts #poke holes out to Vpn

##### VPN SPLIT
# route-to belongs on the out rule of the interface the packet would otherwise
# leave, and in this pf version takes the form "route-to (ifname gateway)":
#pass out on $extIF route-to ($vpnIF <vpn_gateway>) proto { tcp, udp } \
#    from $extIP to any user $restrictedUser keep state

But I have had little success, with some odd syntax errors when testing out `pass out` with a port specified.

The system is FreeBSD 10.2, and I've been tinkering with it so long that I am all turned around now.

Anyone care to lend a hand on how to accomplish this via PF (or is one of the other firewalls more appropriate)?

Idgarad
 
Update: At the very least I could get by with this: if the VPN is down, block KYLE from extIF but still allow the admin ports to pass through.
 
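One ruleset that matches the layout described in the post, added here as an illustration; it is not from the original post and was not run on that system. It keeps the post's names (igb1 at 192.168.1.100 on the LAN, the VPN interface the post calls lun0, user KYLE, admin ports 5555/6666/7777) and assumes a VPN-side gateway address of 10.8.0.1 and that the host's default route points out the LAN, so KYLE's traffic would normally leave via igb1. The syntax is the FreeBSD 10.x pf dialect, where nat rules come before filter rules and route-to sits after "on ifname".

```pf
# Added example ruleset for FreeBSD 10.x pf; names below come from the post,
# except vpn_gw, which is an assumed address for the far end of the tunnel.
ext_if = "igb1"
ext_ip = "192.168.1.100"
vpn_if = "lun0"
vpn_gw = "10.8.0.1"
lan    = "192.168.1.0/24"
ruser  = "KYLE"
admin_ports = "{ 5555, 6666, 7777 }"
safe_ports  = "{ 25, 53, 80, 119, 443 }"

set skip on lo0
scrub in all

# Packets that route-to pushes onto the tunnel still carry the LAN source
# address; rewrite it to the tunnel address or the far side will drop them.
nat on $vpn_if from $ext_ip to any -> ($vpn_if)

block return log all

# LAN side: the admin services are reachable only from the LAN. "user" matches
# the owner of the local listening socket. Because the rule keeps state, the
# replies KYLE's process sends back ride that state and never reach the
# user-based block-out rule further down.
pass in quick on $ext_if proto tcp from $lan to $ext_ip port $admin_ports user $ruser keep state

# Everything else KYLE originates must not leave via the LAN. Match it on
# $ext_if (where the default route sends it) and divert it to the tunnel.
# The packet is then re-evaluated as outbound on $vpn_if, where the nat rule
# above applies. "user" only matches TCP and UDP sockets, hence two rules.
pass out quick on $ext_if route-to ($vpn_if $vpn_gw) proto tcp from $ext_ip to any user $ruser keep state
pass out quick on $ext_if route-to ($vpn_if $vpn_gw) proto udp from $ext_ip to any user $ruser keep state
# If the tunnel is down, the route-to rule above already matched and was
# "quick", so KYLE's packets cannot fall through to the LAN pass rules.
block out quick on $ext_if user $ruser

# Non-KYLE traffic uses the LAN normally; ssh in from the LAN for admin.
pass out on $ext_if proto { tcp, udp, icmp } from $ext_ip to any keep state
pass in on $ext_if proto tcp from $lan to $ext_ip port ssh keep state

# Tunnel side: nothing unsolicited comes in (this covers 5555/6666/7777 too).
# Outbound, only connections a local process starts to the listed ports.
block in quick on $vpn_if all
pass out on $vpn_if proto { tcp, udp } from ($vpn_if) to any port $safe_ports keep state
```

Two things to check when adapting this. First, `user` matching relies on pf finding a local socket for the packet, so it only covers TCP and UDP that this host originates or terminates; ICMP from KYLE's processes is not caught by the user rules. Second, run `pfctl -vnf /etc/pf.conf` before loading, and confirm the diverted flows with `pfctl -ss` and `tcpdump -ni lun0`: you should see KYLE's connections leave with the tunnel address as source, while the admin-port replies to the LAN show up as states on igb1.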