I'm trying to create a simple ansible template for the packet filter on FreeBSD 11.1-RELEASE. I have vtnet0 (public), vtnet1 (private, 10.10 address) and tun0 (openvpn, fully working/tested from a client to nodes on my network).
My rc.conf looks like the following:
hostname="bastion"
sshd_enable="YES"
static_routes="linklocal"
ifconfig_vtnet0="DHCP"
ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
rtsold_flags="-aF"
ifconfig_vtnet1="inet 10.10.6.20 netmask 255.255.255.0"
gateway_enable="YES"
openvpn_enable="YES"
pf_enable="YES"
My cloud provider gives me ipv4/ipv6 public addresses via DHCP.
I've looked at the FreeBSD docs and other ansible playbooks and came up with this basic pf.conf:
# Macros must be defined before the rules that reference them.
tcp_services = "{ ssh }"
udp_services = "{ openvpn }"
# Options have to precede the filter rules; pfctl rejects them afterwards.
set skip on lo0
set skip on tun0
# Filter rules: default deny, then explicit passes (last matching rule wins).
block all
pass out all keep state
pass in proto tcp to any port $tcp_services keep state
pass in proto udp to any port $udp_services keep state
However, with this configuration, I block all ssh and openvpn access and have to log in to my box via the VM web console.
My goal is for this box to only allow in openvpn (udp) and ssh from the public interface, allow all traffic over the vpn (tun0) and all traffic from internal.
Setting up pf may be a bit of a hassle. You need to understand that pf treats all interfaces absolutely equally and there is no concept of packets originating on the box itself as there is in the iptables OUTPUT chain. I would start with something along these lines and build on that:
Warning: Don't use standard openvpn and ssh ports.
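As an added example (not the answerer's ruleset, which is not on the page, and not the question's pf.conf), here is a pf.conf that implements the goal stated in the question while respecting the point above that pf has no OUTPUT-style notion of locally generated traffic: the public interface only accepts ssh and OpenVPN, and vtnet1 and tun0 are trusted end to end. The interface names and the 10.10.6.0/24 network are taken from the rc.conf in the question; the ICMPv6 rule assumes the provider delivers the IPv6 default route via router advertisements, as the rtsold entries suggest.

```pf
# Added example, not the answerer's ruleset. Interface names and the
# private network come from the rc.conf in the question.
ext_if  = "vtnet0"          # public, addressed by DHCP / router advertisements
int_if  = "vtnet1"          # private LAN
vpn_if  = "tun0"            # OpenVPN server tunnel
int_net = "10.10.6.0/24"
tcp_services = "{ ssh }"
udp_services = "{ openvpn }"

# pf.conf order matters: macros, then options, then filter rules.
set skip on lo0
set block-policy drop

# Normalise inbound packets before the filter rules see them.
scrub in all

# Default deny, in both directions, on every interface. pf has no
# OUTPUT-style notion of "locally generated" traffic, so the box's own
# outbound connections need the explicit pass out rule below.
block log all
pass out quick all keep state

# IPv6 on the public interface depends on ICMPv6 (router and neighbour
# discovery); dropping it silently breaks the SLAAC default route.
# (Assumption: the provider advertises the v6 route via RA, per rtsold.)
pass in quick on $ext_if inet6 proto icmp6 all icmp6-type { routeradv, neighbrsol, neighbradv, echoreq, toobig }
pass in quick on $ext_if inet proto icmp all icmp-type echoreq keep state

# Public interface: only ssh and OpenVPN, and only to whatever address
# vtnet0 currently holds (parentheses make pf re-read a DHCP-assigned address).
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services keep state
pass in on $ext_if proto udp from any to ($ext_if) port $udp_services keep state

# Private LAN and VPN are trusted, including traffic forwarded between
# them (gateway_enable="YES"); the state created here lets the reply
# path back through the pass out rule.
pass in quick on $int_if from $int_net to any keep state
pass in quick on $vpn_if all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` for what `block log` is dropping if a service still cannot reach the box.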