Date: Mon, 13 Dec 2021 03:08:39 +0100
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
From: Giuseppe Piscitelli
Subject: Configuration for a laptop

Hi,

I am new to pf and FreeBSD. This is my pf.conf:

ext_if = "{ re0, wlan0 }"
wg_if = "192.168.9.0/24"
lan = "192.168.1.0/24"
avahi_services = "{ mdns, mdnsresponder }"

pass quick on lo0 all
block in all
pass out all keep state
pass in log proto { tcp, udp } from $lan port $avahi_services
pass in log proto { tcp, udp } from $wg_if port 51820

My goal is to exclude the loopback interface from the rules, block all traffic from outside to inside, allow all traffic from inside to outside, allow mdns service and allow wireguard on port 51820.

With the rules applied, everything seems to work. Is this correct? Any suggestions?
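
Added example (not part of the original message): the five goals stated above written with destination-port matching, to contrast with rules of the form "from <net> port <p>", which constrain the sender's source port. Assumptions: the macro name wg_net is hypothetical, and the laptop is assumed to accept inbound WireGuard handshakes on UDP 51820 on its physical interfaces.

```pf
# Added example, not the poster's ruleset. Interface names and networks are
# taken from the post; wg_net and the inbound WireGuard listener are assumptions.

# --- macros ---
ext_if = "{ re0, wlan0 }"
lan    = "192.168.1.0/24"
wg_net = "192.168.9.0/24"   # hypothetical name: this is a network, not an interface

# --- options (must precede filter rules) ---
# Goal 1: loopback is excluded from filtering entirely, instead of being
# matched by a "pass quick" rule.
set skip on lo0

# --- filter rules (last matching rule wins unless "quick" is used) ---
# Goal 2: default deny for inbound traffic.
block in all

# Goal 3: allow everything outbound; the state entry admits the replies.
pass out all keep state

# Goal 4: mDNS from the LAN, matched on the DESTINATION port.
# In pf's grammar, "from $lan port mdns" attaches the port to the source
# side, so it only matches packets whose source port is 5353.
# mDNS is carried over UDP, so tcp is not listed here.
pass in log on $ext_if proto udp from $lan to any port mdns

# Goal 5: WireGuard listener. Encrypted WireGuard packets arrive on the
# physical interface from the peer's endpoint address, not from the tunnel
# subnet, so the source is left open and the destination port is pinned.
pass in log on $ext_if proto udp from any to any port 51820

# $wg_net is kept for rules about traffic that arrives already decrypted
# through the tunnel; the post states no goal for that traffic, so no rule
# is added for it here.
```

Parsing the file with "pfctl -nf /etc/pf.conf" checks the syntax without loading it, and "pfctl -vsr" shows the loaded rules with macros expanded, which makes the source-port versus destination-port placement visible.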