From: "Wesley Aptekar-Cassels" <me@wesleyac.com>
To: freebsd-questions@freebsd.org
Date: Fri, 15 Mar 2024 17:24:37 -0400
Subject: Filtering incoming WireGuard traffic with pf?
Message-Id: <6aee40eb-d7ac-4163-93a9-ae746da65c82@app.fastmail.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Hi all,

I have a WireGuard tunnel between two machines running FreeBSD 14.0-RELEASE-p3. This works well, but I want to reduce my attack surface by having WireGuard only decrypt packets from specific source IPs. My expectation is that this would be done in my pf configuration, but I am having trouble understanding the relationship between WireGuard and pf.

The relevant section of my /etc/pf.conf is:

```
ext_if = "vtnet0"
wg_lan = "10.10.0.0/24"

set skip on lo
scrub in

nat on $ext_if from $wg_lan to any -> ($ext_if)

block in on $ext_if
pass out
```

My WireGuard configuration sets Address, ListenPort, and PrivateKey for Interface, and PublicKey, PreSharedKey, AllowedIPs, and Endpoint for Peer. I can share the full config if needed, but from reading the wg(8) manpage it seems like there is no configuration knob to restrict source IPs in WireGuard, so I assume that I need to do something in pf to filter this.

My expectation was that `block in on $ext_if` would block WireGuard traffic and that I'd need a `pass in on $ext_if proto udp to ($ext_if) port 51820` line in order to enable it, but my WireGuard tunnel works even without that, which makes it seem to me that the decapsulation of the WireGuard traffic happens before it hits pf.

How can I restrict WireGuard traffic to only be accepted from particular source IPs? Is pf the correct place to do this, or should I be looking elsewhere?

Thanks,
:w
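As an added example (not from the original post), a pf.conf fragment that admits the WireGuard UDP port only from a table of trusted peer addresses, and also stops this host from sending WireGuard packets to anyone outside that table, since a stateful `pass out` would otherwise create state for an outbound handshake to any Endpoint and let that endpoint's replies in. The port 51820 (assumed to match ListenPort), the table name and the peer addresses are assumptions or constructed placeholders.

```pf
ext_if  = "vtnet0"
wg_lan  = "10.10.0.0/24"
wg_port = "51820"   # assumed: must match ListenPort in the WireGuard config

# Constructed example addresses: replace with the real remote Endpoint addresses.
table <wg_peers> const { 198.51.100.10, 203.0.113.20 }

set skip on lo
scrub in

nat on $ext_if from $wg_lan to any -> ($ext_if)

# Default-deny inbound on the external interface, as in the original rule set.
block in on $ext_if

# Refuse to initiate WireGuard sessions to hosts outside the table. "quick"
# makes this final, so the later "pass out" cannot create state for them.
block out quick on $ext_if proto udp from ($ext_if) port $wg_port to ! <wg_peers>

pass out

# Only listed peers may reach the WireGuard listener. Pass rules keep state by
# default, so the peer's subsequent packets on this flow match the state entry.
pass in on $ext_if proto udp from <wg_peers> to ($ext_if) port $wg_port
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it for real.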