Re: Filtering incoming WireGuard traffic with pf?
- In reply to: Lexi Winter : "Re: Filtering incoming WireGuard traffic with pf?"
Date: Mon, 18 Mar 2024 01:27:19 UTC
On Sun, Mar 17, 2024, at 7:05 AM, Lexi Winter wrote:
> what's likely going on here is that your local machine (the one running
> pf) is creating an outgoing connection to the Wireguard peer, which pf
> allows because of the 'pass out' rule. then because pf keeps state by
> default, the return traffic is also allowed, and there's no need for an
> incoming rule.
>
> you could test this by blocking traffic on the Wireguard port on both
> ends of the tunnel; that should prevent the Wireguard connection from
> coming up at all. however, you'll need to disable both ends of the
> peers for a few minutes before testing, to make sure any existing pf
> state has expired.

Indeed, this was it, thanks. I was confused because I did have the same pf configuration on both machines, but I must have pinged them both from each other via the wireguard IPs, so each one was allowing traffic from the other as return traffic.

I now have the following pf rule added, and everything works as expected:

    pass in on $ext_if proto udp from X.X.X.X to ($ext_if) port 51820

Thanks for the help!
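The following pf.conf fragment is an added example, not the poster's configuration; it puts the two situations from the thread side by side. The interface name, the peer address placeholder and the macro names are assumed; the UDP port 51820 and the shape of the final rule come from the message above.

```pf
# Added example pf.conf fragment (not the original poster's ruleset).
# Assumed: ext_if is the Internet-facing interface, wg_peer is a placeholder
# for the remote WireGuard endpoint's public address.
ext_if  = "em0"
wg_peer = "X.X.X.X"
wg_port = "51820"

# Default deny for inbound traffic on the external interface.
block in on $ext_if

# Outbound traffic is allowed. pf keeps state for this rule by default, so
# when this host initiates the WireGuard handshake, the peer's replies match
# the state entry and are accepted even though no 'pass in' rule exists.
# This is why the tunnel appeared to work without an inbound rule: each side
# had initiated toward the other, and each side's state covered the return
# traffic.
pass out on $ext_if

# Explicit inbound rule for handshakes the peer initiates. Restricting the
# source to the peer's address keeps the WireGuard port closed to everyone
# else; ($ext_if) in parentheses resolves the interface address at match
# time, so a changing address does not require a reload.
pass in on $ext_if proto udp from $wg_peer to ($ext_if) port $wg_port
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; `pfctl -f /etc/pf.conf` loads it. To confirm which rule is actually admitting the tunnel traffic, `pfctl -ss` lists current state entries: a state created by the `pass out` rule is what keeps an unexpected tunnel alive during a test, which is why the thread recommends waiting for that state to expire (or clearing it) before concluding that an inbound rule is unnecessary.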