Re: Filtering incoming WireGuard traffic with pf?

From: Wesley Aptekar-Cassels <me_at_wesleyac.com>
Date: Mon, 18 Mar 2024 01:27:19 UTC
On Sun, Mar 17, 2024, at 7:05 AM, Lexi Winter wrote:
> what's likely going on here is that your local machine (the one running
> pf) is creating an outgoing connection to the WireGuard peer, which pf
> allows because of the 'pass out' rule.  then because pf keeps state by
> default, the return traffic is also allowed, and there's no need for an
> incoming rule.
> 
> you could test this by blocking traffic on the WireGuard port on both
> ends of the tunnel; that should prevent the WireGuard connection from
> coming up at all.  however, you'll need to disable both ends of the
> peers for a few minutes before testing, to make sure any existing pf
> state has expired.

Indeed, this was it, thanks. I was confused because I did have the same pf
configuration on both machines, but I must have pinged them both from each
other via the WireGuard IPs, so each one was allowing traffic from the other as
return traffic.

I now have the following pf rule added, and everything works as expected:

pass in on $ext_if proto udp from X.X.X.X to ($ext_if) port 51820

Thanks for the help!

:w
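For readers arriving at this thread later, here is a minimal pf.conf that puts the rule above in context. It is an added example, not the configuration either poster actually runs: the interface names (em0, wg0), the default-deny policy and the macro names are assumptions, and X.X.X.X is kept as the placeholder for the remote peer's public address exactly as in the post.

```pf
# Added example pf.conf: default-deny inbound, stateful outbound, and an
# explicit inbound allowance for the WireGuard endpoint UDP port.
# Interface names and policy are assumptions, not the poster's config.

ext_if  = "em0"        # assumed external (Internet-facing) interface
wg_if   = "wg0"        # assumed WireGuard tunnel interface
wg_port = "51820"      # WireGuard listen port, as in the thread
wg_peer = "X.X.X.X"    # remote peer's public address (placeholder from the post)

set skip on lo0

# Default-deny inbound; log drops so a missing rule shows up in pflog0.
block in log all

# Outbound is allowed and, because pf keeps state by default, the matching
# return traffic is allowed too. This is why the tunnel came up on both ends
# without any 'pass in' rule once either side had initiated the exchange.
pass out all

# Accept WireGuard UDP from the known peer to this host's current address
# on $ext_if. The parentheses make pf re-resolve the interface address when
# the rule is evaluated, which matters if $ext_if gets its address via DHCP.
pass in on $ext_if proto udp from $wg_peer to ($ext_if) port $wg_port

# Traffic inside the tunnel is filtered separately on the wg interface;
# open only what the far side actually needs (ICMP shown as an example).
pass in on $wg_if inet proto icmp
```

A few checks that make the behaviour in the thread visible: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -ss | grep 51820` shows whether a state entry for the WireGuard exchange already exists (if it does, the `pass in` rule is never consulted for that peer), and `pfctl -F states` flushes the state table so you can re-test the inbound rule immediately instead of waiting for the entries to expire as Lexi suggests. Removing the `pass in` line and flushing state should then show the handshake being dropped and logged on pflog0 until one side initiates outbound again.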