Message-Id: <12846907-f22f-4bc3-bde9-5fef439d0a36@app.fastmail.com>
References: <6aee40eb-d7ac-4163-93a9-ae746da65c82@app.fastmail.com>
Date: Sun, 17 Mar 2024 21:27:19 -0400
From: "Wesley Aptekar-Cassels"
To: "Lexi Winter"
Cc: freebsd-questions@freebsd.org
Subject: Re: Filtering incoming WireGuard traffic with pf?
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
On Sun, Mar 17, 2024, at 7:05 AM, Lexi Winter wrote:
> what's likely going on here is that your local machine (the one running
> pf) is creating an outgoing connection to the Wireguard peer, which pf
> allows because of the 'pass out' rule. then because pf keeps state by
> default, the return traffic is also allowed, and there's no need for an
> incoming rule.
>
> you could test this by blocking traffic on the Wireguard port on both
> ends of the tunnel; that should prevent the Wireguard connection from
> coming up at all. however, you'll need to disable both ends of the
> peers for a few minutes before testing, to make sure any existing pf
> state has expired.

Indeed, this was it, thanks. I was confused because I did have the same pf configuration on both machines, but I must have pinged them both from each other via the wireguard IPs, so each one was allowing traffic from the other as return traffic.

I now have the following pf rule added, and everything works as expected:

pass in on $ext_if proto udp from X.X.X.X to ($ext_if) port 51820

Thanks for the help!
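As an added example (not from the thread), here is the rule above placed in a minimal pf.conf next to the stateful "pass out" that Lexi describes, with pfctl commands in the comments for checking and clearing state instead of waiting for it to expire. The interface names em0 and wg0 are assumed; X.X.X.X remains the placeholder for the peer's public address from the original rule.

```pf
# Added example pf.conf fragment; em0/wg0 are assumed interface names and
# X.X.X.X is the peer's public address placeholder carried over from the thread.
ext_if  = "em0"
wg_if   = "wg0"
wg_port = "51820"
wg_peer = "X.X.X.X"

set skip on lo0

# Deny everything by default. "keep state" is pf's default, so the "pass out"
# rule creates a state entry for each connection this host initiates and the
# replies are allowed without any "pass in" rule (the behaviour seen in the
# thread, where each peer had been contacted first from the other side).
block all
pass out on $ext_if keep state

# Explicit inbound entry, restricted to the one peer. Without it the tunnel
# only comes up when this host sends the first handshake; once that state
# expires (idle tunnel, reboot, peer endpoint change) the peer's handshakes
# are silently dropped until this side talks first again.
pass in quick on $ext_if proto udp from $wg_peer to ($ext_if) port $wg_port

# Traffic inside the tunnel is filtered on the WireGuard interface itself.
pass on $wg_if

# Verification (as root):
#   pfctl -nf /etc/pf.conf          # parse only, catch syntax errors
#   pfctl -f /etc/pf.conf           # load the ruleset
#   pfctl -ss | grep 51820          # list state entries for the WireGuard port
#   pfctl -k X.X.X.X                # kill states originating from the peer
#   pfctl -k 0.0.0.0/0 -k X.X.X.X   # kill states from this host to the peer
# After killing state on both ends, only the explicit "pass in" rule can let
# the peer's next handshake through, which reproduces the test Lexi suggests
# without waiting minutes for the state timeout.
```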