https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254015

--- Comment #13 from shamaz.ma...@gmail.com ---
Can you reproduce it yourself by adding net.link.ether.ipfw = 0 to
/etc/sysctl.conf

and writing firewall rules like these:

#!/bin/sh

IPFW="/sbin/ipfw -q"
IFACE="wg0"
PUB_IFACE="re1"
SKIP_IP="skipto 20000"
SKIP_ETHER="skipto 30000"

# Ports list:
SSH="22"
TELNET="23"
SMTP="25"
WHOIS="43"
WWW="80"
HTTPS="443"
POP3="110"
SSMTP="465"
POP3S="995"
GIT="9418"
FTPC="21"
FTPD="20"
IRC="6660-7000"
NTP="123"

OPENPORTS="$WWW,$HTTPS"
OPENPORTS="$OPENPORTS,$SSH,$WHOIS,$GIT"

GOODMACS="cc:af:78:58:73:a2 60:45:cb:64:2a:65 3c:7c:3f:3c:52:5b"
GOODMACS_TAG="100"
SUBNET="192.168.20.0/24"

LOCALIFACES="re0 wlan0 bridge0 lo0 tap0"

$IPFW -f flush
$IPFW -f nat flush

# Start NAT
$IPFW nat 1 config if $IFACE log same_ports reset

# Reassemble fragmented packets before they reach the filter rules
$IPFW add reass ip from any to any frag in

#$IPFW add $SKIP_ETHER ip from any to any layer2

$IPFW add check-state :before-nat

# Drop connections to LAN from untrusted macs
#$IPFW add allow ip from any to any tagged $GOODMACS_TAG via bridge0
# Allow DHCP
#$IPFW add allow udp from any 68 to me dst-port 67 in via bridge0 keep-state :before-nat
# And ICMP
#$IPFW add allow icmp from any to any via bridge0
# Drop everything else
#$IPFW add deny ip from any to $SUBNET in via bridge0

# Enable LAN traffic
for lan_iface in $LOCALIFACES; do
        $IPFW add allow ip from any to any via $lan_iface
done

# Public iface setup
# Wireguard
$IPFW add allow udp from me to 185.213.155.130 dst-port 51820 out \
    via $PUB_IFACE keep-state :before-nat
# OpenVPN
#$IPFW add allow udp from me to any dst-port 1197 out via $PUB_IFACE keep-state :before-nat

$IPFW add allow icmp from any to any via $PUB_IFACE
$IPFW add deny ip from any to any via $PUB_IFACE

$IPFW add nat 1 ip from any to any in via $IFACE
$IPFW add check-state :after-nat

# Allow DNS for this machine
$IPFW add $SKIP_IP tcp from me to any 53 out \
    via $IFACE setup keep-state :after-nat
$IPFW add $SKIP_IP udp from me to any 53 out via $IFACE keep-state :after-nat

# All common open ports
$IPFW add $SKIP_IP tcp from me to any $OPENPORTS out \
    via $IFACE setup keep-state :after-nat

# DHCP
$IPFW add $SKIP_IP udp from any 68 to any dst-port 67 out \
    via $IFACE keep-state :after-nat

# NTP
$IPFW add $SKIP_IP udp from me to any $NTP out via $IFACE keep-state :after-nat

# Allow ICMP
$IPFW add $SKIP_IP icmp from any to any via $IFACE

$IPFW add deny all from me to any out via $IFACE
$IPFW add deny all from any to me in via $IFACE
$IPFW add 20000 nat 1 ip from any to any out via $IFACE
$IPFW add allow ip from any to any via $IFACE
$IPFW add deny ip from any to any

# Ethernet-layer processing
$IPFW add 30000 allow ip from any to any mac-type arp
for mac in $GOODMACS; do
        $IPFW add allow tag $GOODMACS_TAG ip from any to any mac any $mac in
        $IPFW add allow tag $GOODMACS_TAG ip from any to any mac $mac any out
done
$IPFW add allow ip from any to any

You can drop all rules about VPN, home VLAN, etc. Just leave layer2 filtering.

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
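Added example (not part of the bug report above, and not FreeBSD project code): the reduced reproducer the comment suggests, with the VPN, NAT and home-VLAN rules dropped and only the layer2 tagging section kept. The ruleset is generated through a function so it can be reviewed with IPFW=echo before it is applied with IPFW="/sbin/ipfw -q"; each MAC is checked against a six-octet pattern first, because a malformed MAC in the list would abort the script part-way through loading and leave the firewall in a half-configured state. The interface names, tag number and rule base are assumptions, and the script does not change the sysctl setting mentioned in the comment.

```shell
#!/bin/sh
# Minimal layer2-only ipfw reproducer (added example, not from the bug report).
# With IPFW=echo (the default here) the commands are printed, not applied.

IPFW="${IPFW:-echo}"                        # set to "/sbin/ipfw -q" to apply
LOCALIFACES="${LOCALIFACES:-re0 bridge0 lo0}"   # assumed interface names
GOODMACS_TAG="${GOODMACS_TAG:-100}"         # tag applied to trusted frames
L2_BASE="${L2_BASE:-30000}"                 # first rule number of the L2 block

# valid_mac MAC: succeeds only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# emit_layer2_rules "mac1 mac2 ...": validate the list, then emit the ruleset.
# Returns 1 (and emits nothing) if any MAC is malformed.
emit_layer2_rules() {
    goodmacs="$1"
    for mac in $goodmacs; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done

    $IPFW -f flush

    # Ethernet frames jump to the layer2 block; IP packets fall through.
    $IPFW add skipto "$L2_BASE" ip from any to any layer2

    # IP layer: allow local interfaces, drop the rest.
    for lan_iface in $LOCALIFACES; do
        $IPFW add allow ip from any to any via "$lan_iface"
    done
    $IPFW add deny ip from any to any

    # Layer2 block: ARP passes untouched, frames to/from trusted MACs are
    # tagged so later IP-layer rules can match on "tagged $GOODMACS_TAG".
    $IPFW add "$L2_BASE" allow ip from any to any mac-type arp
    for mac in $goodmacs; do
        $IPFW add allow tag "$GOODMACS_TAG" ip from any to any mac any "$mac" in
        $IPFW add allow tag "$GOODMACS_TAG" ip from any to any mac "$mac" any out
    done
    $IPFW add allow ip from any to any
}
```

Run it once with IPFW=echo and read the output against the full ruleset above; the same rule ordering (skipto to the layer2 block, then the tag rules, then the catch-all allow) is what the comment asks to keep when everything else is removed.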