Hello all. A month ago I asked whether it is possible to tag an incoming connection and keep the tag after a redirect to another device with pf. The answer was no.
I thought about a way to restrict an OpenVPN connection based on the IP the connection was initiated from. Now I have found a way I would like to show. I hope it's not wasted bandwidth.

OpenVPN produces a status file like the following:

----------------------------------------------------
10.8.0.6,test.brandwand.domain,12.12.12.12:62140,Thu Jan 5 17:45:20 2006
10.8.0.14,world.brandwand.domain,11.11.11.11:60646,Thu Jan 5 17:05:48 2006
----------------------------------------------------

I read this file with a little script and set an anchor for every connection. After setting the active connections there should also be a step to reset or flush anchors that no longer exist. The script isn't finished; that will be next time. You need an anchor in pf.conf like

anchor "openvpn/*"

If there are any comments, they are welcome.

Regards
Karl-Heinz

# ---------------------------------------
# Wild Karl-Heinz (c) 2006-1-5
# Use it without any restrictions
# ---------------------------------------

# pf rules per OpenVPN common name; %IP% is replaced with the client's
# VPN address taken from the status file.
Rules = {
  "test.brandwand.domain" => [
    %q{pass in log quick on tun proto { tcp, udp } from %IP% to 1.1.1.1 flags S/SA tag RDR%IP% keep state
pass out log quick on int_if tagged RDR%IP%},
  ],
  "world.brandwand.domain" => [
    %q{pass in log quick on tun proto { tcp, udp } from %IP% to 1.1.1.1 flags S/SA tag RDR%IP% keep state}
  ]
}

# Keep only the status lines that start with an address
# (virtual address, common name, real address, last ref) and split them.
data = File.open( 'log.txt', 'r' ) { | io |
  io.grep( /^[0-9]+/ ) { | l | l.chomp.split( ',' ) }
}

data.each { | ary |
  # one anchor per client, named after the common name without the dots
  s = 'anchor openvpn/' + ary[ 1 ].gsub( '.', '' ) + "\n"
  # join the rule strings; Array#to_s does not give the plain rule text,
  # and a common name without an entry in Rules gets no rules at all
  s << ( Rules[ ary[ 1 ] ] || [] ).join( "\n" ).gsub( '%IP%', ary[ 0 ] )
  puts s
}
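As an added example (this is not Karl-Heinz's script above, and not OpenVPN or pf code), here is the same idea carried through: read the ROUTING TABLE section of an OpenVPN status file (status-version 1 layout), refuse rows whose certificate common name or virtual address cannot safely be interpolated into an anchor name or a pf rule, build one anchor per connected client, and add the flushing step the post leaves for later by comparing against the anchors a previous run loaded. The status file, the third client with a hostile CN, the SAFE_CN policy, the previously loaded anchor list and all function names are constructed for this example; the pfctl invocations (-a, -F rules, -f -, -s Anchors) are only printed, never run.

```ruby
# Added example, not the script from the post. Parses an OpenVPN status file
# (status-version 1 layout), builds one pf anchor per connected client and
# works out which stale anchors to flush. The sample data, SAFE_CN policy and
# helper names are assumptions made for this example.
require 'ipaddr'

# Constructed sample status file. The ROUTING TABLE rows are the lines the
# post reads (virtual address, common name, real address, last ref). The
# third client carries a deliberately hostile certificate CN.
SAMPLE_STATUS = <<~STATUS
OpenVPN CLIENT LIST
Updated,Thu Jan 5 17:50:00 2006
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
test.brandwand.domain,12.12.12.12:62140,1234,5678,Thu Jan 5 17:45:20 2006
world.brandwand.domain,11.11.11.11:60646,999,888,Thu Jan 5 17:05:48 2006
bad cn;rm -rf /,13.13.13.13:1,0,0,Thu Jan 5 17:49:00 2006
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,test.brandwand.domain,12.12.12.12:62140,Thu Jan 5 17:45:20 2006
10.8.0.14,world.brandwand.domain,11.11.11.11:60646,Thu Jan 5 17:05:48 2006
10.8.0.22,bad cn;rm -rf /,13.13.13.13:1,Thu Jan 5 17:49:00 2006
GLOBAL STATS
Max bcast/mcast queue length,0
END
STATUS

# Per-client rule templates keyed by certificate CN, as in the post;
# %IP% is replaced by the client's VPN address.
RULES = {
  'test.brandwand.domain' => [
    'pass in log quick on tun proto { tcp, udp } from %IP% to 1.1.1.1 flags S/SA tag RDR%IP% keep state',
    'pass out log quick on int_if tagged RDR%IP%',
  ],
  'world.brandwand.domain' => [
    'pass in log quick on tun proto { tcp, udp } from %IP% to 1.1.1.1 flags S/SA tag RDR%IP% keep state',
  ],
}.freeze

# Assumed policy: a CN ends up in an anchor name and in rule text, so only
# these characters are accepted; anything else is rejected, not interpolated.
SAFE_CN = /\A[A-Za-z0-9._-]+\z/

# Returns [clients, rejected]; each entry is {cn:, ip:}. A row is accepted
# only if it is in the ROUTING TABLE section, its CN matches SAFE_CN and its
# virtual address parses as IPv4.
def parse_status(text)
  clients, rejected, section = [], [], nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if ['OpenVPN CLIENT LIST', 'ROUTING TABLE', 'GLOBAL STATS', 'END'].include?(line)
      section = line
      next
    end
    next unless section == 'ROUTING TABLE' && !line.start_with?('Virtual Address')
    ip, cn = line.split(',', -1)
    ok = cn && cn.match?(SAFE_CN) && (IPAddr.new(ip).ipv4? rescue false)
    (ok ? clients : rejected) << { cn: cn, ip: ip }
  end
  [clients, rejected]
end

# Anchor name in the post's convention: the CN with the dots removed.
def anchor_name(cn)
  cn.delete('.')
end

# {anchor_name => rule text} for connected clients that have a template;
# a client without a template gets no anchor and therefore passes nothing.
def build_anchors(clients)
  clients.each_with_object({}) do |c, acc|
    next unless (tmpl = RULES[c[:cn]])
    acc[anchor_name(c[:cn])] = tmpl.map { |r| r.gsub('%IP%', c[:ip]) }.join("\n") + "\n"
  end
end

# The step the post leaves for later: flush anchors a previous run loaded
# whose client is gone, then (re)load every active anchor. `loaded` is the
# list of child anchor names under openvpn (what `pfctl -a openvpn -s Anchors`
# reports on a live box). Returned as argv arrays plus stdin text, never run
# here; handing argv arrays to IO.popen keeps a CN out of any shell.
def pfctl_plan(wanted, loaded)
  plan = (loaded - wanted.keys).map do |a|
    { argv: ['pfctl', '-a', "openvpn/#{a}", '-F', 'rules'], stdin: nil }
  end
  wanted.each do |a, rules|
    plan << { argv: ['pfctl', '-a', "openvpn/#{a}", '-f', '-'], stdin: rules }
  end
  plan
end

if __FILE__ == $PROGRAM_NAME
  clients, rejected = parse_status(SAMPLE_STATUS)
  rejected.each { |r| warn "rejected status row: #{r.inspect}" }
  previously_loaded = ['testbrandwanddomain', 'gonebrandwanddomain'] # constructed
  pfctl_plan(build_anchors(clients), previously_loaded).each do |step|
    puts step[:argv].join(' ')
    print step[:stdin] if step[:stdin]
  end
end
```

Two things to keep in mind when turning the plan into real pfctl calls: rules loaded into an anchor by a separate pfctl invocation do not see the macros defined in pf.conf, so an interface like int_if in the templates must either be a literal interface name or be supplied on the command line with pfctl's -D macro=value; and the rejected rows should be logged rather than silently dropped, because a client whose CN fails the policy ends up with no anchor and therefore no pass rules at all.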