On 04/08/17 10:39, Marina Ala wrote:
> I heard that OpenBSD's pf can prevent hole punching:
>
> https://en.wikipedia.org/wiki/Hole_punching_(networking)
>
> Is it true? I just cannot google on it, but if someone would answer this
> thread then the world can google for it from that point :D
Yes and no.

With a sufficiently restrictive rule set (e.g. https://home.nuug.no/~peter/pf/newest/simplest-secure.html, just to do some blatant self-promotion) you could be fairly certain to have successfully prevented access of any kind via the network. Working from that baseline you can then selectively allow access to and from the specific hosts the application needs. If you restrict traffic only between hosts under your control (and with systems you have verified do only what they're supposed to do), you may be close to preventing any unwanted traffic.

But most real-life setups do require at least *some* traffic to actually pass, and in some cases you would need to allow hosts inside your network to initiate connections to the outside. At that point it is almost certainly possible to set up some sort of tunneling.

PF is no more a magic bullet than any of the subsystems in the competing products are, but it *is* a very useful and capable tool for enforcing whatever policies you have in place.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
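The "restrictive baseline, then selectively allow" approach from the reply above, written out as a pf.conf. This is an added illustration, not a rule set from the thread or from Peter's linked page; the interface name, the RFC 5737 documentation addresses and the chosen services are assumptions.

```pf
# Added example: default-deny pf.conf that only permits traffic to and from
# explicitly listed hosts. Interface, addresses and ports are assumptions.
ext_if = "em0"

# The few peers this host is allowed to exchange traffic with
table <admin_hosts> { 192.0.2.10, 192.0.2.11 }    # constructed, RFC 5737 range
ntp_server  = "192.0.2.20"
mail_server = "192.0.2.21"

set skip on lo0
set block-policy drop

# Baseline: block everything in both directions and log it, so anything
# that later shows up in pflog is traffic the policy never intended.
block log all

# Outbound: only the specific services on the specific hosts the
# application needs. Every line here is a channel an inside host could
# use to initiate a connection outward, so keep the list short.
pass out on $ext_if proto udp from ($ext_if) to $ntp_server  port ntp
pass out on $ext_if proto tcp from ($ext_if) to $mail_server port smtp

# Inbound: administrative ssh from the named hosts only
pass in on $ext_if proto tcp from <admin_hosts> to ($ext_if) port ssh
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and review `pfctl -s rules` and the pflog output after loading to confirm only the intended pass rules exist.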