On 2019/02/24 21:44, Frank Beuth wrote:
> On Sun, Feb 24, 2019 at 09:56:12AM -0000, Stuart Henderson wrote:
> > PF 'user' should do the trick. Note: it only works for TCP/UDP but for
> > this you should be able to do something like
> > 
> > block all
> > pass inet proto tcp to 192.0.2.1 port 22 user sshtunnel
> 
> Thanks. You say "only works for TCP/UDP", what other things should I be
> aware of? ICMP?

Basically I'm trying to say, if you wanted to do it the other way round
(pass by default, block certain traffic) you wouldn't be able to block
everything.

If you're trying to stop all possible paths something on the system
might use to exfiltrate information then this is important (for example
if ping(1) is available and you're not blocking ICMP, this could be used
even as non-root with ping -p).

> > However if possible I would suggest either ssh tun forwarding or a VPN.
> > ssh socks forwarding is only for TCP which might be a bit restrictive,
> > plus you'll need special setup for applications with socks that you won't
> > need with tun forwarding or VPN.
> 
> I had no idea there was such a thing as SSH tun forwarding, thanks for
> telling me about it! :)

A useful addition to the toolkit :)
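The default-deny ruleset this thread describes, written out as a complete pf.conf fragment. This is an added example, not a ruleset posted by anyone in the thread; it assumes the account is named `sshtunnel`, uses the 192.0.2.1 address from the quoted rule, and relies on the OpenBSD `egress` interface group.

```pf
# Added example: confine one account to a single SSH server.
# 192.0.2.1 is the documentation address used in the thread.
tunnel_host = "192.0.2.1"

set skip on lo

# Default deny in both directions. 'return' makes blocked connections
# fail immediately instead of hanging until they time out; 'log' lets
# pflog(4) record what the confined account tried to reach.
block return log all

# 'user' is evaluated against the local socket owner and is only
# defined for TCP and UDP, so the allow rule can be scoped to the
# account. Everything else from that account (ICMP included) falls
# through to the block rule above.
pass out on egress inet proto tcp to $tunnel_host port 22 user sshtunnel

# Optional: keep the rest of the host usable for other accounts by
# adding further pass rules here. Do not do the reverse (pass all,
# then block per user): a 'user' block rule can never match ICMP or
# other non-TCP/UDP traffic, so it would not close every path.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the resulting rule with `pfctl -s rules` after `pfctl -f /etc/pf.conf`.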
