Hi misc,

I've been beating my head against the wall on and off for the last few weeks - it's past time to ask for help.

I'm trying to tunnel all internet traffic from my internal network (192.168.2.0/24) through another internet-facing machine (10.1.1.0/24) using IKEv2. After trying what seems to be every possibility of pf.conf and iked.conf combinations, I just can't seem to get it right. My closest attempt is to NAT all traffic from 192.168.2.0/24 to appear as virtual IP 10.1.1.2 on the other side, which is then NAT'd out to the internet as usual. The problem with this config is that ALL traffic, including local traffic to 192.168.2.0/24, is tunneled. This is not desired because I can no longer access my local gateway (192.168.2.1), or any locally hosted services.

What I think I need is to be able to specify something like "from 10.1.1.2 (192.168.2.0/24) to !192.168.2.0/24" instead of "...to 0.0.0.0/0" in my iked.conf, but this doesn't seem to be valid syntax. Nor does limiting the tunnel to certain protos/ports, e.g. ... proto { tcp udp } ... port { 53 80 443 }. It seems only one proto and port combination is accepted by iked. I tried adding additional flows manually - i.e. specifying only proto tcp ... port 80 in iked.conf and feeding a file of additional flows via ipsecctl -F, but I receive errors about bad syntax - even though I copied the lines from ipsecctl -sa. It looks like only IKEv1 syntax is accepted there?

I appreciate any thoughts and assistance.

Regards,

Daniel

dmesg (first machine):
OpenBSD 6.2 (GENERIC.MP) #2: Sun Dec 10 21:14:42 CET 2017
    r...@syspatch-62-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17033199616 (16244MB)
avail mem = 16509960192 (15745MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xecff0 (90 entries)
bios0: vendor American Megatrends Inc. version "2901" date 10/25/2015
bios0: ASUS All Series
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT SSDT SSDT SSDT MCFG HPET SSDT SSDT BGRT UEFI
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) UAR1(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP05(S4) PXSX(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz, 2498.89 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2498887240 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz, 2498.56 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz, 2498.56 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz, 2498.56 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz, 2498.56 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz, 2498.56 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 1, package 0
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz, 2498.56 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu6: 256KB 64b/line 8-way L2 cache
cpu6: smt 1, core 2, package 0
cpu7 at mainbus0: apid 7 (application processor)
cpu7: Intel(R) Xeon(R) CPU E3-1265L v3 @ 2.50GHz, 2498.56 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu7: 256KB 64b/line 8-way L2 cache
cpu7: smt 1, core 3, package 0
ioapic0 at mainbus0: apid 8 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf8000000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 2 (RP01)
acpiprt5 at acpi0: bus -1 (RP02)
acpiprt6 at acpi0: bus -1 (RP03)
acpiprt7 at acpi0: bus -1 (RP05)
acpiprt8 at acpi0: bus -1 (RP06)
acpiprt9 at acpi0: bus -1 (RP07)
acpiprt10 at acpi0: bus -1 (RP08)
acpiprt11 at acpi0: bus 3 (RP04)
acpiprt12 at acpi0: bus 4 (PXSX)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu4 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu5 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu6 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpicpu7 at acpi0: C2(200@148 mwait.1@0x33), C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: PG00, resource for PEG0
acpipwrres1 at acpi0: PG01, resource for PEG1
acpipwrres2 at acpi0: PG02, resource for PEG2
acpipwrres3 at acpi0: FN00, resource for FAN0
acpipwrres4 at acpi0: FN01, resource for FAN1
acpipwrres5 at acpi0: FN02, resource for FAN2
acpipwrres6 at acpi0: FN03, resource for FAN3
acpipwrres7 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 95 degC
acpitz1 at acpi0: critical temperature is 95 degC
"INT3F0D" at acpi0 not configured
"PNP0400" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpibtn0 at acpi0: PWRB
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
"PNP0A0A" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 2498 MHz: speeds: 2501, 2500, 2400, 2300, 2100, 2000, 1900, 1800, 1600, 1500, 1400, 1300, 1200, 1000, 900, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Xeon E3-1200 v3 Host" rev 0x06
ppb0 at pci0 dev 1 function 0 "Intel Core 4G PCIE" rev 0x06: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel I350" rev 0x01: msi, address a0:36:9f:a1:5d:98
em1 at pci1 dev 0 function 1 "Intel I350" rev 0x01: msi, address a0:36:9f:a1:5d:99
em2 at pci1 dev 0 function 2 "Intel I350" rev 0x01: msi, address a0:36:9f:a1:5d:9a
em3 at pci1 dev 0 function 3 "Intel I350" rev 0x01: msi, address a0:36:9f:a1:5d:9b
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics" rev 0x06
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1024x768, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
azalia0 at pci0 dev 3 function 0 "Intel Core 4G HD Audio" rev 0x06: msi
azalia0: No codecs found
xhci0 at pci0 dev 20 function 0 "Intel 9 Series xHCI" rev 0x00: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel 9 Series MEI" rev 0x00 at pci0 dev 22 function 0 not configured
em4 at pci0 dev 25 function 0 "Intel I218-V" rev 0x00: msi, address 78:24:af:46:9d:0e
ehci0 at pci0 dev 26 function 0 "Intel 9 Series USB" rev 0x00: apic 8 int 16
usb1 at ehci0: USB revision 2.0
uhub1 at usb1 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia1 at pci0 dev 27 function 0 "Intel 9 Series HD Audio" rev 0x00: msi
azalia1: codecs: Realtek/0x0887
audio0 at azalia1
ppb1 at pci0 dev 28 function 0 "Intel 9 Series PCIE" rev 0xd0
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 3 "Intel 82801BA Hub-to-PCI" rev 0xd0: msi
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 "ASMedia ASM1083/1085 PCIE-PCI" rev 0x04
pci4 at ppb3 bus 4
ehci1 at pci0 dev 29 function 0 "Intel 9 Series USB" rev 0x00: apic 8 int 23
usb2 at ehci1: USB revision 2.0
uhub2 at usb2 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
pcib0 at pci0 dev 31 function 0 "Intel Z97 LPC" rev 0x00
ahci0 at pci0 dev 31 function 2 "Intel 9 Series AHCI" rev 0x00: msi, AHCI 1.3
ahci0: port 0: 3.0Gb/s
ahci0: port 1: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, ST2000DL003-9VT1, CC98> SCSI3 0/direct fixed naa.5000c5002f57b022
sd0: 1907729MB, 512 bytes/sector, 3907029168 sectors
sd1 at scsibus1 targ 1 lun 0: <ATA, INTEL SSDSC2KW51, LHF> SCSI3 0/direct fixed naa.55cd2e414df07762
sd1: 488386MB, 512 bytes/sector, 1000215216 sectors, thin
ichiic0 at pci0 dev 31 function 3 "Intel 9 Series SMBus" rev 0x00: apic 8 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x51: 4GB DDR3 SDRAM PC3-12800
spdmem1 at iic0 addr 0x52: 8GB DDR3 SDRAM PC3-12800
spdmem2 at iic0 addr 0x53: 4GB DDR3 SDRAM PC3-12800
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
efifb at mainbus0 not configured
uhidev0 at uhub0 port 13 configuration 1 interface 0 "BTC USB Multimedia Keyboard" rev 1.10/1.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 13 configuration 1 interface 1 "BTC USB Multimedia Keyboard" rev 1.10/1.00 addr 2
uhidev1: iclass 3/0, 3 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=3, output=0, feature=0
uhid2 at uhidev1 reportid 3: input=3, output=0, feature=8
uhub0: port 14, set config 0 at addr 3 failed
uhub0: device problem, disabling port 14
uhub3 at uhub1 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
uhub4 at uhub2 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd1a (9dd9fb93fdd48037.a) swap on sd1b dump on sd1b

dmesg (second machine, KVM guest):
OpenBSD 6.2 (GENERIC.MP) #134: Tue Oct  3 21:22:29 MDT 2017
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4278181888 (4079MB)
avail mem = 4141502464 (3949MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf1480 (13 entries)
bios0: vendor Bochs version "Bochs" date 01/01/2011
bios0: Bochs Bochs
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel KVM processor v2, 290.10 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,OSXSAVE,AVX,F16C,RDRAND,HV,NXE,RDTSCP,LONG,LAHF,PERF,FSGSBASE,SMEP,ERMS
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 999MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel KVM processor v2, 459.08 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,OSXSAVE,AVX,F16C,RDRAND,HV,NXE,RDTSCP,LONG,LAHF,PERF,FSGSBASE,SMEP,ERMS
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu1: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: smt 0, core 0, package 1
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
"PNP0F13" at acpi0 not configured
"PNP0700" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
pvbus0 at mainbus0: KVM
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 00:16:3e:f0:e1:e2
virtio0: msix shared
virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Memory" rev 0x00
viomb0 at virtio1
virtio1: apic 0 int 11
virtio2 at pci0 dev 5 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio2
scsibus1 at vioblk0: 2 targets
sd0 at scsibus1 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
sd0: 5120MB, 512 bytes/sector, 10485760 sectors
virtio2: msix shared
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 1.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd1: 5114MB, 512 bytes/sector, 10473788 sectors
root on sd1a (dff50f8e47dd8b4f.a) swap on sd1b dump on sd1b
fd0 at fdc0 drive 1: density unknown

iked.conf (initiator side, the gateway in front of 192.168.2.0/24):
ikev2 "test" active ipcomp esp \
        from 10.1.1.2 (192.168.2.0/24) to 0.0.0.0/0 \
        from <client ext ip> to 0.0.0.0/0 \
        peer <server ext ip> \
        psk "test"

iked.conf (responder side, the internet-facing machine):
ikev2 "test" ipcomp esp \
        from 10.1.1.0/24 to <client ext ip> \
        from <server ext ip> to <client ext ip> \
        local <server ext ip> peer <client ext ip> \
        psk "test"

pf.conf (gateway in front of 192.168.2.0/24):

# Options
set loginterface egress
set optimization normal
set block-policy drop
set skip on lo

# Queue assignment before NAT
queue outq on egress bandwidth 81M max 81M flows 1024 qlimit 1024 default

# Sanitize packets
match in all scrub (no-df random-id max-mss 1440)

# NAT
match out on enc0 from 192.168.2.0/24 to any nat-to 10.1.1.2

# Block unwanted traffic
antispoof log quick for { lan vether }
block log all

# Pass LAN traffic
pass quick on { lan vether } from any to any keep state

# Pass egress/VPN traffic
pass quick on enc from any to any keep state (if-bound)
pass out quick on egress from any to any keep state
pass in on egress proto esp from any to (egress:0)
pass in on egress proto udp from any to (egress:0) port { isakmp, ipsec-nat-t } keep state

pf.conf (internet-facing machine):
table <martians> const persist counters { \
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 \
    198.51.100.0/24 203.0.113.0/24 240.0.0.0/4 255.255.255.255/32 }

table <adhosts> persist counters file "/etc/pf.adhosts"
table <malware> persist counters file "/etc/pf.malware"

# Options
set loginterface egress
set optimization normal
set block-policy drop
set skip on lo

# Queue assignment before NAT
queue outq on egress bandwidth 81M max 81M flows 1024 qlimit 1024 default

# Sanitize packets
match in all scrub (no-df random-id max-mss 1440)

# NAT
match out on egress from !(egress:network) to any nat-to (egress:0)

# Block unwanted traffic
block log all
block log quick proto tcp all flags SF/SFRA
block log quick proto tcp all flags FPU/SFRAUP
block log quick proto tcp all flags /SFRA
block log quick proto tcp all flags F/SFRA
block log quick proto tcp all flags U/SFRAU
block log quick proto tcp all flags FUP/FUP
block log quick inet proto icmp all icmp-type redir
block log quick from { <martians> no-route urpf-failed <adhosts> <malware> }
block return log quick to { <martians> no-route <adhosts> <malware> }

# https://datatracker.ietf.org/doc/draft-ietf-opsec-icmp-filtering/history/
# https://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-04
pass     log inet proto icmp             icmp-type  3 code  0 keep state (max 32)
pass     log inet proto icmp             icmp-type  3 code  1 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  3 code  2 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  3 code  2 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  3 code  3 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  3 code  3 keep state (max 32)
pass     log inet proto icmp             icmp-type  3 code  4 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  3 code  5 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  3 code  5 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  3 code  7 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  3 code 11 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  3 code 11 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  3 code 12 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  3 code 12 keep state (max 32)
pass     log inet proto icmp             icmp-type  3 code 13 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  3 code 14 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  3 code 14 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  3 code 15 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  3 code 15 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  5 code  0 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  5 code  0 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  5 code  1 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  5 code  1 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  5 code  2 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  5 code  2 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  5 code  3 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  5 code  3 keep state (max 32)
pass     log inet proto icmp             icmp-type 11 code  0 keep state (max 32)
pass     log inet proto icmp             icmp-type 11 code  1 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type 12 code  0 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type 12 code  0 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type 12 code  1 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type 12 code  1 keep state (max 32)
pass     log inet proto icmp             icmp-type  8 code  0 keep state (max 32)
pass     log inet proto icmp             icmp-type  0 code  0 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type 10 code  0 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type 10 code  0 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type  9 code  0 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type  9 code  0 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type 13 code  0 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type 13 code  0 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type 14 code  0 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type 14 code  0 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type 17 code  0 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type 17 code  0 keep state (max 32)
pass in  log inet proto icmp to   (self) icmp-type 18 code  0 keep state (max 32)
pass out log inet proto icmp from (self) icmp-type 18 code  0 keep state (max 32)

# Allow traceroute
pass in log on egress inet proto udp to (egress) port { 33435:33525 } keep state

# Pass LAN traffic
pass quick on { lan vether } from any to any keep state

# Pass egress/VPN traffic
pass quick on enc from any to any keep state (if-bound)
pass out quick on egress from any to any keep state
pass in on egress proto esp from any to (egress:0) keep state
pass in on egress proto udp from any to (egress:0) port { isakmp, ipsec-nat-t } keep state

# SSH (TCP only; "proto tcp udp" is not valid pf syntax, a protocol list needs braces: proto { tcp udp })
pass in on egress proto tcp from any to (egress:0) port ssh keep state

sysctl.conf (first machine):
net.inet.ip.forwarding=1
net.inet.ah.enable=0
net.inet.ipcomp.enable=1
net.inet.tcp.ecn=1
net.inet.tcp.mssdflt=1440
kern.bufcachepercent=90
kern.splassert=2
machdep.kbdreset=1
ddb.panic=0
net.inet.ip.ifq.maxlen=4096

sysctl.conf (second machine):
net.inet.ip.forwarding=1
net.inet.ah.enable=0
net.inet.ipcomp.enable=1
net.inet.tcp.ecn=1
net.inet.tcp.mssdflt=1440
kern.bufcachepercent=90
kern.splassert=2
machdep.kbdreset=1
ddb.panic=0
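Two ways to keep 192.168.2.0/24 out of the tunnel using syntax that iked and ipsecctl do accept, as an added example that is not part of Daniel's post or of OpenBSD itself. The LAN prefix, the 10.1.1.2 virtual address and the <client ext ip> / <server ext ip> placeholders are taken from the post; the policy name, the PSK placeholder and every function name below are assumptions. First, iked.conf has no "to !net" negation, but one policy may carry several from/to pairs, so the single "to 0.0.0.0/0" can be expanded into one pair per prefix of 0.0.0.0/0 minus the LAN (24 prefixes for a /24). Second, a "type bypass" flow in ipsec.conf(5), loaded with ipsecctl next to iked, exempts LAN-to-LAN traffic: the kernel SPD returns the most specific matching flow, so a 192.168.2.0/24 to 192.168.2.0/24 bypass wins over iked's 192.168.2.0/24 to 0.0.0.0/0 flow in both directions, and the inbound half is what matters for the "cannot reach 192.168.2.1 any more" symptom, because iked's flow also applies to cleartext packets arriving for the gateway. The script renders both fragments and includes a small model of that SPD lookup:

```python
"""Keep 192.168.2.0/24 out of an IKEv2 "tunnel everything" policy on OpenBSD.

Added example for this thread, not code from the original post.  The LAN
prefix, the 10.1.1.2 virtual address and the <client ext ip> / <server ext ip>
placeholders are taken from the post; the policy name, the PSK placeholder
and every function name here are assumptions.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.2.0/24")
VIRTUAL_IP = "10.1.1.2"


def complement_prefixes(lan, within=ANY):
    """Smallest CIDR list covering `within` minus `lan` (24 prefixes for a /24)."""
    return sorted(within.address_exclude(lan))


def covering_prefix(prefixes, addr):
    """The prefix (as a string) that would carry traffic to addr, or None."""
    a = ipaddress.ip_address(addr)
    for net in prefixes:
        if a in net:
            return str(net)
    return None


def render_iked_policy(name, lan, virtual_ip, client_ext, server_ext, psk):
    """iked.conf policy with one from/to pair per non-LAN prefix.

    iked.conf has no 'to !net' negation, but one policy may carry several
    from/to pairs, so the single 'to 0.0.0.0/0' is expanded instead.
    """
    lines = [f'ikev2 "{name}" active ipcomp esp \\']
    for net in complement_prefixes(lan):
        lines.append(f"\tfrom {virtual_ip} ({lan}) to {net} \\")
    lines.append(f"\tfrom {client_ext} to 0.0.0.0/0 \\")
    lines.append(f"\tpeer {server_ext} \\")
    lines.append(f'\tpsk "{psk}"')
    return "\n".join(lines)


def render_bypass_flows(lan, gateway_extra=()):
    """ipsec.conf(5) bypass flows that exempt LAN<->LAN traffic from IPsec.

    A flow without 'in'/'out' installs both directions, so this also covers
    the inbound half (from 0.0.0.0/0 to 192.168.2.0/24) of iked's flow that
    otherwise applies to cleartext packets arriving for 192.168.2.1.
    gateway_extra lists gateway addresses outside the LAN (e.g. its egress
    address) that LAN hosts should also reach without the tunnel.
    """
    lines = [f"flow esp from {lan} to {lan} type bypass"]
    for addr in gateway_extra:
        lines.append(f"flow esp from {lan} to {addr} type bypass")
    return "\n".join(lines)


def spd_select(flows, src, dst):
    """Simplified model of the kernel SPD lookup (assumption: a radix tree
    keyed on source and destination, so the most specific flow wins).
    flows: iterable of (src_net, dst_net, action)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for fsrc, fdst, action in flows:
        if src in fsrc and dst in fdst:
            spec = fsrc.prefixlen + fdst.prefixlen
            if best is None or spec > best[0]:
                best = (spec, action)
    return best[1] if best else "none"


# What iked installs for 'from 10.1.1.2 (192.168.2.0/24) to 0.0.0.0/0' ...
IKED_FLOWS = [(LAN, ANY, "esp")]
# ... and the same SPD with the bypass flow added next to it.
WITH_BYPASS = IKED_FLOWS + [(LAN, LAN, "bypass")]

if __name__ == "__main__":
    print(render_iked_policy("test", LAN, VIRTUAL_IP,
                             "<client ext ip>", "<server ext ip>", "<shared secret>"))
    print()
    print(render_bypass_flows(LAN, gateway_extra=["<client ext ip>"]))
    print()
    for dst in ("192.168.2.1", "8.8.8.8"):
        print(f"192.168.2.5 -> {dst}: iked only = {spd_select(IKED_FLOWS, '192.168.2.5', dst)}, "
              f"with bypass = {spd_select(WITH_BYPASS, '192.168.2.5', dst)}")
```

Check the rendered fragments with `iked -n -f <file>` and `ipsecctl -n -f <file>` before loading them. The bypass flows go into /etc/ipsec.conf and are loaded with `ipsecctl -f /etc/ipsec.conf` (lower-case -f; upper-case -F flushes the whole SPD and SADB, iked's flows included); set ipsec=YES in rc.conf.local so they are reinstalled at boot. Whichever variant you use, the responder's policy still has to match the initiator's traffic selectors, so compare `ipsecctl -sa` on both ends once the SA is up and confirm that only the expected flows exist and that 192.168.2.0/24 to 192.168.2.0/24 shows up as bypass.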
