On Mon, Aug 14, 2023 at 05:54:55PM +0530, SOUBHEEK NATH said:

2. Please have a look at the configuration I have implemented.

    pass in quick on wg0 proto tcp from 10.0.8.3/32 to any port {22 80}
    block in on wg0 proto tcp from any to any port {22 80}
    block in quick on bwfm0 proto tcp from any to any port {22 80}

[ snip ]

  I. I use the word "quick" in the first line to prevent the "block"
  rules in the second line from taking precedence over it.

In general I prefer in my pf ruleset to block first and then explicitly allow things through. I find this causes far fewer mistakes. The very first rule in my ruleset is:

``block log all label "Default block"''

I try to avoid ``quick'' rules unless there is a really good reason to use them. They can introduce some unintended side-effects if you aren't careful, and if you find yourself using many of them you probably should re-think your rules. For example, directly after the default block I also block bogon IP addresses from my WAN interface and I do it with quick so I don't accidentally unblock them later:

``block drop in quick log on egress inet from <ipv4-bogons> to any''

(I have a table populated with bogon addresses)

You may wish to review the PF handbook, the filter section seems a good place to start.

https://www.openbsd.org/faq/pf/filter.html

--
Please direct replies to the list.

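As an added illustration (not from either message in the thread), the wg0/bwfm0 rules quoted from the first message recast in the block-first layout the reply describes. The interface names, the peer 10.0.8.3, the ports and the table name come from the thread; the table contents are a partial sample and are assumed to be loaded from a maintained bogon list in practice.

```pf
# Added example, not part of the original thread.
# Bogon table: partial sample only. In practice keep the full list in a
# file and load it with, e.g.:
#   table <ipv4-bogons> persist file "/etc/pf.bogons"
table <ipv4-bogons> persist { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
                              169.254.0.0/16, 172.16.0.0/12,     \
                              192.168.0.0/16, 224.0.0.0/3 }

admin_ports  = "{ 22 80 }"
trusted_peer = "10.0.8.3"

# 1. Default deny, first. pf evaluates last matching rule wins, so every
#    later rule without "quick" is an explicit exception to this one.
block log all label "Default block"

# 2. Bogon sources on the WAN are dropped immediately. This is the one
#    place "quick" earns its keep: no later pass rule can re-admit them.
block drop in quick log on egress inet from <ipv4-bogons> to any

# 3. Explicit allow. The first message needed "quick" on its pass rule
#    only because its own block rules came after it. With the default
#    block at the top, no "quick" is needed here, and the separate
#    "block in on wg0 ... port {22 80}" and
#    "block in quick on bwfm0 ... port {22 80}" lines are unnecessary,
#    provided no later rule passes that traffic.
pass in on wg0 proto tcp from $trusted_peer to any port $admin_ports

# Nothing is needed for bwfm0: the default block already covers it.
```

Check the result with `pfctl -nf /etc/pf.conf` (parse only) and `pfctl -sr` after loading, and confirm with `pfctl -vsr` that the default block's counters, not the bwfm0 rule, are absorbing the denied traffic.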