The setup is like that:<\/p>\n
Internet (public IP) — ISP router — FreeBSD 13.1 host — OpenBSD 7.2 virtual machine<\/p>\n
the OpenBSD is running a) ssh server with Yubikey authorization, b) Wireguard VPN server, c) L2TP VPN as a back-up on the Wireguard. The ISP router is forwarding ports tcp 22 (ssh), tcp 443 (Wireguard), udp 400 and 4500 for the L2TP VPN to the OpenBSD address directly.<\/p>\n
The pf.conf rules to make this setup work:<\/p>\n
[root@openbsd dilyan]$ cat \/etc\/pf.conf
\nset block-policy return
\nset limit table-entries 400000 #due to pfbadhost
\nset skip on lo
\next_if = “vio0”
\nvpn_if = “pppx”
\nvpn_net = “10.0.0.0\/24”
\nhome_net = “192.168.0.0\/24” #home network thru VPN
\noffice_net = “192.168.1.0\/24” # office network
\ntable <bruteforce> persist #table for ssh-attackers
\ntable <pfbadhost> persist file “\/etc\/pf-badhost.txt”<\/p>\n
antispoof for { $ext_if, $vpn_if }
\nmatch in all scrub (no-df random-id )<\/p>\n
block return # block stateless traffic
\nblock quick from <bruteforce> #block the ssh-attackers
\nblock in quick on egress from <pfbadhost>
\nblock out quick on egress to <pfbadhost><\/p>\n
# By default, do not permit remote connections to X11
\nblock return in on ! lo0 proto tcp to port 6000:6010
\n# Port build user does not need network
\nblock return out log proto {tcp udp} user _pbuild
\nblock all<\/p>\n
pass # establish keep-state
\npass inet proto icmp synproxy state #allow ICMP protocol – all
\npass proto { tcp, udp } from { wg0:network, $home_net, $vpn_net, $office_net } to port { ssh, domain }
\npass proto { tcp, udp } to port { ssh, 500, 4500 } keep state (max-src-conn 5, max-src-conn-rate 3\/60, overload <bruteforce> flush global)
\npass proto udp from {$ext_if, $office_net} to port { 123 } #allow network time protocol (NTP) port<\/p>\n
# Rule for WireGuard VPN to NAT traffic to public net#
\nmatch out on $ext_if from wg0:network to any nat-to $ext_if<\/p>\n
# Rules for L2TP VPN to work and NAT traffic #
\npass on $ext_if proto esp # allow ESP protocol on public interface
\npass on $ext_if proto udp to port { isakmp, ipsec-nat-t } # allow isakmpd UDP traffic through the public interface on ports 500 and 4500
\npass on enc0 keep state (if-bound) # filter all IPSec traffic on the enc interface
\npass on $vpn_if from { $vpn_net, $home_net } # allow all trafic in on and out to the VPN network
\npass on $vpn_if to { $vpn_net, $home_net }
\nmatch out on $ext_if from $vpn_net to any nat-to $ext_if # nat VPN traffic going out on the public interface with the public IP<\/p>\n
These rules will _not_ work on FreeBSD, as their implementation requires grouping the rules in particular order – Macros, Tables, Options, Normalization, NAT\/Redirections and then Filtering (i.e. you need to rearrange the rules).<\/p>\n
Once you open port 22 for ssh service on a public IP address, attackers will start attempts like ~17-20k tries per day. This is why I implemented the table, so an IP that tries to guess a username\/password more than 3 times per 60 minutes to be blocked for a day. This reduced the attacks to less than 12k per day. Then I followed this how-to https:\/\/geoghegan.ca\/pfbadhost.html to block malicious IPs thru the table and the attempts dropped below 9k per day.<\/p>\n","protected":false},"excerpt":{"rendered":"
The setup is like that: Internet (public IP) — ISP router — FreeBSD 13.1 host — OpenBSD 7.2 virtual machine the OpenBSD is running a) ssh server with Yubikey authorization, b) Wireguard VPN server, c) L2TP VPN as a back-up on the Wireguard. The ISP router is forwarding ports tcp 22 (ssh), tcp 443 (Wireguard), […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,3],"tags":[],"class_list":["post-78","post","type-post","status-publish","format-standard","hentry","category-bsd","category-security"],"yoast_head":"\n