Friday, February 28, 2025

Re: isolate a wireguard vpn in rdomain

My understanding is that the host doesn't have a routable connection from rdomain 0 to rdomain 1. wg1 and lo1 are specific to that rdomain, and sshd is 'attached' to rdomain 0.

For the VM to interact directly with the host, you would have to add pair interfaces (see ifconfig man page) to route traffic between the rdomains.

VM ---- wg1 ---- wg network
               |
            host ----- wg1 endpoint

No traffic flows from rdomains 1 to 0 without explicitly making that possible, so pass in ssh to self is fine.

Sorry for what'll be screwed formatting; I'm at work w/o access to my normal rig.

On Fri, Feb 28, 2025, 09:37 alpha beta <leonixyz@gmail.com> wrote:
> > add 'wgrtable 0' to hostname.wg1, and search for wgrtable in `man ifconfig'. it
> > sets which rdomain the actual wireguard packets transit. the wireguard
> > network and interface will be isolated to rdomain 1 while the wireguard packets
> > will traverse through rdomain 0.
> >
> > this is also how you achieve a default route over wireguard in openbsd.
>
> exactly; depending on the use-case you can either put the wg interface
> itself in the default rdomain and a physical uplink interface in a
> non-default (using wgrtable <rdomain of uplink>), or vice-versa (using
> wgrtable 0).

Thank you both. This did the trick. I read the man pages and also plenty of
other online resources, but I missed this detail.

> > as a side note, your pf.conf could still use some work; one would traditionally
> > start with 'block all' as pf uses the last matching rule (except for matches
> > statements). the `quick' modifier causes pf to immediately match on that rule
> > and ignore anything further.
>
> I like that approach too. There's an implicit default rule equivalent to
> "pass flags any no state" - you don't want anything to match this in
> normal use as a stateful firewall - so a simple "block all" or "block log
> all" at the top of the ruleset makes that clear.

I agree. This was my first pf firewall attempt. Will keep on studying and
experimenting to improve my knowledge. My reasoning was the following:
I am aware that many examples start with a `block all` rule, however,
I don't always want to wait for all rules to be evaluated to take most decisions,
therefore I try to "push up" as many quick rules as possible, to speed up
things.

Anyway, there is just a single thing in your rules that does not fit my case:
> # make sure you can ssh in
> pass in on any proto tcp from any to self port 22

This, unless I am missing something again, allows ssh access also from
within the wireguard network, which is why I was interested in moving them
to an isolated rdomain in the first place.

Wireguard networks should not have any access to SSH, etc.
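A pf.conf sketch for the layout discussed in this thread (wg1 in rdomain 1 with "wgrtable 0", management only on the rdomain 0 uplink), added here as an illustration and not taken from anyone's message; the egress group, the 10.0.0.0/24 tunnel network and port 51820 are assumed placeholders:

```pf
# Added example, not from the thread. Assumed layout: the physical uplink
# (group egress) lives in rdomain 0; wg1 is in rdomain 1 and carries
# "wgrtable 0" in /etc/hostname.wg1 so the encrypted UDP transits rdomain 0.
# The tunnel network and port below are placeholders.
wg_net  = "10.0.0.0/24"
wg_port = "51820"

set skip on lo

# Default deny, as suggested in the thread; the implicit last rule would
# otherwise pass statelessly.
block log all

# Management reaches the host only via the uplink. "on egress" instead of
# "on any" keeps this rule from matching on wg1, because "self" also covers
# wg1's own address.
pass in quick on egress proto tcp from any to self port 22

# WireGuard transport packets arrive in rdomain 0 (wgrtable 0).
pass in quick on egress proto udp from any to self port $wg_port
pass out quick on egress

# rdomain 1: only traffic that is forwarded through the tunnel is allowed;
# nothing here lets the tunnel network reach services bound on the host.
pass in quick on wg1 inet from $wg_net to ! self
pass out quick on wg1 inet to $wg_net
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and confirm the wg1 address does not show up as reachable on port 22 from a tunnel peer.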
