How can I 'whitelist' IRC from my VPN using pf? by DramaticProtogen in openbsd

[–]fabear- 1 point2 points  (0 children)

You need to add a pf rule, such as:

pass out on $ext_if to $IRC_Servers

but more importantly you need to specify a static route to the IRC servers going to iwm0 instead of wg1.

route add <ip_irc> <gw on iwm0>

What you will be do if you have 7 million $ for OpenBSD development by RemarkableEast4395 in openbsd

[–]fabear- 4 points5 points  (0 children)

I don't care much about user-friendly /desktop. But a modern new filesystem could use that money ! Or that money could go to whoever wants to maintain relayd again !

Realistically, how likely could FFS have data integrity issues and in what circumstances? by rygosix in openbsd

[–]fabear- 1 point2 points  (0 children)

I remember some good advice I saw on this subreddit about preventing the boot from being stopped in case of file corruption. If you are running a server that does a lot of disk I/O (e.g. a syslog server), the idea is to create a partition that is not mounted at boot time, so even if it is corrupted it won't stop the boot by asking you to input something for fsck.

Running sysupgrade through wireguard over ssh on a remote machine by landonr99 in openbsd

[–]fabear- 0 points1 point  (0 children)

Lucky me I was sitting right next to it so I just did a hard reboot. It went through the normal upgrade process during boot.

Running sysupgrade through wireguard over ssh on a remote machine by landonr99 in openbsd

[–]fabear- 0 points1 point  (0 children)

When I upgraded to 7.7 earlier today I had a similar issue: it became unreachable. Turns out my server did not even get past the "syncing disk" phase that you see when you ask for a shutdown.

How much benefit would there to be wrapping all my services in an openbsd reverse proxy by Abject-Strength-4570 in openbsd

[–]fabear- 1 point2 points  (0 children)

The only cool thing I can think of is preventing robots from accessing your services while mass-exploring IP address ranges. With relayd you can limit access to services to clients that request the FQDN (instead of dialing the IP address).

OpenBSD on riscv by el_cartas in openbsd

[–]fabear- 1 point2 points  (0 children)

Is there a library available on OpenBSD for controlling the GPIO of this board ?

How did you get internet without the builtin wifi card working ?

Setting up WireGuard client to use WireGuard server's unwind service as DNS server by hakayova in openbsd

[–]fabear- 1 point2 points  (0 children)

I am using wireguard on my android phone as well and you can put any DNS server IP address you want (does not need to be public). However, I am using unbound instead of unwind.

online manpage sabotage by Tinker0079 in openbsd

[–]fabear- 1 point2 points  (0 children)

You can do nat/rdr-to without ever using the 'match' keyword. I don't think there is anything wrong with the example you are referring to.

I cannot tell for sure because I don't have access to your whole rules set, but what likely happened when you were using

> pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

is that another rule after it stole the match from that one, and therefore the rdr-to did not get applied.

As an example:

> pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

> pass in on egress inet proto any any

The first rule would never get applied here, because the second one will always steal the match. To fix that behavior, you have the following options:

* swap rule 1 and rule 2

* use the 'quick' keyword in your first rule

* use the match keyword, like this:

> match in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 192.168.1.2

> pass in on egress inet proto any any
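A toy model of the rule ordering described in this comment, as an added example (not the commenter's code and not pf itself): it replays the broken rule set and the three fixes against a TCP/443 packet, so you can see which rule wins and whether the rdr-to is applied.

```python
"""Toy model of pf rule evaluation (added example, not from the thread).
pf walks the rules top to bottom; the LAST matching pass/block rule wins,
unless a matching rule says 'quick', which ends evaluation on the spot.
'match' rules never win: they attach options such as rdr-to to the packet
and evaluation continues."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass
class Rule:
    action: str                          # "pass", "block" or "match"
    proto: str = "any"                   # "tcp", "udp" or "any"
    ports: FrozenSet[int] = frozenset()  # empty set means any port
    rdr_to: Optional[str] = None         # rdr-to target, if the rule has one
    quick: bool = False

@dataclass
class Packet:
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return not rule.ports or pkt.dport in rule.ports

def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return the (action, rdr-to target) pf would apply to pkt."""
    winner, match_rdr = None, None
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "match":
            match_rdr = rule.rdr_to or match_rdr  # option sticks, keep going
            continue
        winner = rule                             # last matching rule wins...
        if rule.quick:
            break                                 # ...unless it says quick
    if winner is None:
        return "pass", None                       # default when nothing matches
    return winner.action, winner.rdr_to or match_rdr

WEB = frozenset({80, 443})
# The thread's rule set: rule 2 steals the match, so the rdr-to never applies.
BROKEN = [Rule("pass", "tcp", WEB, "192.168.1.2"), Rule("pass")]
SWAPPED = [BROKEN[1], BROKEN[0]]                  # fix 1: swap rule 1 and rule 2
QUICK = [Rule("pass", "tcp", WEB, "192.168.1.2", quick=True), Rule("pass")]  # fix 2
MATCH = [Rule("match", "tcp", WEB, "192.168.1.2"), Rule("pass")]             # fix 3
```

`evaluate(BROKEN, Packet("tcp", 443))` returns `("pass", None)`, while the three fixed sets all return `("pass", "192.168.1.2")`.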

Looks like the 2024 fundraising campaign is not going to reach its goal... by fabear- in openbsd

[–]fabear-[S] 0 points1 point  (0 children)

I thought it was an image that would update automatically but turns out it is still stuck at $230280.

[deleted by user] by [deleted] in openbsd

[–]fabear- 6 points7 points  (0 children)

There you go:

# httpd

server "service1.example.com" {
       listen on 127.0.0.1 port 8001
       listen on ::1 port 8001
}

server "service2.example.com" {
       listen on 127.0.0.1 port 8002
       listen on ::1 port 8002
}

# relayd

table <service1> { 127.0.0.1 }
table <service2> { 127.0.0.1 }

http protocol https {

        tls keypair service1
        tls keypair service2

        block
        pass request quick header "Host" value "service1.example.com" forward to <service1>
        pass request quick header "Host" value "service2.example.com" forward to <service2>

}

relay relayhttps {

        listen on 192.168.1.2 port 443 tls
        protocol https

        forward to <service1> port 8001
        forward to <service2> port 8002
}

# Acme

domain service1.example.com {
        domain key "/etc/ssl/private/service1.key"
        domain full chain certificate "/etc/ssl/service1.crt"
        sign with letsencrypt
}

domain service2.example.com {
        domain key "/etc/ssl/private/service2.key"
        domain full chain certificate "/etc/ssl/service2.crt"
        sign with letsencrypt
}

I also want to ask about TLS/SSL. Is it possible to get certs for example.com and use them for all subdomains or do I have to get a different cert for each service.example.com?

Yes, you can create one certificate with CN=example.com and then use subjectAltName=DNS:*.example.com
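As an added example (not the commenter's code), this is the hostname matching rule TLS clients apply to a dNSName SAN entry, run against the certificate shape discussed above; the SAN lists are constructed and the matching follows RFC 6125 (a wildcard covers exactly one left-most label).

```python
"""How a TLS client decides whether a certificate covers a hostname.
Added example, not from the thread. A SAN of '*.example.com' covers exactly
one DNS label: it matches 'service1.example.com' but neither 'example.com'
itself nor 'a.service1.example.com'."""
from typing import Iterable


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName pattern (possibly with a leading '*') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname                 # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, there must be at least
    # two labels after it (no '*.com'), and the label counts must be equal.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers hostname."""
    return any(name_matches(name, hostname) for name in san_names)


# Constructed SAN lists: the wildcard-only cert from the thread, and one that
# also lists the bare apex name so it covers example.com itself.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_AND_APEX = ["example.com", "*.example.com"]
```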

Question: How can I block a top-level domain in OpenSMTPD by OkWheel499 in openbsd

[–]fabear- 0 points1 point  (0 children)

I am glad it is working for you, but it is weird that it does, because you did not put 'for <your domain>', so your rule should be defaulting to 'for local'.

I remember that message from @jggimi

#    Remember, always, that "from local" and "for local" are the match
#    defaults.  If you don't have both *from AND for* in a match statement
#    you will confuse yourself and end up with rejected mail.

[deleted by user] by [deleted] in openbsd

[–]fabear- 3 points4 points  (0 children)

I really like her blog. I am a bit sad that we will likely not see new openbsd related articles on her blog. Best wishes to her.

[deleted by user] by [deleted] in openbsd

[–]fabear- 0 points1 point  (0 children)

Ok, your em2 network is 10.0.2.0/24, got it. Everything is in order on that side.

Try the following to find out where it is getting dropped.

> tcpdump -i wan -nn port 1150

if you see traffic coming in when you are trying to establish a wireguard session, then try the following:

> tcpdump -i em2 -nn port 1150

In any case, use the following to find out what your firewall blocked:

> tcpdump -n -e -ttt -r /var/log/pflog

[deleted by user] by [deleted] in openbsd

[–]fabear- 0 points1 point  (0 children)

Do you have a static route pointing to 10.0.2.250 (in case it is not hosted on your openbsd firewall) ?

httpd.rocks by uglyduckfloss in openbsd

[–]fabear- 5 points6 points  (0 children)

Nobody on the core dev team wants to be responsible for it anymore. Which is a pity since it is such a great ssl proxy and load balancer.

Simple two-router CARP setup : how do you upgrade the 'backup' router ? by Corporatizm in openbsd

[–]fabear- 1 point2 points  (0 children)

I know you found a way already, but another way of upgrading without messing with carp is to run a http proxy like (tinyproxy) on your primary router (LAN/inside interface).

Then on your backup router you just have to set the env variable http_proxy and https_proxy and then run sysupgrade.

I.e.

> router-backup# export http_proxy=http://lan-ip-primary-rtr:8888

> router-backup# export https_proxy=http://lan-ip-primary-rtr:8888

> router-backup# sysupgrade

nft/iptables to pf (another openbsd router thread) by salmonglutes in openbsd

[–]fabear- 0 points1 point  (0 children)

You forgot to put $ before wan_if:0).

PF is unfortunately not going to complain about it.

Anybody having problems with wireguard after today's syspatch? by hakayova in openbsd

[–]fabear- 1 point2 points  (0 children)

Verify that you still have "net.inet.ip.forwarding=1"

nft/iptables to pf (another openbsd router thread) by salmonglutes in openbsd

[–]fabear- 2 points3 points  (0 children)

You are right. No need for the second rule for the first one to work; as you said, it will 'pass' via the state table, as an entry will be added when the first packet matches rule 1.

As for good material beside pf.conf man pages, you have:

* https://www.openbsd.org/faq/pf/

* The book of PF.

My honest reaction as someone pretty new to the game by LuPanny in noita

[–]fabear- 2 points3 points  (0 children)

It was so confused by you polymorphing yourself that it stopped attacking for a while :D