Bizarro252 (Dabbler; joined Jul 1, 2019; 36 messages)
Hello!
Running on FreeNAS 11.2-U5
I have my VPN working in a jail, and when testing it will change my outside IP, etc. However, I can't seem to get the kill switch to work; it just keeps sending traffic down the default allow-all rule, even though I have my deny rule much higher up in the order.
Below are my configs, as well as outputs, any help would be greatly appreciated.
IPFW Rules File (Local network is 172.16.0.1-172.16.0.255 on /24 netmask)
Code:
# Allow internal traffic
add 00501 allow IP from 172.16.0.50/24 to 172.16.0.0/24 keep-state
add 00502 allow IP from 172.16.0.0/24 to 172.16.0.50/24 keep-state
# Allow access to Entrance IP for VPN
add 00503 allow IP from 172.16.0.50/24 to 209.95.36.146 keep-state
# Allow any traffic over the VPN interface
add 00504 allow IP from any to any via tun0
# Deny any other traffic
add 00505 deny IP from any to any
IPFW List (ipfw list)
Code:
root@deluge:/config # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00501 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00502 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00503 allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00504 allow ip from any to any via tun0
00505 deny ip from any to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 allow ip from any to any
ifconfig
Code:
root@deluge:/config # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether d0:50:99:56:71:78
    hwaddr 02:4c:50:00:07:0b
    inet 172.16.0.50 netmask 0xffffff00 broadcast 172.16.0.255
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.1.5 --> 10.8.1.1 netmask 0xffffff00
    nd6 options=1<PERFORMNUD>
    groups: tun
    Opened by PID 12397
I stop OpenVPN and ping out, my IP changes to the non-VPN one, but I still show all traffic routing to that last default rule, not hitting 00505 like I would think it should??? I don't see the VPN traffic being flagged (using ipfw -t list) as going through the tunnel rule when OpenVPN is on either.
Code:
root@deluge:/config # ipfw zero
Accounting cleared.
root@deluge:/config # ping goole.com
PING goole.com (217.160.0.201): 56 data bytes
64 bytes from 217.160.0.201: icmp_seq=0 ttl=49 time=201.762 ms
64 bytes from 217.160.0.201: icmp_seq=1 ttl=49 time=198.979 ms
64 bytes from 217.160.0.201: icmp_seq=2 ttl=49 time=200.095 ms
64 bytes from 217.160.0.201: icmp_seq=3 ttl=49 time=200.100 ms
^Z
Suspended
root@deluge:/config # ipfw -t list
00100 Thu Jul 4 11:51:50 2019 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00501 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00502 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00503 allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00504 allow ip from any to any via tun0
00505 deny ip from any to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 Thu Jul 4 11:51:52 2019 allow ip from any to any
root@deluge:/config # service openvpn stop
Stopping openvpn.
Waiting for PIDS: 12397.
root@deluge:/config # ipfw zero
Accounting cleared.
root@deluge:/config # ping google.com
PING google.com (172.217.164.110): 56 data bytes
64 bytes from 172.217.164.110: icmp_seq=0 ttl=53 time=45.506 ms
64 bytes from 172.217.164.110: icmp_seq=1 ttl=53 time=46.444 ms
64 bytes from 172.217.164.110: icmp_seq=2 ttl=53 time=46.381 ms
64 bytes from 172.217.164.110: icmp_seq=3 ttl=53 time=45.853 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 45.506/46.046/46.444/0.387 ms
root@deluge:/config # ipfw -t list
00100 Thu Jul 4 11:52:40 2019 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00501 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00502 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00503 allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00504 allow ip from any to any via tun0
00505 deny ip from any to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 Thu Jul 4 11:52:41 2019 allow ip from any to any
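As an added illustration (not code from the post or from ipfw), the following Python models ipfw's first-match evaluation over the rules transcribed from the post; only from/to/via matching is modelled, not keep-state dynamic rules, packet direction or the IPv6 rules. It shows which rule each of the two pings above should have been accounted to (00504 with the tunnel up, 00505 with it down), and that ipfw masks host bits, so the file's 172.16.0.50/24 is stored as 172.16.0.0/24 and rules 00501-00503 cover the whole subnet rather than just the jail's address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the post's rules file and `ipfw list` output (IPv4 only).
# Only from/to/via matching is modelled; keep-state dynamic rules, in/out
# direction and the ipv6-icmp rules are deliberately left out.
RULES_TEXT = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00501 allow ip from 172.16.0.50/24 to 172.16.0.0/24 keep-state
00502 allow ip from 172.16.0.0/24 to 172.16.0.50/24 keep-state
00503 allow ip from 172.16.0.50/24 to 209.95.36.146 keep-state
00504 allow ip from any to any via tun0
00505 deny ip from any to any
65535 allow ip from any to any
"""

@dataclass
class Rule:
    number: int
    action: str
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    via: Optional[str]                    # interface name, or None

def parse_net(token):
    """'any' -> None; otherwise a network with host bits masked off, which is
    why the post's 172.16.0.50/24 shows up in `ipfw list` as 172.16.0.0/24."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        t = line.split()  # number action proto from SRC to DST [via IF] [keep-state]
        via = t[t.index("via") + 1] if "via" in t else None
        rules.append(Rule(int(t[0]), t[1], parse_net(t[4]), parse_net(t[6]), via))
    return rules

def first_match(rules, src, dst, iface):
    """First matching rule: the one ipfw accounts the packet to, i.e. the
    rule whose timestamp `ipfw -t list` would update."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst) \
                and (r.via is None or r.via == iface):
            return r
    raise RuntimeError("unreachable: rule 65535 matches everything")
```

If live traffic is accounted to 65535 rather than 00504 or 00505, the packets are not being evaluated against those rules as written, so the thing to verify is which ipfw instance and rule set the jail's traffic actually traverses, not the rule ordering.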