Tuesday, March 19, 2013

openvpn client to client connection

ref: http://backreference.org/2010/06/18/openvpns-built-in-packet-filter/


General ideas

Filtering happens at the server, which is the hub for all client connections, and the packet filter rules are per-client. A file should be provided for each client, containing the rules to apply to that client. The rules, in turn, are divided into rules allowing/denying connectivity to other clients (identified by common name), and rules generically allowing/denying connectivity to IP subnets. Here's a sample rule file for a client:
[CLIENTS ACCEPT]
-john
-nick
[SUBNETS DROP]
+10.0.4.0/24
[END]
The file must end with the [END] line. Note that since clients are identified by their common name, this feature cannot be used when duplicate-cn is in use (that, however, shouldn't be used anyway).
In this example, the client to which these rules are applied will be allowed to connect to any client by default ([CLIENTS ACCEPT]), except john and nick, which are explicitly denied. Alternatively, one could set a default deny policy by using [CLIENTS DROP] and then explicitly allowing only certain clients using +client. The same syntax applies to subnet rules.
Rules apply to client traffic going in both directions so, for a client to be allowed to connect to another client, communication must be allowed by the rules of both clients.
If denying communication is not enough for you, it's also possible to use [KILL] to terminate the client instance in case it tries to do something it shouldn't do.
In our example, we will assume a simple deployment with four clients: their common names are john, nick, bob and max. Who can connect to whom is shown in the following table:

        john  nick  bob  max
john    -     yes   yes  no
nick    yes   -     no   yes
bob     yes   no    -    no
max     no    yes   no   -
So here are the four rule templates:
$ cat /etc/openvpn/john.pf
[CLIENTS DROP]
+nick
+bob
[SUBNETS ACCEPT]
[END]
$ cat /etc/openvpn/nick.pf
[CLIENTS DROP]
+john
+max
[SUBNETS ACCEPT]
[END]
$ cat /etc/openvpn/bob.pf
[CLIENTS DROP]
+john
[SUBNETS ACCEPT]
[END]
$ cat /etc/openvpn/max.pf
[CLIENTS DROP]
+nick
[SUBNETS ACCEPT]
[END]
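As an added example (not code from the original post or from OpenVPN itself), here is a small Python model of the rule-file format: it parses the four files above, applies the both-directions rule, and rebuilds the connectivity table. Treating a missing section as DROP and [KILL] as a plain flag are assumptions.

```python
import ipaddress
def parse_pf(text):
    # Missing sections default to DROP (assumption; fail closed).
    rules = {"clients": ("DROP", {}), "subnets": ("DROP", []), "kill": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "[END]":                 # mandatory terminator
            return rules
        if line == "[KILL]":                # mark the client for termination
            rules["kill"] = True
            continue
        if line.startswith("[") and line.endswith("]"):
            kind, policy = line[1:-1].split()
            if kind not in ("CLIENTS", "SUBNETS") or policy not in ("ACCEPT", "DROP"):
                raise ValueError(f"bad section header: {line}")
            section = kind.lower()
            rules[section] = (policy, {} if section == "clients" else [])
            continue
        if section is None or line[0] not in "+-":
            raise ValueError(f"rule outside a section or missing +/-: {line}")
        allow = line[0] == "+"
        if section == "clients":
            rules["clients"][1][line[1:]] = allow          # keyed by common name
        else:
            rules["subnets"][1].append((ipaddress.ip_network(line[1:]), allow))
    raise ValueError("rule file lacks the terminating [END] line")

def client_allows(rules, peer):
    """An explicit +/- entry for the peer wins; otherwise the section default applies."""
    policy, entries = rules["clients"]
    return entries.get(peer, policy == "ACCEPT")

def can_talk(parsed, a, b):
    """Rules apply in both directions, so both clients' files must allow the pair."""
    return client_allows(parsed[a], b) and client_allows(parsed[b], a)

# Constructed copies of the four rule files shown above.
PF_FILES = {
    "john": "[CLIENTS DROP]\n+nick\n+bob\n[SUBNETS ACCEPT]\n[END]\n",
    "nick": "[CLIENTS DROP]\n+john\n+max\n[SUBNETS ACCEPT]\n[END]\n",
    "bob": "[CLIENTS DROP]\n+john\n[SUBNETS ACCEPT]\n[END]\n",
    "max": "[CLIENTS DROP]\n+nick\n[SUBNETS ACCEPT]\n[END]\n",
}

def connectivity_matrix(files):  # rebuild the who-can-reach-whom table
    parsed = {name: parse_pf(text) for name, text in files.items()}
    return {a: {b: can_talk(parsed, a, b) for b in parsed if b != a} for a in parsed}
```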
