northox · September 10, 2021 17:42
diff --git a/iked.conf b/iked.conf
 ikev2 "inet" passive ipcomp esp \
  from 0.0.0.0/0 to 10.0.1.0/24 \
  from 10.0.0.0/24 to 10.0.1.0/24 \
  local egress peer any \
  srcid egress \
  psk "strong-password" \
  config protected-subnet 0.0.0.0/0 \
  config address 10.0.1.0/24 \
  config name-server 10.0.0.1 \
  tag IKED
diff --git a/pf.conf b/pf.conf

 intra = "vio1"
 vpn = "enc0"

 set reassemble yes
 set block-policy return
 set loginterface egress
 set skip on { lo, enc }

 match in all scrub (no-df random-id max-mss 1440)

 table <ossec_fwtable> persist
 table <fuckers> persist file "/etc/fuckers"

 block in quick  on egress from <fuckers> label "bad"
 block out quick on egress to <fuckers> label "bad"
 block in quick  on egress from <ossec_fwtable> label "bad"
 block out quick on egress to <ossec_fwtable> label "bad"
 block in quick from urpf-failed label uRPF
 block return log

 pass out all modulate state

 pass in on egress proto { ah, esp }
 pass in on egress proto udp to (egress) port { isakmp, ipsec-nat-t }
 pass out on egress from 10.0.1.0/24 to any nat-to (egress)
 pass out on $intra from 10.0.1.0/24 to $intra:network nat-to ($intra)

 pass in quick inet proto icmp icmp-type { echoreq, unreach }

 pass in on egress proto tcp from any to (egress) port 22 keep state (max-src-conn 40, max-src-conn-rate 10/30, overload <fuckers> flush global)
 pass in on $intra proto { udp tcp } from any to ($intra) port 53
diff --git a/sysctl.conf b/sysctl.conf
 net.inet.esp.enable=1
 net.inet.ah.enable=1
 net.inet.ip.forwarding=1
 net.inet.ipcomp.enable=1
diff --git a/z_hostname.enc0 b/z_hostname.enc0
 inet 10.0.1.1 255.255.255.0 10.0.1.255
 up
	ikev2 "inet" passive ipcomp esp \
	from 0.0.0.0/0 to 10.0.1.0/24 \
	from 10.0.0.0/24 to 10.0.1.0/24 \
	local egress peer any \
	srcid egress \
	psk "strong-password" \
	config protected-subnet 0.0.0.0/0 \
	config address 10.0.1.0/24 \
	config name-server 10.0.0.1 \
	tag IKED

	intra = "vio1"
	vpn = "enc0"

	set reassemble yes
	set block-policy return
	set loginterface egress
	set skip on { lo, enc }

	match in all scrub (no-df random-id max-mss 1440)

	table <ossec_fwtable> persist
	table <fuckers> persist file "/etc/fuckers"

	block in quick on egress from <fuckers> label "bad"
	block out quick on egress to <fuckers> label "bad"
	block in quick on egress from <ossec_fwtable> label "bad"
	block out quick on egress to <ossec_fwtable> label "bad"
	block in quick from urpf-failed label uRPF
	block return log

	pass out all modulate state

	pass in on egress proto { ah, esp }
	pass in on egress proto udp to (egress) port { isakmp, ipsec-nat-t }
	pass out on egress from 10.0.1.0/24 to any nat-to (egress)
	pass out on $intra from 10.0.1.0/24 to $intra:network nat-to ($intra)

	pass in quick inet proto icmp icmp-type { echoreq, unreach }

	pass in on egress proto tcp from any to (egress) port 22 keep state (max-src-conn 40, max-src-conn-rate 10/30, overload <fuckers> flush global)
	pass in on $intra proto { udp tcp } from any to ($intra) port 53
	net.inet.esp.enable=1
	net.inet.ah.enable=1
	net.inet.ip.forwarding=1
	net.inet.ipcomp.enable=1