Fix #76; Fix ftpproxy6; Move DNS through relayd; Add SSH gateway

src/etc/hostname.vether0

@@ -1,7 +1,10 @@
 -inet
 -inet6
+description "services interface"
 # Thwart the virtual interface from taking the MAC address of the first physical interface
 lladdr random
 inet 10.10.10.10 255.255.255.0 10.10.10.255
+inet alias 10.10.10.11 255.255.255.255
 inet6 2001:470:b35c:1337::ace:face 64
 inet6 alias fd80:1fe9:fcee:1337::ace:face 64
+inet6 alias fd80:1fe9:fcee:1337::ace:babe 64

src/etc/iked-vedetta.conf

@@ -5,7 +5,7 @@ ikev2 "road-warrior-IPv4" passive ipcomp esp inet \
 	local em0 peer 0.0.0.0/0 \
 	srcid freedns.afraid.org \
 	config address 10.10.200.0/24 \
-	config name-server 10.10.10.10 \
+	config name-server 10.10.10.11 \
 	config access-server 10.10.200.1 \
 	config protected-subnet 0.0.0.0/0 \
 	tag VPN
@@ -15,7 +15,7 @@ ikev2 "road-warrior-IPv6" passive ipcomp esp inet6 \
 	local gif0 peer ::0/0 \
 	srcid freedns.afraid.org \
 	config address 2001:470:b35c:deaf::/64 \
-	config name-server fd80:1fe9:fcee:1337::ace:face \
+	config name-server fd80:1fe9:fcee:1337::ace:babe \
 	config access-server 2001:470:b35c:deaf::ace:face \
 	config protected-subnet ::0/0 \
 	tag VPN \

src/etc/npppd/npppd.conf

@@ -22,7 +22,7 @@ ipcp IPCP {
 	pool-address 10.10.100.150-10.10.100.180 for dynamic
 	pool-address 10.10.100.110-10.10.100.140 for static
 	allow-user-selected-address no
-	dns-servers 10.10.10.10
+	dns-servers 10.10.10.11
 }
 
 # use pppx(4) interface. use an interface per a ppp session.

src/etc/pf.conf

@@ -32,13 +32,13 @@ table <martians> const persist counters { \
  ::1/128 ::/128 ::/96 ::ffff:0:0/96 100::/64 2001::/32 2001:2::/48 \
  2001:db8::/32 fc00::/7 fe80::/10 }
 
-# full access (for test)
+# Full access table (for test)
 table <knownhosts> persist counters {}
 
 # Enable with: touch /etc/authpf/authpf.conf
 table <authpf_users> persist counters
 
-# block bad hosts for 10-11 minutes (!) see var/cron/tabs/root
+# Block bad hosts for 10-11 minutes (!) see var/cron/tabs/root
 table <temporaryban> persist counters
 table <permanentban> persist counters file "/etc/pf.permanentban"
 
@@ -54,16 +54,22 @@ table <portknock1> persist
 table <portknock2> persist
 table <portknock3> persist
 
+# relayd
+fallback="10.10.10.10"
+fallback6="fd80:1fe9:fcee:1337::ace:face"
+relay="10.10.10.11"
+relay6="fd80:1fe9:fcee:1337::ace:babe"
+table <relay> persist counters { $relay $relay6 }
+table <httpfilter> persist counters {}
+table <tlsinspect> persist counters {}
+
 # Options
 set loginterface egress
 set optimization normal
 set block-policy drop
 set skip on { lo0 }
 
-# Queues
-# http://man.openbsd.org/pf.conf#QUEUEING
-# queue assignment before nat-to http://marc.info/?l=openbsd-misc&m=149163915901383&w=2
-
+# Queue assignment before nat-to http://marc.info/?l=openbsd-misc&m=149163915901383&w=2
 # HFSC with FQ-CoDel (reduce bufferbloat and achieve fairness)
 # http://theapt.org/~mike/hfsc-fq/
 # www.reddit.com/r/openbsd/comments/6ttuhn/fq_codel_scheduling/
@@ -157,11 +163,11 @@ anchor "external" on egress {
 #   tag SELF_INET
    pass log (user) proto tcp \
     to port { http https } \
-    user { _ntp _pfetch _pkgfetch _syspatch root horia } \
+    user { _ntp _pfetch _pkgfetch _relayd _syspatch root horia } \
     tag SELF_INET
    pass log (user) proto tcp \
     to port ftp \
-    user _ftp_proxy
+    group _ftp_proxy
    pass log (user) proto tcp \
     to port { ssh whois } \
     user { root horia } \
@@ -185,15 +191,21 @@ anchor "external" on egress {
  }
 }
 
-# tftp-proxy
+# Trivial File Transfer Protocol proxy
 anchor "tftp-proxy/*"
 
+# Secure forward ftp proxy
+# http://man.openbsd.org/ftp-proxy
+anchor "ftp-proxy/*"
+pass log tagged FTP_PROXY
+pass log tagged FTP_PROXY6
+
 # Anchor rules for various authenticated peers
 # all child anchors (/*) within authpf anchor (loaded from
 # /etc/authpf/users/$USER/authpf.rules) will be evaluated
 anchor "authpf/*" from <authpf_users>
-match inet  tag LAN_INET   tagged AUTHPF_INET
-match inet6 tag LAN6_INET6 tagged AUTHPF_INET
+match inet  tagged AUTHPF_INET tag LAN_INET
+match inet6 tagged AUTHPF_INET tag LAN6_INET6
 
 anchor "internal" on { lan wlan enc tun } {
  anchor in {
@@ -207,63 +219,91 @@ anchor "internal" on { lan wlan enc tun } {
 
   # Incoming traffic from trusted peers to LAN (VPN:network hack)
   anchor from { <knownhosts> <authpf_users> } to { (self:network) (tun)/24 (enc)/64 (enc)/24 } {
-   anchor on { lan wlan } {
+   anchor ! tagged VPN {
     pass log proto { tcp udp } tag LAN
    }
-   anchor on { enc tun } {
-    pass log proto { tcp udp } keep state (if-bound) tag LAN tagged VPN
+   anchor tagged VPN {
+    pass log proto { tcp udp } keep state (if-bound) tag LAN
    }
   }
 
   # Incoming traffic from trusted peers to LAN_INET
   anchor from <knownhosts> ! tagged LAN {
-   pass log proto { tcp udp } tag LAN_INET
-   anchor on { enc tun } {
+   # nested tag check
+   anchor ! tagged VPN {
+    pass log proto { tcp udp } tag LAN_INET
+   }
+   anchor tagged VPN {
     pass log proto { tcp udp } keep state (if-bound) tag LAN_INET
    }
   }
 
   # ftp for trusted peers
-  anchor inet proto tcp to port ftp tagged LAN_INET {
-   pass log flags S/SAFR modulate state \
-    divert-to vether0 port 8021
-  }
-  anchor inet6 proto tcp to port ftp tagged LAN6_INET6 {
-   pass log flags S/SAFR modulate state \
-    divert-to fd80:1fe9:fcee:1337::ace:face port 8021
+  anchor proto tcp to port ftp tagged LAN_INET {
+   pass log inet \
+    divert-to $fallback port 8021 \
+    tag LAN_SELF
+   pass log inet6 \
+    divert-to $fallback6 port 8021 \
+    tag LAN6_SELF6
   }
 
   # and guests
 
-  # www to LAN_INET
-  anchor proto tcp to ! (self:network) port { http https } {
-   anchor on { lan wlan } {
+  # www (and Google Play) to LAN_INET
+  anchor proto tcp to ! (self:network) port { http https 5228 } {
+   anchor ! tagged VPN {
     pass log tag LAN_INET
    }
-   anchor on { enc tun } {
-    pass log keep state (if-bound) tag LAN_INET tagged VPN
+   anchor tagged VPN {
+    pass log keep state (if-bound) tag LAN_INET
    }
   }
 
+  # Transparent HTTP proxy (split IPv4/6)
+  anchor proto tcp from <httpfilter> to port http tagged LAN_INET {
+   pass log inet \
+    divert-to $relay port 8080 \
+    tag LAN_SELF
+   pass log inet6 \
+    divert-to $relay6 port 8080 \
+    tag LAN6_SELF6
+  }
+
   # ssh to LAN_SELF
   anchor proto tcp to (vether0) port ssh {
-   anchor on { lan wlan } {
+   anchor ! tagged VPN {
     pass log tag LAN_SELF
    }
-   anchor on { enc tun } {
-    pass log keep state (if-bound) tagged VPN
+   anchor tagged VPN {
+    pass log keep state (if-bound)
    }
   }
 
-  # tftp-proxy
-  anchor on { lan wlan } proto udp to boot.heta.lan port tftp {
+  # tftp-proxy (split IPv4/6)
+  anchor on { lan wlan } proto udp to <relay> port tftp {
     pass log inet \
      divert-to lo0 port 6969 \
      tag LAN_SELF
     pass log inet6 \
      divert-to lo0 port 6969 \
      tag LAN6_SELF6
   }
+
+  # Allow devices with hardcoded ntp servers to get local time (split IPv4/6)
+  anchor proto udp to ! <relay> port ntp {
+   match in log inet \
+    rdr-to <relay> port ntp \
+    tag RELAYD
+   match in log inet6 \
+    rdr-to <relay> port ntp \
+    tag RELAYD
+  }
+
+  # split IPv4/6 from LAN_INET (!) not for proxy (e.g. divert-to, rdr-to)
+  anchor inet6 tagged LAN_INET {
+   match tag LAN6_INET6
+  }
  }
 
  anchor out {
@@ -272,36 +312,23 @@ anchor "internal" on { lan wlan enc tun } {
 #  from { (lan) (wlan) } to fe80::/10 port dhcpv6-client \
 #  tag SELF6_LAN6
 
-  # Open LAN for trusted peers
+  # Open LAN for trusted peers (keep tag)
   anchor tagged LAN {
    pass log proto { tcp udp }
    anchor on { enc tun } {
     pass log proto { tcp udp } keep state (if-bound)
    }
   }
-  # Open LAN for self, skip VPN
+  # Open LAN for self, skip VPN (keep tag)
   anchor proto { tcp udp } from (self) port { != isakmp, != ipsec-nat-t, != l2tp } {
    pass log proto { tcp udp }
    anchor on { enc tun } {
     pass log proto { tcp udp } keep state (if-bound)
    }
   }
-
- }
-
- # inet6 to LAN6_INET6
- anchor inet6 tagged LAN_INET {
-  match tag LAN6_INET6
  }
 }
 
-# Secure forward ftp proxy
-
-# http://man.openbsd.org/ftp-proxy
-anchor "ftp-proxy/*"
-pass log tagged FTP_PROXY
-pass log tagged FTP_PROXY6
-
 # VPN (IKEv1 and IKEv2)
 anchor "vpn" {
 
@@ -353,29 +380,34 @@ anchor "layer3_int" in tagged RELAYD {
 
 anchor "layer7" in {
  anchor "layer7_ext" on egress {
-  # Avoid interface certificate for egress
-  pass in log inet proto tcp to (egress) port https rdr-to (athn0)
-  pass in log inet6 proto tcp to (egress) port https rdr-to fd80:1fe9:fcee:cafe::ace:face
+  # Avoid interface certificate for egress (split inet(6) for redirect)
+  pass in log inet  proto tcp to (egress) port https rdr-to <relay>             
+  pass in log inet6 proto tcp to (egress) port https rdr-to <relay>                               
+
+  # Transparent HTTP proxy
+  #pass out log proto tcp from (egress) to port http user _relayd
  }
  anchor "layer7_int" on { lan wlan } {
-  pass log proto tcp to (athn0) port https
-  pass log proto udp to (vether0) port domain
+  pass log proto udp to <relay> port domain
+  pass log proto tcp to <relay> port https
+  pass log proto tcp from <authpf_users> to <relay> port 2222
  }
  anchor "layer7_vpn" on { enc tun } {
-  pass log proto tcp to (athn0) port https keep state (if-bound)
-  pass log proto udp to (vether0) port domain keep state (if-bound)
+  pass log proto udp to <relay> port domain keep state (if-bound)
+  pass log proto tcp to <relay> port https keep state (if-bound)
+  pass log proto tcp from <authpf_users> to <relay> port 2222 keep state (if-bound)
  }
 }
 
 # VLAN
 anchor "vlan" on vlan from (vlan:network) to (vlan:network) {
- # Example
+ # e.g.
  match log on vlan5 tag VLAN5
 }
 
 # SDN
 anchor "virtual" on { vether tap } {
- # Custom
+ # To Do
 }
 
 anchor "icmp" {