From owner-freebsd-pf@FreeBSD.ORG Mon Dec 16 11:06:52 2013
Date: Mon, 16 Dec 2013 11:06:52 GMT
Message-Id: <201312161106.rBGB6q5X019448@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/184485  pf     [pf] pfioctl causing kernel panics in 10-BETA{3,4}
o kern/182401  pf     [pf] pf state for some IPs reaches 4294967295 suspicou
o kern/182350  pf     [pf] core dump with packet filter -- pf_overlad_task
o kern/179392  pf     [pf] [ip6] Incorrect TCP checksums in rdr return packe
o kern/177810  pf     [pf] traffic dropped by accepting rules is not counted
o kern/177808  pf     [pf] [patch] route-to rule forwarding traffic inspite
o kern/176268  pf     [pf] [patch] synproxy not working with route-to
o kern/173659  pf     [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf     [patch] authpf(8) feature enhancement
o kern/172648  pf     [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf     [pf] PF problem with modulate state in [regression]
o kern/169630  pf     [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf     [pf] direction scrub rules don't work
o kern/168190  pf     [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf     [pf] kern.securelevel 3 +pf reload
o kern/165315  pf     [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf     [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf     [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf     [pf] PF state key linking mismatch
o kern/160370  pf     [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf     [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf     [pf] Bug with PF firewall
o kern/148290  pf     [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf     [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf     [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf     [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf     [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf     pfsync fails to successfully transfer some sessions
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/87074   pf     [pf] pf does not log dropped packets when max-* statef
a kern/86752   pf     [pf] pf does not use default timeouts when reloading c
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

57 problems total.
From owner-freebsd-pf@FreeBSD.ORG Wed Dec 18 05:16:21 2013
Date: Wed, 18 Dec 2013 05:16:20 GMT
Message-Id: <201312180516.rBI5GKfV024303@freefall.freebsd.org>
To: alex.wilkinson@cba.com.au, glebius@FreeBSD.org, freebsd-pf@FreeBSD.org, glebius@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/184485: [pf] pfioctl causing kernel panics in 10-BETA{3,4}

Synopsis: [pf] pfioctl causing kernel panics in 10-BETA{3,4}

State-Changed-From-To: open->feedback
State-Changed-By: glebius
State-Changed-When: Wed Dec 18 05:01:09 UTC 2013
State-Changed-Why:
Submitter asked for feedback.

Responsible-Changed-From-To: freebsd-pf->glebius
Responsible-Changed-By: glebius
Responsible-Changed-When: Wed Dec 18 05:01:09 UTC 2013
Responsible-Changed-Why:
I'm going to fix that.

http://www.freebsd.org/cgi/query-pr.cgi?pr=184485

From owner-freebsd-pf@FreeBSD.ORG Wed Dec 18 16:24:07 2013
Date: Wed, 18 Dec 2013 08:23:59 -0800 (PST)
From: Beeblebrox
To: freebsd-pf@freebsd.org
Message-ID: <1387383838536-5869777.post@n5.nabble.com>
Subject: NAT & RDR rules for jailed proxy services

I'd like to run some proxies in a jail (with only one service per jail).
Internal Net and localhost traffic will be diverted to the jailed proxies.
Also, jail traffic AND traffic for non-jailed services should be NATted on
the router NIC (ExtIf).

*The setup:*
Three interfaces: $ExtIf (192.168.1.10/24), $IntIf (192.168.2.1/26), lo0 (127.0.0.1/8).
One cloned interface $JailIf to be used as Jail NIC. No IP or netmask assigned
to lo2. lo2 aliases: 192.168.2.97/32, 192.168.2.98/32, 192.168.2.99/32,
192.168.2.100/32 (four jails).
* Jails need to send and receive traffic to a) each other b) {lo0, $IntIF} c) $ExtIF
* Each jail has in /etc/rc.conf: defaultrouter="ExtIF's IP"
* Traffic for jailed services originating from {lo0, $IntIF} should be
  redirected to the $JailIf. We should also make sure that no packets try to
  escape through $ExtIF without our consent.

*Relevant pf.conf entries:*
# ExtIf, IntIf, JailIf defined, also each jail and gateway IP's
jdns="192.168.2.97"    # Jail for unbound-DNS & dnscrypt-proxy using 443
jprvx="192.168.2.99"   # Jail for Privoxy
jhttp="192.168.2.100"  # Jail for squid-like http cache
gate="192.168.1.10"    # IP of ExtIf. forwarding gateway IP is 192.168.1.1

# Define jailed ports & service numbers
JailTCP="{53,80,443,8080,8118}"

# NAT & RDR rules ## NO SKIP on lo0 ##
# On $JailIf, NAT all traffic defined as to be hosted, and only that traffic
nat on $JailIf proto {tcp,udp} from !($JailIf) to any port $JailTCP -> $JailIf

# Since (all packets) in the $JailTCP set have already been forwarded to
# $JailIf, NAT everything else arriving on the gateway normally.
nat on $ExtIf from any to $ExtIf -> $gate

# I need all DNS lookup queries to go to the jail running unbound. NAT
# already does this I think, so not needed any longer?
# rdr on $JailIf proto {tcp,udp} from any port domain -> $jdns

## NOW re-direct by port, traffic exiting each jail to the gateway IP
# Unbound DNS on .97
rdr on $JailIf proto {tcp,udp} from $jdns to any port {domain,443} -> $gate

# Privoxy on .99
rdr on $JailIf proto {tcp} from $jprvx to any port {80,443} -> $gate

# HTTP Cache on .100 = Not needed? Since jhttp (cache) -> jprvx (privoxy)
# traffic will be defined from http-cache config file.
# rdr on $JailIf proto tcp from any to $JailIf port 8118 -> $jhttp

# Ntpd time server for the LAN
rdr on $IntIf proto udp from $IntNet to $IntIf port ntp -> $IntIf

*The problem:*
1) NAT and redirect rules fail. Traffic originating from inside jails does not
reach the external network. For example, the DNS jail sends traffic out, but it
looks like it's not routed to the gate. tcpdump shows:
  192.168.2.97.57472 > 208.67.220.220.443: [udp sum ok] UDP, length 45
Where :443 is the traffic generated by dnscrypt-proxy. Also, unrelated (?):
  ethertype IPv4 (0x0800), length 74: (tos 0x1c, ttl 64, id 61312, offset 0,
  flags [DF], proto TCP (6), length 60, *bad cksum* 0 (->72d6)!)
2) The aim of the first NAT rule is to capture on $ExtIf any rogue packets
trying to escape without passing through the jail gauntlet. A solution would
need to take that concern into account. Maybe a "block out" filter for packets
NOT originating from $JailIf would be simpler?
3) I try to monitor traffic on lo2 or pflog0 using tcpdump -nettvv and the
above ruleset. Nothing shows up when I try to access the HTTP cache
(192.168.2.100) although the cache responds on the browser (nothing to the
outside, just cache internal page).

I'm basically stuck in a logic loop and have failed to find my error.

Regards.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 20 13:36:00 2013
Message-ID: <52B4463F.3080900@innolan.dk>
Date: Fri, 20 Dec 2013 21:29:35 +0800
From: Carsten Larsen
To: zaphod@berentweb.com
Cc: freebsd-pf@freebsd.org
Subject: Re: NAT & RDR rules for jailed proxy services
In-Reply-To: <1387383838536-5869777.post@n5.nabble.com>

Hi there,

Beeblebrox wrote:
> I'd like to run some proxies in a jail (with only one service per jail).
> Internal Net and localhost traffic will be diverted to the jailed proxies.
> Also, jail traffic AND traffic for non-jailed services should be NATted on
> the router NIC (ExtIf).
>
> [...]
>
> # NAT & RDR rules ## NO SKIP on lo0 ##
> # On $JailIf, NAT all traffic defined as to be hosted, and only that traffic
> nat on $JailIf proto {tcp,udp} from !($JailIf) to any port $JailTCP -> $JailIf
>
> # Since (all packets) in the $JailTCP set have already been forwarded to
> # $JailIf, NAT everything else arriving on the gateway normally.
> nat on $ExtIf from any to $ExtIf -> $gate

The NAT logic should simply be:

nat on $ExtIf from any to !($ExtIf) -> ($ExtIf)

> # I need all DNS lookup queries to go to the jail running unbound. NAT
> # already does this I think, so not needed any longer?
> # rdr on $JailIf proto {tcp,udp} from any port domain -> $jdns
>
> [...]
>
> *The problem:*
> 1) NAT and redirect rules fail. Traffic originating from inside jails does
> not reach the external network. For example, the DNS jail sends traffic out,
> but it looks like it's not routed to the gate. tcpdump shows:
>   192.168.2.97.57472 > 208.67.220.220.443: [udp sum ok] UDP, length 45
> Where :443 is the traffic generated by dnscrypt-proxy. Also, unrelated (?):

In my experience it is easier to do filtering while NAT'ing:

nat on $ExtIf from any to !($ExtIf) port https -> ($ExtIf)

If you need to account for traffic then add tags and use those tags in filter
rules. For example:

nat on $ExtIf from any to !($ExtIf) port https tag NAT_HTTPS -> ($ExtIf)
..
pass on $ExtIf inet tagged NAT_HTTPS

>   ethertype IPv4 (0x0800), length 74: (tos 0x1c, ttl 64, id 61312, offset 0,
>   flags [DF], proto TCP (6), length 60, *bad cksum* 0 (->72d6)!)
> 2) The aim of the first NAT rule is to capture on $ExtIf any rogue packets
> trying to escape without passing through the jail gauntlet. A solution would
> need to take that concern into account. Maybe a "block out" filter for
> packets NOT originating from $JailIf would be simpler?

For jails I use rules in this form:

nat on $wan_if from $j_www to !$wan_ip port http tag NAT_WWW_3 -> $wan_ip port $nat_ports

Also, for accounting to work, make sure you put the tagged filter rules at the
top of the rule set and apply the keyword *quick* to these rules.

> 3) I try to monitor traffic on lo2 or pflog0 using tcpdump -nettvv and the
> above ruleset. Nothing shows up when I try to access the HTTP cache
> (192.168.2.100) although the cache responds on the browser (nothing to the
> outside, just cache internal page).
>
> I'm basically stuck in a logic loop and have failed to find my error.
>
> Regards.

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 20 15:36:42 2013
Date: Fri, 20 Dec 2013 07:36:34 -0800 (PST)
From: Beeblebrox
To: freebsd-pf@freebsd.org
Message-ID: <1387553794487-5870320.post@n5.nabble.com>
In-Reply-To: <52B4463F.3080900@innolan.dk>
Subject: Re: NAT & RDR rules for jailed proxy services

Hello and thanks for your answer.

I would like to make sure that I was able to explain myself correctly:
1. (lo0 + IntIF:network) for (JaTCP ports) --> $JailIf (lo2) --> ExtIf
2. (lo0 + IntIF:network) for !(JaTCP ports) --> ExtIf

This is, let's say, a "reverse jail" problem. While most pf.confs aim to
provide jailed services to the outside arriving traffic, I'm trying to provide
jailed services to traffic originating from the inside, then forwarded to the
outside.

I had some difficulty understanding the packet flow logic in your explanation,
so forgive me for asking once more. As an example from what you indicated, does
this ruleset do the job?

# Begin NAT & RDR rules
# For the privoxy jail
nat pass in quick on $JailIf from !$JailIf to $JailIf port 8118 tag NAT_PRVX -> $j_privoxy port 8118
nat pass out quick on $JailIf from $j_privoxy to !$JailIf port 8118 tag NAT_PRVX -> $JailIf port 80

# For the unbound jail, there's a problem. Other jailed IP's on $JailIf will
# want a DNS server they can query.
nat pass in quick on $JailIf proto {tcp,udp} from any to $j_dns port domain tag NAT_DNS -> $j_dns
nat pass out quick on $JailIf proto {tcp,udp} from $j_dns to $ExtIf port domain tag NAT_PRVX -> $ExtIf

# Lastly
nat on $ExtIf from any to !($ExtIf) -> ($ExtIf)

It looks to me like it still does not quite make complete sense.

Thanks for your time.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 20 16:55:05 2013
Date: Fri, 20 Dec 2013 08:55:04 -0800 (PST)
From: Beeblebrox
To: freebsd-pf@freebsd.org
Message-ID: <1387558504074-5870346.post@n5.nabble.com>
In-Reply-To: <1387553794487-5870320.post@n5.nabble.com>
Subject: Re: NAT & RDR rules for jailed proxy services

Good news is I have some progress and it seems to work like this:

# Begin NAT & RDR rules
# For the dns jail
nat on $JaIf proto {tcp,udp} from !($JaIf) to $JaIf port domain tag NAT_DNS -> $jdns port domain
nat on $JaIf proto {tcp,udp} from $jdns to !($JaIf) port domain tag NAT_DNS -> $JaIf port domain

# For the privoxy jail
nat on $JaIf proto tcp from !($JaIf) to $JaIf port 8118 tag NAT_PRVX -> $jprvx port 8118
nat on $JaIf proto tcp from $jprvx to !($JaIf) port 80 tag NAT_PRVX -> $JaIf port 80

Now the bad news:
1. "nat pass in/out quick on" gives a syntax error - probably my
   misunderstanding of your message content.
2. Unless the client's /etc/resolv.conf for dns and the proxy settings in the
   browser are changed, packets are not "forced" into the jailed proxy
   structure. I will have to place pass/block filters on ExtIf, and each client
   will have to make adjustments to their machine. I don't get a "silent
   redirect" for these packets, UNLESS I tested incorrectly.

Regards.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
From owner-freebsd-pf@FreeBSD.ORG Sat Dec 21 15:36:09 2013
Message-ID: <52B5B556.3070209@innolan.dk>
Date: Sat, 21 Dec 2013 23:35:50 +0800
From: Carsten Larsen
To: Beeblebrox, freebsd-pf@freebsd.org
Subject: Re: NAT & RDR rules for jailed proxy services
In-Reply-To: <1387553794487-5870320.post@n5.nabble.com>

Hi again,

Beeblebrox wrote:
> I had some difficulty understanding the packet flow logic in your
> explanation, so forgive me for asking once more. As an example from what you
> indicated, does this ruleset do the job?
>
> # Begin NAT & RDR rules
> # For the privoxy jail
> nat pass in quick on $JailIf from !$JailIf to $JailIf port 8118 tag
> NAT_PRVX -> $j_privoxy port 8118
> nat pass out quick on $JailIf from $j_privoxy to !$JailIf port 8118 tag
> NAT_PRVX -> $JailIf port 80

NAT is only for outbound rules. Use rdr rules for inbound traffic.

Here is a rewrite: Allow traffic from the DNS jail to leave on the external
interface. All ports open outbound. Reserve ports on the external interface
below 10000 for inbound traffic.

nat on $ExtIf from $j_dns to !($ExtIf) tag NAT_DNS_JAIL -> ($ExtIf) port 10000:65535

That's it. The rest is to allow routing between jails and maybe local networks.
NAT is only needed for traffic leaving on the external interface. If you need
to serve incoming traffic arriving on the external interface then use the rdr
rules.

> # For the unbound jail, there's a problem. Other jailed IP's on $JailIf will
> # want a DNS server they can query.
> nat pass in quick on $JailIf proto {tcp,udp} from any to $j_dns port domain
> tag NAT_DNS -> $j_dns
> nat pass out quick on $JailIf proto {tcp,udp} from $j_dns to $ExtIf port
> domain tag NAT_PRVX -> $ExtIf
>
> # Lastly
> nat on $ExtIf from any to !($ExtIf) -> ($ExtIf)

Lastly should be filter rules. Example:

block on $ExtIf
# Allow all traffic regardless of source and destination port originating
# from the dns jail
pass quick on $ExtIf inet tagged NAT_DNS_JAIL
# Allow all traffic originating from the host
pass quick on $ExtIf ...

Also add scrub to ensure no packet fragmentation. This is needed for pf to work.

> It looks to me like it still does not quite make complete sense.
>
> Thanks for your time.
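A complete ruleset for the setup discussed in this thread, written along the lines of Carsten's advice (rdr for traffic arriving from clients, nat only on $ExtIf, tags matched by quick filter rules); this is an added example, not a configuration posted by either participant. The interface names, the LAN prefix, the cache listening on 8080, and limiting the redirect to LAN clients rather than the host's own lo0 traffic are assumptions.

```pf
# Added example for the thread above; not a ruleset from either participant.
# Assumed: interface names, the LAN prefix, the cache port, and that only
# LAN clients are redirected (the host's own lo0 traffic is skipped).

ext_if  = "em0"              # $ExtIf, 192.168.1.10/24, upstream router 192.168.1.1
int_if  = "em1"              # $IntIf, 192.168.2.1/26
jail_if = "lo2"              # cloned interface carrying the jail aliases
int_net = "192.168.2.0/26"   # LAN clients; the jail aliases (.97-.100) lie outside it

jdns  = "192.168.2.97"       # unbound + dnscrypt-proxy (reaches its resolver on 443)
jprvx = "192.168.2.99"       # privoxy, listens on 8118
jhttp = "192.168.2.100"      # http cache, assumed to listen on 8080 and chain to privoxy
table <jails> const { $jdns, $jprvx, $jhttp }

set skip on lo0
# Reassemble fragments before translation and filtering
scrub in all fragment reassemble

### Translation: evaluated before the filter rules, first match wins ###

# Traffic arriving from LAN clients: rdr (not nat) rewrites the destination,
# so DNS and plain HTTP are handed to the jails without touching the clients.
# The tag lets the filter rules below match exactly this traffic.
rdr on $int_if inet proto { tcp, udp } from $int_net to any port domain \
    tag RDR_DNS -> $jdns port domain
rdr on $int_if inet proto tcp from $int_net to any port http \
    tag RDR_WEB -> $jhttp port 8080
# Port 443 is deliberately not redirected: privoxy cannot intercept TLS
# transparently, so browsers point at $jprvx:8118 explicitly for HTTPS.

# Outbound: NAT only on $ExtIf, rewriting the source to its address.
# nat/rdr rules take neither a direction nor "quick"; "nat pass in quick"
# is the syntax error seen earlier in the thread.
nat on $ext_if inet from <jails>  to !($ext_if) tag NAT_JAIL -> ($ext_if) port 10000:65535
nat on $ext_if inet from $int_net to !($ext_if) tag NAT_LAN  -> ($ext_if)

### Filtering ###
block log all

# A packet reaching $ExtIf with an internal source address escaped translation;
# log it and drop it rather than let it out (the "rogue packet" concern).
block out log quick on $ext_if inet from { $int_net, <jails> }

# Translated traffic, matched by tag and placed first with quick
pass quick on $ext_if inet tagged NAT_JAIL
pass quick on $ext_if inet tagged NAT_LAN
pass in quick on $int_if inet tagged RDR_DNS
pass in quick on $int_if inet tagged RDR_WEB

# The host's own outbound traffic, and LAN traffic that was not redirected
pass out quick on $ext_if inet from ($ext_if)
pass in on $int_if inet from $int_net

# Jail-to-jail traffic on the jail interface
pass on $jail_if

# NTP served by the host to the LAN, kept from the original ruleset
pass in on $int_if inet proto udp from $int_net to ($int_if) port ntp
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; with `tcpdump -nettti pflog0` the `block log` rules then show exactly which packets tried to leave $ExtIf untranslated.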