Date: Sun, 22 Dec 2013 10:04:47 -0800 (PST)
From: Beeblebrox
To: freebsd-pf@freebsd.org
Message-ID: <1387735487942-5870782.post@n5.nabble.com>
In-Reply-To: <52B5B556.3070209@innolan.dk>
References: <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com> <52B5B556.3070209@innolan.dk>
Subject: Re: NAT & RDR rules for jailed proxy services

Hi Carsten,

Thanks very much for your ideas & input. I have it working mostly as you advised.

NAT rules:

    nat on $ExtIf proto {tcp,udp} from $jdns to $JaIf port 443 tag NAT_DNS -> $ExtIf   # I use dnscrypt-proxy
    nat on $ExtIf proto {tcp,udp} from $jprvx to $JaIf port {80,443} tag NAT_PRVX -> $ExtIf
    nat on $ExtIf from any to !($ExtIf) -> $ExtIf

I don't have to use different ports, it works as is.
Tagging does help distinguish between "same port, different jail" (for port 443 as example).

That said, I seem to have run into a strange filter rule problem. I aim to block all ports that each jail is not using. Partial filter rules:

    block drop log (all) on $ExtIf
    block drop log (all) on $JaIf
    ##_PRIVOXY
    pass in quick on $JaIf proto tcp from any to $jprvx port 8118
    pass out quick on {$JaIf,$ExtIf} inet tagged NAT_PRVX $TcpState $OpenSTO

The strangeness: when I comment out the block code (rule lines 1 & 2 above), the privoxy jail stops working. tcpdump shows:

    1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
    1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
    1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
    1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0

Is the problem with the port that privoxy is using, or do I need to allow some other pass rule for each jail (like jail's lo0 must be able to pass to :8118)?

>> Also add scrub to ensure no packet fragmentation. This is needed for pf
>> to work.

I have a bunch of code I have omitted so as to keep the messages short.

Thanks and Regards.
-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS

--
View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870782.html
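As an added example that is not from this thread: a small Python script that parses pflog lines in the tcpdump format shown in the post and groups the block records by rule number, direction, interface and destination port, so the rule dropping a jail's traffic (here rule 13, out on lo2) can be read off and looked up in the loaded ruleset. The sample lines are constructed from the format in the post; the third one (a pass record) is made up to show that non-block records are ignored.

```python
import re
from collections import Counter

# Constructed sample in the format tcpdump prints for /dev/pflog:
# timestamp, matching rule number, action, direction, interface, 5-tuple.
SAMPLE_PFLOG = """\
1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.400000 rule 7..16777216/0(match): pass in on lo2: 10.0.0.5.40000 > 192.168.2.99.8118: Flags [S], seq 1, win 65535, length 0
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>\d+)\.\.\S+\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return a dict of the pflog fields, or None if the line is not a pflog record."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["ts"] = float(rec["ts"])
    return rec


def summarize_blocks(text):
    """Count blocked flows keyed by (rule, direction, interface, dst ip, dst port).
    The ephemeral source port is dropped so SYN retries collapse into one bucket."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            key = (rec["rule"], rec["dir"], rec["iface"], rec["dst"], rec["dport"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_blocks(SAMPLE_PFLOG).most_common():
        rule, direction, iface, dst, dport = key
        print(f"rule {rule:>3}: block {direction:<3} on {iface} -> {dst}:{dport}  ({n} SYNs)")
```

The rule number in the output corresponds to the @N label printed by `pfctl -vv -s rules`, which is where to look for the rule that is actually matching.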