From: Beeblebrox
Sender: "Raif S. Berent"
Date: Sun, 18 Dec 2016 16:33:13 +0300
To: freebsd-pf@freebsd.org
Subject: PF TAGged jail traffic fails pass rule on egress
Message-ID: <20161218163313.01fbc51e@rsbsd.rsb>
In-Reply-To: <20161207171021.607579ea@rsbsd.rsb>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Ian - thanks for the answer. I already have pflog enabled on wan0 (egress), but nothing of value there. After your idea re "no actual packets on lo2" I ran tcpdump on that interface; indeed no traffic shows up.

I moved the jails to a new vlan1 with a /24 subnet, with x.x.0.1 empty and jails starting from x.x.0.2/32. This obviously facilitates NAT from pf in that NAT is now not needed for inter-jail communication. However, nothing changes for the greater problem of packet tagging, as "tcpdump -i vlan1" shows no packet traversal, as was the case on lo2. I also realised that since pf.conf has:

nat on wan0 from !(wan0) to any -> wan0

attempts to tag packets post-NAT are useless because the source IP (jail) has been replaced by the IP of wan0.

This seems to leave me with limited choices:
1. NAT & TAG each jail separately (ie: nat pass on wan0 from $jdns to any tag TD -> wan0)
2. Use a single tag for all packets leaving vlan1 so as to simplify the nat rules

Neither of which offers a satisfactory configuration because of other complications each solution causes. As a reminder: the ultimate goal is to allow only pre-defined port traffic per jail. I can't find a simpler way than TAGGING to accomplish this.

PS: I've also found that the OpenBSD syntax "!(tagged )" is not recognised on FreeBSD...

Thanks & Regards
-- 
FreeBSD_amd64_11-Stable_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
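The following pf.conf fragment is an added example of option 1 from the message above (NAT and tag each jail separately); it is not the poster's configuration. On FreeBSD, translation on wan0 is applied before the outbound filter rules on wan0 are evaluated, so the nat rule is the last point at which the jail's own source address is still visible, and a tag set there is recorded on the state and remains visible to the "out on wan0" filter rules, which match on the tag instead of the already-translated source. The interface names wan0/vlan1 and the macro $jdns come from the thread; the jail addresses, the $jweb jail, the allowed ports and the tag names JDNS/JWEB/JDROP are assumptions for illustration. Negated tag matching is spelled "! tagged TAG" in FreeBSD's pf.conf(5).

```pf
# Added example, not the poster's pf.conf. Jail addresses, $jweb, the
# permitted ports and the tag names are assumed; wan0, vlan1 and $jdns
# come from the thread.
ext_if   = "wan0"
jail_if  = "vlan1"
jail_net = "10.0.0.0/24"   # assumed: the poster's x.x.0.0/24
jdns     = "10.0.0.2"      # assumed jail address
jweb     = "10.0.0.3"      # assumed jail address

set skip on lo0

# Per-jail NAT rules carry the port whitelist and set a tag while the jail's
# source address is still visible. First matching nat rule wins, so the
# specific rules must precede the catch-all. Without "pass" the translated,
# tagged packet is still run through the filter rules below.
nat on $ext_if proto { tcp udp } from $jdns to any port 53          tag JDNS -> ($ext_if)
nat on $ext_if proto tcp         from $jweb to any port { 80 443 }  tag JWEB -> ($ext_if)

# Catch-all translation for anything else leaving the jail subnet. It gets a
# tag that is never passed, so non-whitelisted jail traffic is dropped and
# logged instead of falling through to the host's own egress rule.
nat on $ext_if from $jail_net to any tag JDROP -> ($ext_if)

block log all

# Egress on wan0: decide on the tag, not on the (now translated) source.
pass  out quick on $ext_if tagged JDNS  keep state
pass  out quick on $ext_if tagged JWEB  keep state
block out quick log on $ext_if tagged JDROP

# What remains on wan0 is untagged host traffic; "! tagged" is the FreeBSD
# spelling of the negated tag match.
pass out on $ext_if ! tagged JDROP from ($ext_if) keep state

# Replies to jail traffic are handled by the states above; inbound to the
# host itself is left closed except what you explicitly open.
pass in on $ext_if proto tcp to ($ext_if) port 22 keep state   # assumed: ssh to the host
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, and watch "tcpdump -n -e -ttt -i pflog0" while a jail attempts a non-whitelisted connection: the logged block from the JDROP rule, rather than silence, confirms the tag survived translation and the egress rules are matching on it.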