From: kaycee gb <kisscoolandthegangbang@hotmail.fr>
To: freebsd-pf@freebsd.org
Subject: usage of rdr and pass validation
Date: Tue, 25 Feb 2020 19:50:11 +0000

Hi,

First, sorry, English is not my native language. I will try to be as precise as possible.

And also I am not sure it is only pf related. Let me know in this case, please. Maybe it would be for net and jail too.

So, I have two cases, maybe related.

The first one is for using an rdr translation rule.

I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to join one service from the outside. Using one rdr rule like this one, all seems to work fine. I have access to the service.

> rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

But in case I want to apply some options to this, I have to split it in 3.

This is the relevant part of my config that makes it work:

> # Emulate skip on lo0
> pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> # jail internal comms
> pass quick on lo0 from $j_one to $j_one
>
> # other traffic ( do not know yet why it is necessary and why no interface
> # specified is mandatory )
> pass in quick proto tcp from any to $j_one port 443
>
> # block all on lo0
> block log quick on lo0
>
> rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> pass in quick on $ext_if proto tcp from any to $j_one port 443

See the two lines at the end, which are the first two parts. The third part is the line after the "other traffic" comment. After a lot of trial and error, this line has to be written like that. I cannot add "on lo0" to this line or the service is not reachable.

I have been using jails for some time now and remember having jail traffic bound to lo0 before, even when in my configuration the jails have another interface defined (a bridge generally).

So I would like to know why it isn't possible to limit this rule more. I tried all other interfaces present on my system, and that does not work either. Using tcpdump, I can't see the traffic related to this service on any interface except the external one. It's a little bit strange to me.

Finally, I will write another mail for the other case.

kaycee,
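As an added illustration of the rdr/pass split discussed in the post (this is example configuration, not the poster's file): the single `rdr pass` form and the equivalent two-rule form side by side, in FreeBSD 11.x pf.conf syntax. The interface name `em0`, the jail address `10.0.0.10` and the `<bruteforce>` table are assumptions chosen for the example. Two points the example relies on: FreeBSD's pf requires translation rules (`rdr`, `nat`) to appear before filter rules in the file, and an rdr'd packet reaches the filter rules with its destination already rewritten, so the `pass in` rule on the external interface must match the jail address, not the external address.

```pf
# Added example pf.conf fragment (FreeBSD 11.x). Interface, addresses and
# the table name are assumptions for illustration, not the poster's values.
ext_if = "em0"
j_one  = "10.0.0.10"            # jail address (alias on lo1, a bridge, ...)

# Source addresses that trip the connection limits below end up here.
table <bruteforce> persist

# --- Translation section: must precede every filter rule, or pfctl rejects
#     the file with "Rules must be in order: options, normalization,
#     queueing, translation, filter".

# Form 1 (one line): rdr and pass combined. The translated packet is passed
# by this rule directly; no filter rule below is consulted for it, which is
# why per-rule filter options cannot be attached to it.
#rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# Form 2 (split): rdr only rewrites the destination ($ext_if:443 -> $j_one:443).
rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# --- Filter section.

# The packet arrives on $ext_if and, after translation, is addressed to
# $j_one, so the pass rule matches on $j_one. Splitting the rule lets
# filter options (logging, state limits, overload table) be attached.
pass in log quick on $ext_if inet proto tcp from any to $j_one port 443 \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Drop anything from addresses that exceeded the limits above.
block in quick on $ext_if from <bruteforce> to any
```

To validate: `pfctl -nf /etc/pf.conf` parses the file without loading it (ordering and syntax errors show up here), `pfctl -f /etc/pf.conf` loads it, `pfctl -sn` lists the translation rules and `pfctl -sr` the filter rules as pf actually parsed them, and `pfctl -ss` shows states; a connection that was redirected appears there with the translated jail address and the original external address in parentheses. Because the pass rule carries `log`, each matching packet is also written to pflog0 and can be inspected with `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to confirm which rule and interface the redirected traffic is really hitting.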