Date: Sun, 22 Dec 2013 10:04:47 -0800 (PST) From: Beeblebrox <zaphod@berentweb.com> To: freebsd-pf@freebsd.org Subject: Re: NAT & RDR rules for jailed proxy services Message-ID: <1387735487942-5870782.post@n5.nabble.com> In-Reply-To: <52B5B556.3070209@innolan.dk> References: <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com> <52B5B556.3070209@innolan.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Carsten, Thanks very much for your ideas & input. I have it working mostly as you advised. Nat rules: nat on $ExtIf proto {tcp,udp} from $jdns to $JaIf port 443 tag NAT_DNS -> $ExtIf # I use dnscrypt-proxy nat on $ExtIf proto {tcp,udp} from $jprvx to $JaIf port {80,443} tag NAT_PRVX -> $ExtIf nat on $ExtIf from any to !($ExtIf) -> $ExtIf I don't have to use different ports, it works as is. Tagging does help distinguish between "same port, different jail" (for port 443 as example). That said, I seem to have run into a strange filter rule problem. I aim to block all ports that each jail is not using. Partial filter rules: block drop log (all) on $ExtIf block drop log (all) on $JaIf ##_PRIVOXY pass in quick on $JaIf proto tcp from any to $jprvx port 8118 pass out quick on {$JaIf,$ExtIf} inet tagged NAT_PRVX $TcpState $OpenSTO The strangeness: When I comment out the block code (rules lines 1 & 2 above), the privoxy jail stops working. tcpdump shows: 1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0 1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0 1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0 1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0 Is the problem with the port that privoxy is using, or do I need to allow some other pass rule for each jail (like jail's lo0 must be able to pass to <jail-ip>:8118)? >> Also add scrub to ensure no packet fragmentation. This is needed for pf >> to work. I have a bunch of code I have ommited so as to keep the messages short. Thanks and Regards. ----- FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS -- View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870782.html Sent from the freebsd-pf mailing list archive at Nabble.com.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1387735487942-5870782.post>