Date:      Sun, 22 Dec 2013 10:04:47 -0800 (PST)
From:      Beeblebrox <zaphod@berentweb.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: NAT & RDR rules for jailed proxy services
Message-ID:  <1387735487942-5870782.post@n5.nabble.com>
In-Reply-To: <52B5B556.3070209@innolan.dk>
References:  <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com> <52B5B556.3070209@innolan.dk>

Hi Carsten,
Thanks very much for your ideas & input. I have it working mostly as you
advised. Nat rules:
 nat on $ExtIf proto {tcp,udp} from $jdns to $JaIf port 443 tag NAT_DNS -> $ExtIf     # I use dnscrypt-proxy
 nat on $ExtIf proto {tcp,udp} from $jprvx to $JaIf port {80,443} tag NAT_PRVX -> $ExtIf
 nat on $ExtIf from any to !($ExtIf) -> $ExtIf
I don't have to use different ports, it works as is. Tagging does help
distinguish between "same port, different jail" (for port 443 as example).

That said, I seem to have run into a strange filter rule problem. I aim to
block all ports that each jail is not using. Partial filter rules:
 block drop log (all) on $ExtIf
 block drop log (all) on $JaIf
##_PRIVOXY
 pass in quick on $JaIf proto tcp from any to $jprvx port 8118
 pass out quick on {$JaIf,$ExtIf} inet tagged NAT_PRVX $TcpState $OpenSTO

The strangeness: When I comment out the block code (rules lines 1 & 2
above), the privoxy jail stops working. tcpdump shows:
1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0

Is the problem with the port that privoxy is using, or do I need to allow
some other pass rule for each jail (like jail's lo0 must be able to pass to
<jail-ip>:8118)?

>> Also add scrub to ensure no packet fragmentation. This is needed for pf
>> to work. 
I have a bunch of code I have omitted so as to keep the messages short.

Thanks and Regards.




-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870782.html
Sent from the freebsd-pf mailing list archive at Nabble.com.
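The message above describes NAT tagging for two jails that share an outbound port, plus a default-deny filter on the jail interface. The pf.conf fragment below is an added illustration of that pattern and is not the poster's configuration: interface names, jail addresses, the NAT_DNS/NAT_PRVX tag names and the $TcpState macro are assumed for the example. It also pairs the "pass in" on the jail interface with a "pass out", because the tcpdump lines in the message show the SYN being dropped on the outbound side of lo2, and pf evaluates the filter separately in each direction on every interface it is not told to skip.

```pf
# Added example, not the poster's pf.conf.  Names and addresses are assumed.
ExtIf    = "em0"            # assumed external interface
JaIf     = "lo2"            # assumed jail interface (cloned loopback)
jdns     = "192.168.2.98"   # assumed dnscrypt-proxy jail
jprvx    = "192.168.2.99"   # assumed privoxy jail
TcpState = "flags S/SA keep state"

set skip on lo0             # the host's own loopback is not filtered
scrub in all                # reassemble fragments before filtering

# Translation: each jail's outbound traffic is NATed and tagged, so the
# filter rules can tell "same port, different jail" apart (both use 443).
nat on $ExtIf proto { tcp, udp } from $jdns  to any port 443         tag NAT_DNS  -> ($ExtIf)
nat on $ExtIf proto tcp          from $jprvx to any port { 80, 443 } tag NAT_PRVX -> ($ExtIf)

# Default deny on both interfaces; log (all) records every packet the
# block rule sees, which is what produced the "block out on lo2" lines.
block drop log (all) on $ExtIf
block drop log (all) on $JaIf

# Clients reach privoxy on the jail address.  The filter runs once on the
# way in and once on the way out of $JaIf, so both directions need a pass
# rule; a "pass in" alone leaves the outbound side to the block rule.
pass in  quick on $JaIf proto tcp from any to $jprvx port 8118 $TcpState
pass out quick on $JaIf proto tcp from any to $jprvx port 8118 $TcpState

# Tagged NAT traffic may leave through the jail and external interfaces.
pass out quick on { $JaIf, $ExtIf } inet tagged NAT_PRVX $TcpState
pass out quick on { $JaIf, $ExtIf } inet tagged NAT_DNS  $TcpState
```

Check the result with "pfctl -nf /etc/pf.conf" to parse the file before loading it, and "pfctl -vsr" to see the rule numbers that tcpdump's "rule N" field refers to when reading pflog output.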


