Date: Tue, 25 Feb 2020 19:50:11 +0000 From: kaycee gb <kisscoolandthegangbang@hotmail.fr> To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org> Subject: usage of rdr and pass validation Message-ID: <VE1PR03MB562975D8603E19240682F41FA0ED0@VE1PR03MB5629.eurprd03.prod.outlook.com>
Hi,

First, sorry, English is not my native language. I will try to be as precise as possible.

And also I am not sure it is only pf related. Let me know in this case please. Maybe it would be for net and jail too.

So, I have two cases, maybe related.

The first one is for using an rdr translation rule.

I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to reach one service from the outside. Using one rdr rule like this one, all seems to work fine. I have access to the service.

> rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

But in case I want to apply some options to this, I have to split it in 3. This is the relevant part of my config that makes it work:

> # Emulate skip on lo0
> pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> # jail internal comms
> pass quick on lo0 from $j_one to $j_one
>
> # other traffic (do not know yet why it is necessary and why no interface specified is mandatory)
> pass in quick proto tcp from any to $j_one port 443
>
> # block all on lo0
> block log quick on lo0
>
> rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> pass in quick on $ext_if proto tcp from any to $j_one port 443

See the two lines at the end, which are the first two parts. The third part is the line after the "other traffic" comment. After a lot of trial and error, this line has to be written like that. I cannot add "on lo0" to this line, or the service is not reachable.

I have been using jails for some time now and remember having jail traffic bound to lo0 before, even when in my configuration the jails have another interface defined (a bridge, generally).

So I would like to know why it isn't possible to limit this rule more. I tried all the other interfaces present in my system, and that does not work either. Using tcpdump, I can't see the traffic related to this service on any interface except the external one.

It's a little bit strange for me.

Finally, I will write another mail for the other case.

kaycee,
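As an added illustration, not part of the original message and not kaycee's configuration: one way to keep the third pass rule narrow without naming an interface is to have the rdr rule tag the packets it translates and have the pass rule match on that tag instead of on an interface. The ruleset below mirrors the split form quoted above with that one change. It assumes FreeBSD 11.x pf accepts `tag` on rdr rules as pf.conf(5) documents (check with `pfctl -nf` before loading), and the macro values are placeholders.

```pf
# Added example, not the poster's pf.conf. Placeholder values:
ext_if = "em0"          # assumption: external interface name
j_one  = "10.0.0.11"    # assumption: address of the jail

# Emulate skip on lo0, as in the quoted ruleset
pass quick on lo0 from 127.0.0.1 to 127.0.0.1
# jail internal comms
pass quick on lo0 from $j_one to $j_one

# Pass only packets that carry the tag set by the rdr rule below.
# 'tagged' stands in for the interface restriction that the message
# says could not be applied; a packet to $j_one port 443 that did
# not go through the redirection does not match here.
pass in quick proto tcp from any to $j_one port 443 tagged JAIL_ONE_HTTPS

# block all on lo0
block log quick on lo0

# Translate on $ext_if and tag the packet (tag goes before "->").
rdr on $ext_if inet proto tcp from any to $ext_if port 443 \
    tag JAIL_ONE_HTTPS -> $j_one port 443
pass in quick on $ext_if proto tcp from any to $j_one port 443 tagged JAIL_ONE_HTTPS
```

Validate the syntax with `pfctl -nf /etc/pf.conf`, then after loading confirm the rules with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules); the tag name appears in both listings.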
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?VE1PR03MB562975D8603E19240682F41FA0ED0>