From owner-freebsd-pf@FreeBSD.ORG Sat Nov 22 09:20:11 2014
Date: Sat, 22 Nov 2014 10:14:26 +0100
From: Niklaas Baudet von Gersdorff
To: freebsd-pf@freebsd.org
Subject: Configuring PF with Jails only having IPv6
Message-ID: <20141122091426.GA2833@len-x61s.klaas>
X-PGP-Key: http://www.kulturflatrate.net/niklaas/niklaas-baudet-von-gersdorff.asc
Dear list members,

I have been struggling to properly set up PF for some days. I am renting a root server that has one public IPv4 address and a /64 IPv6 subnet. It is the first time that I am using FreeBSD 10. I got attracted by the jails concept and successfully set up the root server itself as well as one jail with ezjail using one IPv6 address. It is possible to connect to the jail via SSH when PF is _disabled_.

The network configuration looks as follows. I censored some information. The information that is censored is explained after each output:

# ifconfig
re0: flags=8843 metric 0 mtu 1500
        options=8209b
        ether [# MAC address]
        inet [#1] netmask 0xffffffff broadcast [#2]
        inet6 fe80::6e62:6dff:fe60:74fb%re0 prefixlen 64 scopeid 0x1
        inet6 [#3] prefixlen 64
        inet6 [#4] prefixlen 64
        nd6 options=8021
        media: Ethernet autoselect (1000baseT )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=600003
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21
pflog0: flags=141 metric 0 mtu 33160

[#1] = IPv4 address of root server
[#2] = IPv4 address of root server's gateway
[#3] = IPv6 address of root server
[#4] = IPv6 address of jail

# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs    Use  Netif Expire
default            static.[#2]        UGS         0 110615    re0
localhost          link#2             UH          0   1614    lo0
static.[#2]        [some MAC address] UHS         0      0    re0
static.[#1]        link#1             UHS         0   8898    lo0 =>
[#4]/32            link#1             U           0      0    re0

Internet6:
Destination        Gateway            Flags   Netif Expire
::                 localhost          UGRS    lo0 =>
default            fe80::1%re0        UGS     re0
localhost          link#2             UH      lo0
::ffff:0.0.0.0     localhost          UGRS    lo0
[#3]               link#1             U       re0
[#3]               link#1             UHS     lo0
[#3]               link#1             UHS     lo0
[#3]               link#1             UHS     lo0
fe80::             localhost          UGRS    lo0
fe80::%re0         link#1             U       re0
fe80::6e62:6dff:fe link#1             UHS     lo0
fe80::%lo0         link#2             U       lo0
fe80::1%lo0        link#2             UHS     lo0
ff01::%re0         fe80::6e62:6dff:fe U       re0
ff01::%lo0         localhost          U       lo0
ff02::             localhost          UGRS    lo0
ff02::%re0         fe80::6e62:6dff:fe U       re0
ff02::%lo0         localhost          U       lo0

[#1] = IPv4 address of the root server in reverse order
[#2] = IPv4 address of the gateway of the root server in reverse order
[#3] = IPv6 subnet
[#4] = IPv4 address of the root server

The network configuration is taken from http://wiki.hetzner.de/index.php/FreeBSD_installieren/en#IPv6 and provided by the provider where I am renting the root server, which results in the following configuration in `/etc/rc.conf`:

ifconfig_re0="inet [#1]/32"
gateway_if="re0"
gateway_ip="[#2]"
static_routes="gateway default"
route_gateway="-host $gateway_ip -interface $gateway_if"
route_default="default $gateway_ip"
ipv6_default_interface="re0"
ifconfig_re0_ipv6="[#3]/64"
# set a static local interface-route
ipv6_defaultrouter="fe80::1%re0"
ifconfig_re0_alias0="inet6 [#4]/64"

[#1] = IPv4 address of the root server
[#2] = IPv4 address of the gateway of the root server
[#3] = IPv6 address of the root server
[#4] = IPv6 address of the jail

The following configuration I basically took from pf.conf(5):

# pfctl -vnf /etc/pf.conf
ext_if = "re0"
services = "{ ssh }"
table <[table name lost in archiving]> persist { [#1] [#2] [#3] }
set skip on { lo0 }
scrub in on re0 all fragment reassemble
block return log on re0 all
block drop in from no-route to any
block drop in from urpf-failed to any
block drop out log quick on re0 from ! <[table name lost in archiving]> to any
block drop in quick on re0 inet from any to 255.255.255.255
block drop in log quick on re0 inet from 10.0.0.0/8 to any
block drop in log quick on re0 inet from 172.16.0.0/12 to any
block drop in log quick on re0 inet from 192.168.0.0/16 to any
block drop in log quick on re0 inet from 255.255.255.255 to any
pass out on re0 proto udp all keep state
pass in on re0 proto udp from any to any port = domain keep state
pass on re0 inet proto icmp all icmp-type echoreq code 0 keep state
pass out on re0 proto tcp all flags S/SA modulate state
pass in on re0 proto tcp from any to any port = ssh flags S/SA keep state
block drop in on re0 proto tcp from any os "nomatch" to any port = smtp

[#1] = IPv4 address of the root server
[#2] = IPv6 address of the root server
[#3] = IPv6 address of the jail

As a start I would like to block everything and only open the SSH port so that I can connect to the root server itself as well as the jails that I set up. Although I did lots of research on the web, I haven't found any solution to connect to the jail while PF is enabled yet. I guess this comes from the somehow "weird" set-up of the routing in `/etc/rc.conf` and the fact that I do not understand it.

The following excerpt is from `pflog0`, which I get when I try to connect to the jail via SSH.

00:00:01.043975 rule 0..16777216/0(match): block out on re0: (hlim 255, next-header ICMPv6 (58) payload length: 32) [#1] > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
          source link-address option (1), length 8 (1): [# MAC address]

[#1] = IPv6 address of jail

So it looks like ICMPv6 traffic is blocked, but I am not sure about this. Maybe I also need to add the "routing information" to PF's configuration, but I do not know how to do this.

Any help is very much appreciated.

Best,

--
Niklaas Baudet von Gersdorff
niklaas@kulturflatrate.net
http://www.twitter.com/NBvGersdorff
http://www.kulturflatrate.net/niklaas
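An added example, not part of the poster's message or of the FreeBSD documentation: the pflog line above shows an outbound ICMPv6 neighbor solicitation from the jail's address hitting the default "block return log on re0 all" rule, because the only ICMP pass rule in the ruleset is "inet proto icmp", which matches IPv4 only. Without neighbor discovery the jail can never learn the link-layer address of the fe80::1 default router, so no IPv6 packet leaves the host. The fragment below shows the ICMPv6 rules the ruleset is missing; the table name <myself> and the address macros are placeholders standing in for the censored values.

```pf
# Added example: ICMPv6 rules the poster's ruleset lacks.
# <myself>, $host_ip6 and $jail_ip6 are placeholders for the censored
# table name and addresses.
ext_if = "re0"
host_ip6 = "[# IPv6 address of the root server]"   # placeholder
jail_ip6 = "[# IPv6 address of the jail]"          # placeholder
table <myself> persist { $host_ip6 $jail_ip6 }

set skip on { lo0 }
scrub in on $ext_if all fragment reassemble

# Default deny, as in the original ruleset.
block return log on $ext_if all

# Neighbor Discovery must pass in both directions before any other IPv6
# traffic can work. The solicitation goes to a solicited-node multicast
# group (ff02::1:ff00:1 in the pflog line) and the advertisement comes
# back unicast from a different address, so it never matches the
# solicitation's state entry; hence a bidirectional rule, not "pass out".
# "quick" and placement ahead of the "from ! <myself>" rule matter:
# Duplicate Address Detection sends solicitations from :: and the host's
# own link-local fe80:: address is not in the table either.
pass quick on $ext_if inet6 proto icmp6 all \
    icmp6-type { neighbrsol, neighbradv }

# Router solicitation/advertisement keep the fe80::1 router reachable
# when the provider relies on RAs; harmless on a statically routed host.
pass quick on $ext_if inet6 proto icmp6 all \
    icmp6-type { routersol, routeradv }

# Error messages needed for Path MTU discovery and normal TCP behaviour,
# plus echo requests, mirroring the IPv4 "icmp-type echoreq" rule.
pass on $ext_if inet6 proto icmp6 all \
    icmp6-type { toobig, timex, unreach, paramprob, echoreq }

# Anti-spoofing rule from the original, now evaluated after ND has passed.
block drop out log quick on $ext_if from ! <myself> to any

pass in on $ext_if proto tcp from any to any port ssh flags S/SA keep state
pass out on $ext_if proto tcp all flags S/SA modulate state
```

Validate with `pfctl -vnf /etc/pf.conf` before loading, then watch `tcpdump -n -e -ttt -i pflog0 icmp6` while retrying the SSH connection: the neighbor solicitation to ff02::1:ff00:1 should no longer be logged as blocked.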