Date: Tue, 25 Feb 2020 13:43:50 -0800
From: Chris <bsd-lists@BSDforge.com>
To: kaycee gb <kisscoolandthegangbang@hotmail.fr>
Cc: <freebsd-pf@freebsd.org>
Subject: Re: usage of rdr and pass validation
Message-ID: <ca4a54cb0a0cf7f7fda8ca5243975e2c@udns.ultimatedns.net>
In-Reply-To: <VE1PR03MB562975D8603E19240682F41FA0ED0@VE1PR03MB5629.eurprd03.prod.outlook.com>
On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb kisscoolandthegangbang@hotmail.fr said

> Hi,
>
> First, sorry, English is not my native language. I will try to be as precise
> as possible.
>
> And also I am not sure it is only pf related. Let me know in this case
> please. Maybe it would be for net and jail too.
>
> So, I have two cases, maybe related.
>
> First one is for using an rdr translation rule.
> I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to join
> one service from the outside. Using one rdr rule like this one, all seems to
> work fine. I have access to the service.
>
> > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 ->
> > $j_one port 443
>
> But in case I want to apply some options to this, I have to split it in 3.
> This is the relevant part of my config that makes it work
>
> > # Emulate skip on lo0
> > pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> > # jail internal comms
> > pass quick on lo0 from $j_one to $j_one
> >
> > # other traffic ( do not know yet why it is necessary and why no interface
> > # specified is mandatory )
> > pass in quick proto tcp from any to $j_one port 443
> >
> > # block all on lo0
> > block log quick on lo0
> >
> > rdr on $ext_if inet proto tcp from any to $ext_if port 443 ->
> > $j_one port 443
> > pass in quick on $ext_if proto tcp from any to $j_one port 443
>
> See the two lines at the end, which are the first two parts. The third part
> is the line after the "other traffic" comment. After a lot of error and retry,
> this line has to be written like that. I can not add "on lo0" on this line or
> the service is not reachable.
>
> I've been using jails for some time now and remember having jail traffic bound
> to lo0 before, even in my configuration where jails have another interface
> defined (a bridge generally).
>
> So I would like to know why it isn't possible to limit this rule more? I
> tried all other interfaces present in my system, and that does not work
> either. Using tcpdump, I can't see the traffic related to this service on any
> interface except the external one. It's a little bit strange for me.
>
> Finally, I will write another mail for the other case.

FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...) when I attempt
these sorts of things. As it seems to simplify things in my head.

For example, rc.conf

cloned_interfaces="lo1 lo2"
ifconfig_lo1="inet 127.0.0.2"
ifconfig_lo2="inet 127.0.0.3"

This allows me to treat them as any other NIC. I route as necessary to my NIC
to the outside world; pf.conf(5):

EXT_ADDR="ou.ts.ide.ip"
# contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
table <trusted> persist file "/etc/TRUSTED"
set skip on { lo0, lo1, lo2 }
# this only represents the rule(s) for lo1 but should be helpful for
# additional rules on lo2 (or more)
nat pass on re0 from { lo1 } to any -> $EXT_ADDR
rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR

block in
pass out

HTH

--Chris

>
> kaycee,
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
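A complete pf.conf that puts the two forms discussed in the thread side by side (the single "rdr pass" rule and the split rdr + pass that is needed when the pass rule has to carry options), on top of the cloned per-jail loopbacks from Chris's reply. This is an added example and not the configuration of either poster; the interface name re0, the documentation address 203.0.113.10 standing in for the public IP, the jail addresses 127.0.0.2/127.0.0.3 on lo1/lo2, the macro names and the <bruteforce> table are all assumptions.

```pf
# Added example (not from the thread). Assumed names: re0 is the external NIC,
# 203.0.113.10 stands in for the public address, and the jails sit on cloned
# loopbacks created from rc.conf with
#   cloned_interfaces="lo1 lo2"
#   ifconfig_lo1="inet 127.0.0.2"
#   ifconfig_lo2="inet 127.0.0.3"
ext_if   = "re0"
ext_addr = "203.0.113.10"
j_web    = "127.0.0.2"    # jail on lo1
j_mail   = "127.0.0.3"    # jail on lo2

# Filled by the overload option on the port 25 pass rule below (assumed name).
table <bruteforce> persist

# The loopbacks carry only jail-local traffic, so do not filter on them.
set skip on { lo0, lo1, lo2 }

# Outbound: jail traffic leaves re0 with the public source address.
nat on $ext_if from { $j_web, $j_mail } to any -> $ext_addr

# Inbound, form 1: translation and filtering in one rule. With the "pass"
# modifier pf creates state and the translated packets are not evaluated
# against the filter rules, so no separate "pass in" is needed for port 443.
rdr pass on $ext_if inet proto tcp from any to $ext_addr port 443 -> $j_web port 443

# Inbound, form 2: rdr and pass split, for when the pass rule must carry
# options. Translation runs before filtering, so the pass rule matches the
# post-translation destination (the jail address), not $ext_addr.
rdr on $ext_if inet proto tcp from any to $ext_addr port 25 -> $j_mail port 25

# Filter rules (must follow all translation rules): default deny inbound
# with logging, then the one explicit exception for the split rdr above.
block in log
block in quick from <bruteforce>
pass in quick on $ext_if inet proto tcp from any to $j_mail port 25 \
    keep state (max-src-conn 20, max-src-conn-rate 10/30, \
                overload <bruteforce> flush)
pass out keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only, nothing is changed), then `pfctl -sn` and `pfctl -sr` to confirm the translation and filter rules that are actually loaded. With `pflog_enable="YES"` in rc.conf, `tcpdump -n -e -ttt -i pflog0` shows what the `block in log` rule is dropping, which is the quickest way to see whether an inbound connection is failing on the rdr or on the pass side.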