Date:      Mon, 16 Aug 2021 16:31:06 -0500
From:      Valeri Galtsev <galtsev@kicp.uchicago.edu>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Jails: pf blocks access to localhost of host system
Message-ID:  <8f6aa4f4-f361-e6eb-985b-291b7be631e0@kicp.uchicago.edu>

Dear Experts in pf and jails.

I am a recent refugee to pf from ipfw, which I was happily using for a 
decade (why is a different story). I seem to be able to configure all I 
need with pf, except one thing, which is jail access to the localhost of 
the host system.

I configure jails "by the book" (i.e. the FreeBSD handbook); I do not use any 
scripts facilitating the process, which is simple enough for me. My jail 
configuration is like the following:

# cat /etc/jail.conf

jailname {
     host.hostname = "hostname.domainname";
     ip4.addr = X.Y.Z.W;  # address on public address space
     devfs_ruleset = 7;   // integer number of the devfsrules_jail_bpf ruleset
                          // in /etc/devfs.rules
     persist;             // Required because there are no processes
     exec.start = "/etc/rc.d/cron start; /etc/rc.d/syslogd start; /usr/local/etc/rc.d/apache24 start";
     exec.stop = "/usr/local/etc/rc.d/apache24 stop; /etc/rc.d/syslogd stop; /etc/rc.d/cron stop";
}

As you see, there is no lo0 configured in the jail. (I do have lo0 
configured in jails on some machines, but I do not feel it is necessary in 
this case.) Now if a script from apache in that jail connects to port 25 on 
localhost to send email, the connection goes to the postfix I run on the host 
system.

While I was using ipfw, having the rule allowing all traffic on lo0 to 
pass (I figure) at the top of the rules did the trick. I cannot achieve the 
same with pf. Searching the web didn't help either.

Here is my pf.conf, simplified to the necessary minimum for debugging:


# cat /etc/pf.conf
##################### BEGIN
# macro name(s) for external interface(s).
ext_if = "bce0"
int_if = "bce1"

services = "{ 80 443 3306 5432 9102 }"

icmp_types = "{ echoreq unreach }"

# set a default deny everything policy.
block all

# Allow all traffic on trusted interfaces
pass quick from { lo0 $int_if } to any keep state

# keep state on any outbound tcp, udp or icmp traffic.
# modulate the isn (initial sequence number) of outgoing packets:
# broken operating systems sometimes don't randomize this number,
# making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any \
     modulate state

# set a rule that allows inbound ssh traffic
pass in on $ext_if proto tcp to port { 22 } \
     keep state

# On workstation we will pass all outgoing traffic
pass out all keep state

# We pass what comes to our services (but DHCP is taken care of above)
pass in on $ext_if proto { tcp udp } to port $services

# and icmp types we want
pass inet proto icmp icmp-type $icmp_types

##################### END


If I am inside jail the command

telnet localhost 25

successfully connects to the postfix run on the host system. When I enable pf 
with the rules as above, the same connection from inside the jail just hangs.

I was assuming the rule:

pass quick from { lo0 $int_if } to any keep state

would do the trick, but no, the connection from inside the jail to the host 
system's localhost port 25 is blocked by pf.


Can someone give me any pointers for this particular case?

Thanks a lot in advance for your pointers!

Valeri


PS: I know I can do the following and it will work: configure lo0 in the 
jail (splitting part of 127.0.0.0/8 away from the host to the guest/jail) and 
run postfix in the jail. But being able to tell pf what I want it to [not] 
do would be preferable.

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++