From owner-freebsd-questions@freebsd.org Tue Mar 29 09:00:01 2016
Date: Tue, 29 Mar 2016 09:59:59 +0100
From: krad
To: tyler@tysdomain.com
Cc: FreeBSD Questions
Subject: Re: question re: PF and forwarding
In-Reply-To: <56F992AA.7070409@tysdomain.com>
References: <56F992AA.7070409@tysdomain.com>

What network topology are the jails' NICs on? I presume it's not vnet, as that doesn't play well with PF. Your rules hint at the jails being on loopback. If so, can you put them on a separate IP on your subnet, as PF can still filter them fine there, and you will find the ruleset a bit easier to manage. If those 192 addresses aren't on loopback and are on the same subnet as the host's IP on igb0, why are you NATing them? This will probably cause issues.

On 28 March 2016 at 21:23, Littlefield, Tyler wrote:
> All,
> Sorry for the multiple emails recently. I'm working to get my server
> set up here so I can begin doing some dev on bhyve once that is all
> finalized.
> I am jailing my services like minidlna, samba and unbound, and am using
> PF to forward those.
> For whatever reason I do not see the ports I specify as open ports,
> but the individual addresses show them when I connect from within my
> server. For example, I can telnet 192.168.0.2 445 and that works fine
> in terms of establishing a connection.
> I was hoping that someone might see any connection here. Here is my pf.conf.
> ***
> if="igb0"
> addr="10.21.96.128"
> samba_addr="192.168.0.2"
> dlna_addr="192.168.0.3"
> unbound_addr="192.168.0.4"
> tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
>
> set skip on lo
> set loginterface $if
> scrub in all
>
> #allow jails through
> nat on $if inet from $samba_addr to any tag jail_samba -> $addr
> nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
> nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
> #portforward to jails.
> #unbound
> rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
> rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
> #samba
> rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
> rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
>
> #rules
> pass quick on lo1
> pass from igb0:network to any keep state
>
> #default policy: deny
> antispoof quick for { $if lo }
> block in all
> #accept TCP ports.
> pass in on $if proto tcp from any to any port $tcp_services
> pass in on $if proto udp from any to any port $udp_services
> ***
> --
> Take care,
> Ty
> Twitter: @sorressean
> Web: https://tysdomain.com
> Pubkey: https://tysdomain.com/files/pubkey.asc
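An added example, not part of krad's reply or Tyler's posted pf.conf, showing the topology krad suggests: each jail gets its own address in the host's subnet as an alias on igb0, so the nat and rdr rules (and their tags) disappear and PF filters the jail addresses directly, opening each service only on the address that serves it. The jail addresses 10.21.96.129 to 10.21.96.131 are placeholders assumed to be free in that subnet.

```pf
# Added example: jails on igb0 aliases inside the host's own subnet
# (assumed 10.21.96.0/24; the .129-.131 addresses are placeholders).
# With ip4.addr = "igb0|10.21.96.129/32"; (and so on) in jail.conf, inbound
# traffic for a jail arrives on igb0 addressed to the jail itself,
# so no nat or rdr rule is needed.
if="igb0"
addr="10.21.96.128"
samba_addr="10.21.96.129"
dlna_addr="10.21.96.130"
unbound_addr="10.21.96.131"
samba_tcp="{ netbios-ssn microsoft-ds }"
samba_udp="{ netbios-ns netbios-dgm }"

set skip on lo
set loginterface $if
scrub in all

# default policy: deny inbound, let the host and the jails out with state
antispoof quick for { $if lo }
block in all
pass out on $if keep state

# host: only ssh
pass in on $if proto tcp from any to $addr port ssh

# unbound jail: DNS on both protocols
pass in on $if proto { tcp udp } from any to $unbound_addr port 53

# samba jail: NetBIOS name/datagram over UDP, session service and SMB over TCP
pass in on $if proto tcp from any to $samba_addr port $samba_tcp
pass in on $if proto udp from any to $samba_addr port $samba_udp

# dlna jail: no service opened yet, as in the posted ruleset
```

After loading it, pfctl -sr should show only pass rules addressed to the jail aliases and pfctl -sn should be empty, which is the quickest check that no translation is left in the path.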