Date:      Fri, 8 Jan 2010 00:29:36 -0700
From:      "Peter" <fbsdq@peterk.org>
To:        "Max Laier" <max@love2party.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: setfib + pf + synproxy not working
Message-ID:  <ef0235efb1bee512b72fba859b8f5e82.squirrel@pop.pknet.net>
In-Reply-To: <201001080655.43652.max@love2party.net>
References:  <25cb73eeb5cb6830aefd1164b23e82b8.squirrel@pop.pknet.net> <201001080655.43652.max@love2party.net>


> On Friday 08 January 2010 06:04:34 Peter wrote:
>> iH,
>>    Playing around with FIBs and jails.
>>
>> The host system is on a private 172.xxx network with a gateway of
>> 172.xxx going through a NAT box for internet. [fib 0]
>>
>> The jail has only a public IP, on fib 1 [with gateway being ISP router]
>>
>> With this, the jail is working fine.
>>
>> What I'm trying to accomplish is portknocking for 'ssh' access:
>>
>> pass in log quick proto tcp from any to any port {1234} synproxy state \
>>   (max-src-conn-rate 5/15, overload <portknock_ssh>)
>>
>> Because the jail is on 'fib 1', the connection is never established to
>> overload the rule. The 'synproxy state' is communicating via the
>> 172.xxxx/default gateway [of fib 0] instead of via the public "fib 1"
>>
>> I can ssh into the jail if I do
>> pass in log quick proto tcp from any to any port {22} keep state
>>
>> I CANNOT ssh into the jail if I do
>> pass in log quick proto tcp from any to any port {22} synproxy state
>>
>> Anyway I can force 'synproxy' to communicate via fib 1 ?
>
> I don't think I understand your setup and intent completely, but you can
> select a fib with the "rtable" filter parameter.  It *should* be used for
> the synproxy communication, as well.  Please report if this helps.
>
> --
>   Max
>

host: 172.xxx -> gateway = 172.xxx.1 [NAT] -> 216.241.167.YY [fib 0/default]
jail: 216.241.167.XX -> gateway = 216.241.167.1 [jail started on fib 1]

fib0: gateway = 172.xxx.1 [host]
fib1: gateway = 216.241.167.1 [jail]

With the jail on fib 1, and a different gateway from the host system itself,
'synproxy' does not work.

With rtable, I'm still NOT able to connect to the jail from outside:
  pass in log quick proto tcp from any to any port = ssh synproxy state \
    rtable 1

[/sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f  /etc/pf.conf]

If I remove 'synproxy state' and put in 'keep state' it works.

FreeBSD stable/8

]Peter[
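
The complete rule set this thread implies, written out as an added example (it is not Peter's pf.conf and was not posted in the thread): the knock rule from the first mail, the table it overloads into, and an ssh rule that only admits sources already in that table. pf counts a connection toward max-src-conn-rate only once the TCP handshake has completed, which is why the knock port is given synproxy: pf finishes the handshake itself even though nothing listens on 1234. The interface name, the block/pass defaults, and putting rtable 1 on both rules are assumptions. Peter reports that synproxy still failed with rtable 1 on his stable/8 box, so this shows the intended mechanism, not a confirmed fix.

```pf
# /etc/pf.conf fragment (added example, not from the thread)
ext_if = "em0"            # assumption: the interface carrying 216.241.167.XX

# Sources that knock hard enough are added here by the overload clause.
table <portknock_ssh> persist

# Defaults: nothing in, replies and our own traffic out.
block in on $ext_if
pass out on $ext_if keep state

# The knock port. Nothing listens on 1234; synproxy lets pf complete the
# three-way handshake itself, so each attempt counts as an established
# connection. More than 5 of them in 15 s from one source puts that
# source into <portknock_ssh>. rtable 1 is an assumption: the jail's
# public address and gateway live on fib 1.
pass in log quick on $ext_if proto tcp from any to any port 1234 \
    synproxy state (max-src-conn-rate 5/15, overload <portknock_ssh>) rtable 1

# ssh only for sources that have knocked. keep state is the variant Peter
# reports working from outside; synproxy state did not, with or without
# rtable 1.
pass in log quick on $ext_if proto tcp from <portknock_ssh> to any port ssh \
    keep state rtable 1
```

Load it the same way as in the mail (`pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf`). Entries added by overload stay until removed; to make a knock expire, run `pfctl -t portknock_ssh -T expire 3600` from cron, which deletes addresses that were added (had their statistics cleared) more than an hour ago.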