From: "Peter"
To: "Max Laier"
Cc: freebsd-pf@freebsd.org
Date: Fri, 8 Jan 2010 00:29:36 -0700
Subject: Re: setfib + pf + synproxy not working
In-Reply-To: <201001080655.43652.max@love2party.net>
References: <25cb73eeb5cb6830aefd1164b23e82b8.squirrel@pop.pknet.net> <201001080655.43652.max@love2party.net>

> On Friday 08 January 2010 06:04:34 Peter wrote:
>> Hi,
>> Playing around with FIBs and jails.
>>
>> The host system is on a private 172.xxx network with a gateway of 172.xxx
>> going through a NAT box for internet. [fib 0]
>>
>> The jail has only a public IP, on fib 1 [with gateway being ISP router]
>>
>> With this, the jail is working fine.
>>
>> What I'm trying to accomplish is portknocking for 'ssh' access:
>>
>> pass in log quick proto tcp from any to any port {1234} synproxy state \
>> (max-src-conn-rate 5/15, overload )
>>
>> Because the jail is on 'fib 1', the connection is never established to
>> overload the rule. The 'synproxy state' is communicating via the
>> 172.xxxx/default gateway [of fib 0] instead of via the public "fib 1"
>>
>> I can ssh into the jail if I do
>> pass in log quick proto tcp from any to any port {22} keep state
>>
>> I CANNOT ssh into the jail if I do
>> pass in log quick proto tcp from any to any port {22} synproxy state
>>
>> Any way I can force 'synproxy' to communicate via fib 1?
>
> I don't think I understand your setup and intent completely, but you can
> select a fib with the "rtable" filter parameter. It *should* be used for the
> synproxy communication, as well. Please report if this helps.
>
> --
> Max

host: 172.xxx -> gateway = 172.xxx.1 [NAT] -> 216.241.167.YY [fib 0/default]
jail: 216.241.167.XX -> gateway = 216.241.167.1 [jail started on fib 1]

fib0: gateway = 172.xxx.1 [host]
fib1: gateway = 216.241.167.1 [jail]

With the jail on fib 1, and a different gateway vs. the host system itself,
'synproxy' does not work.

With rtable, I'm still NOT able to connect to the jail from outside:

pass in log quick proto tcp from any to any port = ssh synproxy state rtable 1

[/sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf]

If I remove 'synproxy state' and put in 'keep state' it works.

FreeBSD stable/8

]Peter[