From owner-freebsd-pf@freebsd.org  Sat Mar  4 05:49:56 2017
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 30DF7CF85A3
 for <freebsd-pf@mailman.ysv.freebsd.org>; Sat,  4 Mar 2017 05:49:56 +0000 (UTC)
 (envelope-from dave.mehler@gmail.com)
Received: from mail-wr0-x22c.google.com (mail-wr0-x22c.google.com
 [IPv6:2a00:1450:400c:c0c::22c])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id C7095107E
 for <freebsd-pf@freebsd.org>; Sat,  4 Mar 2017 05:49:55 +0000 (UTC)
 (envelope-from dave.mehler@gmail.com)
Received: by mail-wr0-x22c.google.com with SMTP id u108so85773036wrb.3
 for <freebsd-pf@freebsd.org>; Fri, 03 Mar 2017 21:49:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:from:date:message-id:subject:to
 :content-transfer-encoding;
 bh=1VPu6JbJhidPYY+ansVP1DYWx2Q4eBiahDOyCgaq4GQ=;
 b=J1GSwxt2EOhW8iads8T0prG/QYxHC4EC/FPz63JqdA1IFVnEgTSn0DJEaAY3xoCHI/
 S4HQHvBhFdK54YR1mMzGh5dTlYCbSO/paXqkxEdzYHyBSIdyAgaQLeC5AJqjrooib62V
 Nwfy8YctRFM3noF68BL3d/hlsAukKO94eaPYSagNRIqlwCqdeM4EkU1lNU0tq8AQEcjw
 iGgJZNCx0iOqNQdi/XUC1Cc947pU0Tst6TPr83G0qQYD0+dPqXJ6t12lfQl+5RMGxwGW
 fxMlBdMMpyKLsQyAjlzfPCd01iIuebAn1I9Ep3gr1FBpNslLcSkfwgi52pTZpEMZoHLp
 Q+Dg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to
 :content-transfer-encoding;
 bh=1VPu6JbJhidPYY+ansVP1DYWx2Q4eBiahDOyCgaq4GQ=;
 b=sOVILDykqxB+EIuXJlM73zSa9iBiJsj3uvvBGaA2NUaiEwC0Kmmni/qwyDCnFV+yEa
 5QittOr2Sd+QUTGmW1btMGJP+H4J7O9Vu7pT3JuypGAl1rmawVpUvOos2gnknQgI7KSj
 Hqi7fFHuKRtm83f0VSJCn3j6yk79glfyDlLr9o+PaGudfpbGgGuQZOrmStDD0iQdbhk2
 9L6C1urMMRAnCslxSbGE0vX/cuRX+krMmId7dP9eT6UfMxAqnaHfKtmSMObmm2X0o+9I
 S2MimWvH9WYnj2Exi4Wo4BtuDy/T4CvxSxLArfBW/kp21HGDMehMwYsIHn5QkS9YmF6q
 0GaA==
X-Gm-Message-State: AMke39nyn5c6xTEsYy+nURfW/ez0dV6HmhRiS+VQ85iyh3cM4CnsOuqN1WEZ5ftAbYprUhjg/CzzC9qdZ4m60g==
X-Received: by 10.223.156.2 with SMTP id f2mr6349037wrc.4.1488606593275; Fri,
 03 Mar 2017 21:49:53 -0800 (PST)
MIME-Version: 1.0
Received: by 10.223.148.35 with HTTP; Fri, 3 Mar 2017 21:49:52 -0800 (PST)
From: David Mehler <dave.mehler@gmail.com>
Date: Sat, 4 Mar 2017 00:49:52 -0500
Message-ID: <CAPORhP7T+dsBhWNpB8-eEKqSZvDsbKk34H+djDsLCSfSU3dF7g@mail.gmail.com>
Subject: pf rules sanity check
To: freebsd-pf <freebsd-pf@freebsd.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Mar 2017 05:49:56 -0000

Hello,

Can someone take a look at these rules and let me know where I'm going wron=
g?

I'm running a 10.3 system that was working great, but now I've added
some jails to it and am noticing two behaviors.

The first is that whenever I bring up a new jail and it gets an ip
address I have to do a pfctl -f pf.conf in order to get that new host
out to the internet, otherwise it just sits there.

Secondly and more urgent is that while traffic outbound from both the
host and the jails is passing fine, (the jail traffic is natted), the
reverse is not true. Traffic can come in from the host, but if I try
to get traffic through to the jail just hangs finally timing out.

Thanks.
Dave.

pf.conf:
ext_if=3D"vtnet0"
int_if =3D "lo1"
jailnet =3D $int_if:network
icmp_types=3D"echoreq"
icmp6_types=3D"{ 2, 128 }" # packet too big, echo request (ping6)
# Neighbor Discovery Protocol (NDP) (types 133-137):
#   Router Solicitation (RS), Router Advertisement (RA)
#   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
#   Route Redirection
icmp6_types_ext_if=3D"{ 128, 133, 134, 135, 136, 137 }"
synstate =3D"flags S/SA synproxy state"
tcpstate =3D"flags S/SA modulate state"
udpstate =3D"keep state"

webmail=3D"192.168.52.22"

tcp_services=3D"{bootpc, bootps, ftp-data, ftp, ssh, domain, smtp, http,
https, imap, imaps, 3690, 7, 2703, 587, 8080}"
udp_services=3D"{bootpc, bootps, domain, ntp, 3690, 6277, 24441}"

set block-policy return
set skip on lo0

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behi=
nd
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp
fragment reassemble

# NAT
nat on $ext_if inet from $jailnet to any -> ($ext_if)

# Redirect any packets requesting port 8080 or 4430 to jailed webserver
rdr on $ext_if inet proto tcp from any to $ext_if port 8080 ->
$webmail port 8080
#rdr pass on $ext_if inet proto tcp to port 8080 -> $webmail port http
#rdr pass on $ext_if inet proto tcp to port 4430 -> $webmail port https

table <bruteforce> persist file "/etc/pf/bruteforce"
table <fail2ban> persist file "/etc/pf/fail2ban"

pass quick on lo0 all

# Block by default
block all

# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>

# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>

# Pass out only the desired ports from host and jails
pass quick proto tcp from {self} to port $tcp_services keep state
(max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush
global)
pass quick proto tcp from $jailnet to port $tcp_services keep state
(max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush
global)
pass quick proto {tcp, udp} from {self} to port $udp_services keep state
pass quick proto {tcp, udp} from $jailnet to port $udp_services keep state

# allow ping
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
  # =E2=80=9Dbase+nhops*nqueries-1=E2=80=9D (33434+64*3-1)
pass inet proto udp to port 33433:33626 # For IPv4

# allow https traffic out from the jails
pass out proto tcp from $jailnet port https to any keep state

 # Allow ssh connections in from the internet
pass in proto tcp from any to $ext_if port ssh keep state

# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 keep state

# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 keep state

# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 keep state

# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 keep state

# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 keep state

# Pass in port 8080 to the jailed web server
pass in inet proto tcp to $webmail port 80 keep state

# IPv6
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep st=
ate
pass quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if ),
ff02::/16 } icmp6-type $icmp6_types_ext_if keep state