Date: Wed, 26 Feb 2020 10:31:59 +0000
From: kaycee gb <kisscoolandthegangbang@hotmail.fr>
To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: Re: usage of rdr and pass validation
Message-ID: <VE1PR03MB5629241E3A50263429C448DCA0EA0@VE1PR03MB5629.eurprd03.prod.outlook.com>
In-Reply-To: <ca4a54cb0a0cf7f7fda8ca5243975e2c@udns.ultimatedns.net>
References: <VE1PR03MB562975D8603E19240682F41FA0ED0@VE1PR03MB5629.eurprd03.prod.outlook.com> <ca4a54cb0a0cf7f7fda8ca5243975e2c@udns.ultimatedns.net>
On Tue, 25 Feb 2020 13:43:50 -0800, Chris <bsd-lists@BSDforge.com> wrote:
> On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb kisscoolandthegangbang@hotmail.fr said
>
> > Hi,
> >
> > First, sorry, English is not my native language. I will try to be as precise
> > as possible.
> >
> > And also I am not sure it is only pf related. Let me know in this case
> > please. Maybe it would be for net and jail too.
> >
> > So, I have two cases, maybe related.
> >
> > First one is for using an rdr translation rule.
> > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to join
> > one service from the outside. Using one rdr rule like this one, all seems to
> > work fine. I have access to the service.
> >
> > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> >
> > But in case I want to apply some options to this, I have to split it in 3.
> > This is the relevant part of my config that makes it work:
> >
> > > # Emulate skip on lo0
> > > pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> > > # jail internal comms
> > > pass quick on lo0 from $j_one to $j_one
> > >
> > > # other traffic ( do not know yet why it is necessary and why no interface
> > > # specified is mandatory )
> > > pass in quick proto tcp from any to $j_one port 443
> > >
> > > # block all on lo0
> > > block log quick on lo0
> > >
> > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > pass in quick on $ext_if proto tcp from any to $j_one port 443
> >
> > See the two lines at the end, which are the first two parts. The third part
> > is the line after the "other traffic" comment. After a lot of trial and error,
> > this line has to be written like that. I cannot add "on lo0" on this line or
> > the service is not reachable.
> >
> > I have been using jails for some time now and remember having jail traffic
> > bound to lo0 before, even when in my configuration jails have another
> > interface defined (generally a bridge).
> >
> > So I would like to know why it isn't possible to limit this rule more? I
> > tried all other interfaces present in my system, and that does not work
> > either. Using tcpdump, I can't see the traffic related to this service on any
> > interface except the external one. It's a little bit strange for me.
> >
> > Finally, I will write another mail for the other case.
>
> FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> when I attempt these sort of things. As it seems to simplify things in my
> head.
> For example, rc.conf
> cloned_interfaces="lo1 lo2"
> ifconfig_lo1="inet 127.0.0.2"
> ifconfig_lo2="inet 127.0.0.3"

IIRC, lo1 lo2 ... like bridges bridge0 bridge1 are just "virtual interfaces"
that help with the jail configuration file. Jail traffic is in reality going
through lo0.

When I started using jails, I was using lo1 lo2 ... too, but after trying one
time or two with bridge interfaces, I decided to stay with bridges; in my head it
was more like a switch for jails, and that worked in the same way. Just a
matter of preference.

>
> This allows me to treat them as any other NIC. I route as necessary to my
> NIC to the outside world; pf.conf(5):
> EXT_ADDR="ou.ts.ide.ip"
> # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> table <trusted> persist file "/etc/TRUSTED"
>
>
> set skip on { lo0, lo1, lo2 }

You could just write set skip on lo0, that would have the same effect. I
emulate this for host traffic because I filter inter-jail communications.

>
> # this only represents the rule(s) for lo1 but should be helpful for
> # additional rules on lo2 (or more)
> nat pass on re0 from { lo1 } to any -> $EXT_ADDR

Funny how you write this one. Maybe I'm used to splitting it in nat and pass as
a second rule. IIUC the doc, it's possible to write it like this.

> rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR

Funny for this one too. I suppose in this case re0 is the external interface.
Shouldn't $EXT_ADDR be replaced with the jail's address? Or maybe I'm missing
something?

>
>
> block in
> pass out
>
>

With pass in the rdr translation rule, like said above, that works. My question
was for when I use split rdr translation rules.

kaycee,

P.S. Resent because in the first mail I forgot the pf list.
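As an added example (not from this thread, and not a pf or pfctl feature): a small Python checker for the split-rule form discussed above. pf applies translation before filtering, which is why the split configuration quoted in the thread passes traffic `to $j_one port 443` (the translated destination) rather than `to $ext_if port 443`. The script reads a pf.conf-style text, expands simple macros, pairs each bare `rdr` rule (one without an inline `pass`) with a `pass in` rule whose protocol, destination and port admit the translated traffic, and reports rdr rules that nothing admits. The sample configuration is constructed from the rules quoted in the thread plus one deliberately orphaned rule; the macro values `re0` and `10.0.0.2` are made up.

```python
"""Offline consistency check for split pf rdr rules (added example).

pf translates (rdr) before it filters, so a filter rule meant to admit
redirected traffic must match the translated destination. A bare "rdr"
rule (no inline "pass") therefore needs a separate "pass in" rule whose
destination matches the rdr target. This script pairs the two and
reports orphaned rdr rules. It is a heuristic: interfaces, sources and
direction-less "pass" rules are ignored.
"""
import re

# Constructed sample: the split configuration from the thread, plus a
# one-rule "rdr pass" form and one deliberately orphaned rdr rule (8443).
SAMPLE_PF_CONF = """\
ext_if = "re0"
j_one = "10.0.0.2"

# Emulate skip on lo0
pass quick on lo0 from 127.0.0.1 to 127.0.0.1
# jail internal comms
pass quick on lo0 from $j_one to $j_one

# other traffic
pass in quick proto tcp from any to $j_one port 443

# block all on lo0
block log quick on lo0

rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
pass in quick on $ext_if proto tcp from any to $j_one port 443

# one-rule form: translation and filter in a single statement
rdr pass on $ext_if inet proto tcp from any to $ext_if port 80 -> $j_one port 80

# orphaned: translated, but no pass in rule admits the translated traffic
rdr on $ext_if inet proto tcp from any to $ext_if port 8443 -> $j_one port 8443
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"\s]+)"?$')


def expand(tok, macros):
    """Substitute a $macro reference with its value (unknown macros stay as-is)."""
    return macros.get(tok[1:], tok) if tok.startswith("$") else tok


def _field(toks, key):
    """Return the token following `key`, or None when absent."""
    if key not in toks:
        return None
    i = toks.index(key)
    return toks[i + 1] if i + 1 < len(toks) else None


def parse_rule(line, macros):
    """Parse an rdr or pass-in rule into kind/proto/destination; None otherwise."""
    toks = [expand(t, macros) for t in line.split()]
    if toks and toks[0] == "rdr" and "->" in toks:
        arrow = toks.index("->")
        target = toks[arrow + 1:]                      # translated destination
        return {"kind": "rdr", "line": line,
                "inline_pass": "pass" in toks[:arrow],
                "proto": _field(toks[:arrow], "proto"),
                "dst": (target[0], _field(target, "port"))}
    if toks[:2] == ["pass", "in"]:
        to = toks.index("to") if "to" in toks else len(toks)
        after = toks[to + 1:] or ["any"]
        return {"kind": "pass", "line": line,
                "proto": _field(toks[:to], "proto"),
                "dst": (after[0], _field(after, "port"))}
    return None


def parse_conf(text):
    """Strip comments, collect macros, and parse the rules we care about."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        rule = parse_rule(line, macros)
        if rule:
            rules.append(rule)
    return rules


def orphaned_rdr_rules(text):
    """Return bare rdr rules whose translated destination no pass-in rule admits."""
    rules = parse_conf(text)
    passes = [r for r in rules if r["kind"] == "pass"]
    orphans = []
    for r in rules:
        if r["kind"] != "rdr" or r["inline_pass"]:
            continue
        admitted = any(p["proto"] in (None, r["proto"])
                       and p["dst"][0] in ("any", r["dst"][0])
                       and p["dst"][1] in (None, r["dst"][1])
                       for p in passes)
        if not admitted:
            orphans.append(r["line"])
    return orphans


if __name__ == "__main__":
    for rule in orphaned_rdr_rules(SAMPLE_PF_CONF):
        print("no pass in rule admits translated traffic for:", rule)
```

Run against the sample it reports only the port 8443 rule; the port 443 rule is matched by the `pass in` rules from the thread and the `rdr pass` rule needs no partner. The authoritative check of the file's syntax remains `pfctl -nf /etc/pf.conf`, which parses without loading.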