From: "Littlefield, Tyler" <tyler@tysdomain.com>
Reply-To: tyler@tysdomain.com
To: krad
Cc: FreeBSD Questions
Subject: Re: question re: PF and forwarding
Date: Tue, 29 Mar 2016 11:39:57 -0400
Message-ID: <56FAA1CD.4070808@tysdomain.com>
References: <56F992AA.7070409@tysdomain.com>
List-Id: User questions

On 3/29/2016 4:59 AM, krad wrote:
> What network topology are the jails' NICs on? I presume it's not vnet,
> as that doesn't play well with PF. Your rules hint at the jails being
> on loopback. If so, can you put them on a separate IP on your subnet?
> pf can still filter them fine there, and you will find the ruleset a
> bit easier to manage. If those 192 addresses aren't on loopback and
> are on the same subnet as the host's IP on igb0, why are you NATing
> them? This will probably cause issues.

I have tried with them as aliases on igb0 (my subnet for external is
10.21.96.0/24 and my jails subnet is 192.168.0.1/24). This should work
fine. I also have put them on loopback, just for giggles, to see if they
would still forward. I can connect through just fine (from
jail->host->outside), but I cannot connect to port 445/etc on the host.
I have gateway enabled in rc.conf, and IPv4 and IPv6 (although not
relevant) have forwarding enabled via sysctl. I'm unclear as to why the
ports would not be forwarded through from host->jail and not really sure
how to test that.

Thanks,

> On 28 March 2016 at 21:23, Littlefield, Tyler wrote:
>
>> All, sorry for the multiple emails recently. I'm working to get my
>> server set up here so I can begin doing some dev on bhyve once that
>> is all finalized. I am jailing my services like minidlna, samba and
>> unbound and am using PF to forward those. For whatever reason I do
>> not see the ports I specify as open ports, but the individual
>> addresses show them when I connect from within my server. For
>> example, I can telnet 192.168.0.2 445 and that works fine in terms
>> of establishing a connection. I was hoping that someone might see
>> any connection here. Here is my pf.conf.
>>
>> ***
>> # macros
>> if="igb0"
>> addr="10.21.96.128"
>> samba_addr="192.168.0.2"
>> dlna_addr="192.168.0.3"
>> unbound_addr="192.168.0.4"
>> tcp_services="{ ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds }"
>> udp_services="{ 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds }"
>>
>> # options and normalization
>> set skip on lo
>> set loginterface $if
>> scrub in all
>>
>> # allow jails through: NAT outbound jail traffic to the host address
>> nat on $if inet from $samba_addr to any tag jail_samba -> $addr
>> nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
>> nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
>>
>> # port forward to jails (rdr pass: redirected packets skip the filter rules)
>> # unbound
>> rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
>> rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
>> # samba
>> rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
>> rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
>> rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
>> rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
>> rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
>> rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
>> rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
>> rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
>>
>> # filter rules (last matching rule wins unless marked quick)
>> pass quick on lo1
>> pass from igb0:network to any keep state
>>
>> # default policy: deny
>> antispoof quick for { $if lo }
>> block in all
>> # accept TCP and UDP service ports
>> pass in on $if proto tcp from any to any port $tcp_services
>> pass in on $if proto udp from any to any port $udp_services
>> ***
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to
>> "freebsd-questions-unsubscribe@freebsd.org"

-- 
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc
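Added example, not part of the thread above and not Tyler's configuration: a pf.conf that keeps the posted interface, addresses and ports but adds a loopback redirect. The assumption it illustrates is that a connection made on the host itself to 10.21.96.128:445 never matches "rdr on igb0", because locally generated packets to a local address are delivered over lo0, and "set skip on lo" keeps pf from seeing them at all. The jail network 192.168.0.0/24 and the choice to consolidate the three nat rules (dropping the unused tags) are assumptions as well.

```pf
# Example pf.conf (added illustration; assumes jails are igb0 aliases
# in 192.168.0.0/24 and that host-to-own-address traffic traverses lo0).
if="igb0"
addr="10.21.96.128"
samba_addr="192.168.0.2"
dlna_addr="192.168.0.3"
unbound_addr="192.168.0.4"
jail_net="192.168.0.0/24"
samba_ports="{ 137 138 139 445 }"

# lo0 is deliberately NOT skipped: pf must see loopback traffic for the
# "rdr on lo0" rules below to apply.
set loginterface $if
scrub in all

# Outbound NAT for jail traffic leaving the box (replaces the three
# per-jail nat rules; the tags were not referenced by any filter rule).
nat on $if inet from $jail_net to any -> $addr

# Redirects for packets arriving on igb0 (clients elsewhere on the LAN).
rdr on $if inet proto { tcp udp } from any to $addr port 53 -> $unbound_addr
rdr on $if inet proto { tcp udp } from any to $addr port $samba_ports -> $samba_addr

# Redirects for connections the host itself makes to its own address:
# those packets appear on lo0, not on igb0, so a separate rdr is needed.
rdr on lo0 inet proto { tcp udp } from any to $addr port 53 -> $unbound_addr
rdr on lo0 inet proto { tcp udp } from any to $addr port $samba_ports -> $samba_addr

# Filter rules: last match wins unless "quick". Loopback is passed
# quick BEFORE antispoof, because antispoof for igb0 also blocks packets
# sourced from 10.21.96.128 on other interfaces, which includes lo0.
pass quick on lo0 all
antispoof quick for $if
block in all
pass out all keep state

# Without "pass" on the rdr, filtering happens after translation, so the
# pass rules must name the jail addresses, not the host address.
pass in on $if inet proto tcp from any to $addr port ssh keep state
pass in on $if inet proto { tcp udp } from any to $unbound_addr port 53 keep state
pass in on $if inet proto { tcp udp } from any to $samba_addr port $samba_ports keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, then confirm the expanded translation rules with "pfctl -sn" (both the igb0 and the lo0 rdr lines should appear). To test from the host, run "nc -vz 10.21.96.128 445" and watch "pfctl -ss" for a state whose destination has been rewritten to 192.168.0.2; to test the LAN path, repeat the nc from another machine on 10.21.96.0/24.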