From owner-freebsd-net@FreeBSD.ORG Sun Nov 30 23:46:22 2014
From: Sean Bruno
Reply-To: sbruno@freebsd.org
To: freebsd-net@freebsd.org
Date: Sun, 30 Nov 2014 15:46:13 -0800
Subject: pf(4) changes recently?
Message-ID: <547BAC45.4050706@ignoranthack.me>

I use pf and jails on a host to redirect port 80 to the correct jail. I only use one routable IP and have been running this configuration for over a year now. I run nginx in jailA (10.0.0.2) and have it capture port 80 requests and forward them to either jailB (10.0.0.3) or jailC (10.0.0.4) based on the hostname in the HTTP request.
Recently (in the last 3 months), pf has started blocking the ability of jailA to send these requests to the other two jails and I don't know why. My nginx config and pf.conf are unchanged. When I enter jailA and attempt to telnet to jailB port 80, I get rejected. So, I assume something is wrong with my current pf implementation.

pf.conf:
----------------------------------------------------------------------
# $ext_if is defined elsewhere in the file (not shown in this excerpt)
jailA_if = "lo1"
jailAnet = $jailA_if:network
jailB_if = "lo2"
jailBnet = $jailB_if:network
jailC_if = "lo3"
jailCnet = $jailC_if:network

jailA = "10.0.0.2"
jailB = "10.0.0.3"
jailC = "10.0.0.4"

# NAT: source-NAT each jail's loopback network to the external address
nat on $ext_if from $jailAnet to any -> ($ext_if)
nat on $ext_if from $jailBnet to any -> ($ext_if)
nat on $ext_if from $jailCnet to any -> ($ext_if)

# Redirect 80: inbound HTTP on the external interface goes to the nginx jail
rdr pass on $ext_if inet proto tcp to port http -> $jailA port http
----------------------------------------------------------------------
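The pf.conf excerpt above contains only nat and rdr rules and no block rule, so whatever rejects jailA's connections to jailB must come from a filter rule elsewhere in the ruleset. The standard way to find it is to put "log" on the block rule, read pflog with "tcpdump -n -e -ttt -i pflog0", and map the rule number tcpdump prints back to "pfctl -vvsr". The script below is an added example, not code from the original message or from FreeBSD: it runs that triage over constructed sample lines in the format those two commands print, so it works without a pf host. The "@0 block drop log all" rule, the em0 external interface and the 203.0.113.9 client in the samples are assumptions, not facts from the message; on a real host replace SAMPLE_PFLOG and SAMPLE_RULES with the live command output.

```shell
#!/bin/sh
# Added example, not from the original post: find which pf rule and interface
# drop traffic between two jail addresses, using pflog and pfctl output.
#
# On a live host the two inputs would be:
#   tcpdump -n -e -ttt -i pflog0   (needs a "block log" rule and pflog0 up)
#   pfctl -vvsr                    (filter rules with their @N numbers)
# The samples below are constructed for this example. The @0 "block drop log all"
# rule, em0 and the 203.0.113.9 client are assumptions, not from the message.

SAMPLE_PFLOG='00:00:00.000000 rule 0/0(match): block in on lo2: 10.0.0.2.41233 > 10.0.0.3.80: Flags [S], seq 1, win 65535, length 0
00:00:00.001000 rule 0/0(match): block in on lo2: 10.0.0.2.41233 > 10.0.0.3.80: Flags [S], seq 1, win 65535, length 0
00:00:00.002000 rule 3/0(match): pass in on em0: 203.0.113.9.51234 > 10.0.0.2.80: Flags [S], seq 1, win 65535, length 0
00:00:00.003000 rule 0/0(match): block in on lo3: 10.0.0.2.41234 > 10.0.0.4.80: Flags [S], seq 1, win 65535, length 0'

SAMPLE_RULES='@0 block drop log all
  [ Evaluations: 120       Packets: 3         Bytes: 180         States: 0     ]
@1 pass out all flags S/SA keep state
  [ Evaluations: 50        Packets: 40        Bytes: 4000        States: 2     ]
@2 pass in on em0 inet proto tcp from any to 10.0.0.2 port = http flags S/SA keep state
  [ Evaluations: 10        Packets: 8         Bytes: 640         States: 1     ]'

# blocked_flows SRC DST
# Prints one line per (rule, interface, destination port) that blocked SRC -> DST,
# with the packet count, e.g. "rule 0 on lo2 to port 80: 2".
blocked_flows() {
    printf '%s\n' "$SAMPLE_PFLOG" | awk -v src="$1" -v dst="$2" '
        $2 == "rule" && $4 == "block" {
            rule = $3;  sub("/.*", "", rule)            # "0/0(match):"    -> "0"
            ifc  = $7;  sub(/:$/, "", ifc)              # "lo2:"           -> "lo2"
            s    = $8;  sub(/\.[0-9]+$/, "", s)         # "10.0.0.2.41233" -> "10.0.0.2"
            d    = $10; sub(/\.[0-9]+:$/, "", d)        # "10.0.0.3.80:"   -> "10.0.0.3"
            port = $10; sub(/:$/, "", port); sub(/.*\./, "", port)   # -> "80"
            if (s == src && d == dst)
                n["rule " rule " on " ifc " to port " port]++
        }
        END { for (k in n) print k ": " n[k] }' | sort
}

# rule_text N
# Prints the text of filter rule @N from pfctl -vvsr output, so a rule number seen
# in pflog can be mapped back to the pf.conf line that created it.
rule_text() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v want="@$1" '$1 == want { $1 = ""; sub(/^ /, ""); print }'
}

# Triage for the case in the message: jailA (10.0.0.2) cannot reach jailB (10.0.0.3).
blocked_flows 10.0.0.2 10.0.0.3
rule_text 0
```

With the constructed input the first call reports "rule 0 on lo2 to port 80: 2" and the second prints "block drop log all": the drop happens on jailB's loopback interface lo2, at the default block rule, which is exactly the case where a "pass" for the lo1/lo2/lo3 jail interfaces (or "set skip on" them) would have to appear before the block. On a live system that rule number is whatever your ruleset yields, not 0.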