From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Jails: pf blocks access to localhost of host system
Date: Mon, 16 Aug 2021 22:41:21 +0100
In-Reply-To: <8f6aa4f4-f361-e6eb-985b-291b7be631e0@kicp.uchicago.edu>

On 16/08/2021 22:31, Valeri Galtsev wrote:
> Dear Experts in pf and jails.
>
> I am a recent refugee to pf from ipfw, which I was happily using for a
> decade (why is a different story). I seem to be able to configure all I
> need from pf, except one thing, which is jail access to localhost of the
> host system.
>
> I configure jails "by the book" (i.e. the FreeBSD handbook); I do not use
> any scripts to facilitate a process that is simple enough for me. My jail
> configuration is like the following:
>
> # cat /etc/jail.conf
>
> jailname {
>     host.hostname = "hostname.domainname";
>     ip4.addr = X.Y.Z.W;   # address in public address space
>     devfs_ruleset = 7;    // integer number of the devfsrules_jail_bpf ruleset
>                           // in /etc/devfs.rules
>     persist;              // Required because there are no processes
>     exec.start = "/etc/rc.d/cron start; /etc/rc.d/syslogd start;
>                   /usr/local/etc/rc.d/apache24 start";
>     exec.stop = "/usr/local/etc/rc.d/apache24 stop; /etc/rc.d/syslogd stop;
>                  /etc/rc.d/cron stop";
> }
>
> As you see, there is no lo0 configured in the jail. (I do have lo0
> configured in jails on some machines, but I do not feel it is necessary in
> this case.) Now if a script from apache in that jail connects to port 25 on
> localhost to send email, the connection goes to the postfix I run on the
> host system.
>
> While I was using ipfw, having the rule allowing all traffic on lo0 to
> pass (I figure) at the top of the rules did the trick. I cannot achieve
> the same with pf. Searching on the web didn't help either.
>
> Here is my pf.conf, simplified to the necessary minimum for debugging:
>
> # cat /etc/pf.conf
> ##################### BEGIN
> # macro name(s) for external interface(s).
> ext_if = "bce0"
> int_if = "bce1"
>
> services = "{ 80 443 3306 5432 9102 }"
>
> icmp_types = "{ echoreq unreach }"
>
> # set a default deny everything policy.
> block all
>
> # Allow all traffic on trusted interfaces
> pass quick from { lo0 $int_if } to any keep state
>
> # keep state on any outbound tcp, udp or icmp traffic.
> # modulate the isn (initial sequence number) of outgoing packets.
> # broken operating systems sometimes don't randomize this number,
> # making it guessable.
> pass out on $ext_if proto { tcp, udp, icmp } from any to any \
>     modulate state
>
> # set a rule that allows inbound ssh traffic
> pass in on $ext_if proto tcp to port { 22 } \
>     keep state
>
> # On a workstation we will pass all outgoing traffic
> pass out all keep state
>
> # We pass what comes to our services (but DHCP is taken care of above)
> pass in on $ext_if proto { tcp udp } to port $services
>
> # and icmp types we want
> pass inet proto icmp icmp-type $icmp_types
>
> ##################### END
>
>
> If I am inside the jail, the command
>
> telnet localhost 25
>
> successfully connects to the postfix run on the host system. When I
> enable pf with the rules as above, a similar connection from inside the
> jail just hangs.
>
> I was assuming the rule:
>
> pass quick from { lo0 $int_if } to any keep state
>
> will do the trick, but no, the connection from inside the jail to the
> host system's localhost port 25 is blocked by pf.
>
>
> Can someone give me any pointers for this particular case?
>
> Thanks a lot in advance for your pointers!
>
> Valeri
>
>
> PS I know I can do the following and it will work: configure lo0 in the
> jail (splitting part of 127.0.0.0/8 away from the host to the guest/jail)
> and run postfix in the jail. But being able to tell pf what I want it to
> [not] do would be preferable.
>

Try:

    set skip on { lo0 $int_if }

(and delete any filtering rules on lo0 or $int_if), which tells pf not to
touch any packets traversing those interfaces.
Cheers,

Matthew
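The ruleset below is an added example, not text from either message in the thread: it is Valeri's simplified pf.conf with Matthew's `set skip` suggestion applied, and the original `pass quick from { lo0 $int_if }` line left in as a comment to show why it never matched. The interface names bce0/bce1, the service list and the X.Y.Z.W jail address are taken from the post; the comments about address expansion and jail loopback mapping are my explanation, not Matthew's.

```pf
# Added example (not from the thread): the poster's pf.conf with
# "set skip on" in place of the lo0 pass rule. Interface names and the
# X.Y.Z.W placeholder are the poster's own.
ext_if = "bce0"
int_if = "bce1"

services   = "{ 80 443 3306 5432 9102 }"
icmp_types = "{ echoreq unreach }"

# Interfaces pf leaves completely unfiltered. Packets between a jail
# address and a host address are both local, so the kernel delivers them
# over lo0; skipping lo0 passes them whatever source/destination they carry.
set skip on { lo0 $int_if }

# Default deny for everything that is not skipped above.
block all

# The original rule, kept here as a comment. In a "from" position an
# interface name expands to that interface's ADDRESSES at load time
# (127.0.0.1 and ::1 for lo0, bce1's addresses for $int_if), not to
# "packets seen on that interface". A jail without its own lo0 has
# 127.0.0.1 mapped to its ip4.addr, so "telnet localhost 25" inside the
# jail leaves with source X.Y.Z.W and never matches this rule.
# The interface form would be "pass quick on lo0", not "from lo0".
# pass quick from { lo0 $int_if } to any keep state

pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass in  on $ext_if proto tcp to port 22 keep state
pass in  on $ext_if proto { tcp udp } to port $services
pass inet proto icmp icmp-type $icmp_types
```

One consequence worth knowing before copying this: `set skip on lo0` removes lo0 from pf entirely, so any host-local service that pf was previously keeping the jail away from becomes reachable from the jail on that path; if some jail-to-host ports should stay closed, bind those services to specific addresses or use `pass quick on lo0` with explicit `to port` restrictions instead of skipping the interface. Load and check the result with `pfctl -nf /etc/pf.conf` before `pfctl -f /etc/pf.conf`.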