Date:      Mon, 16 Aug 2021 16:54:17 -0500
From:      Valeri Galtsev <galtsev@kicp.uchicago.edu>
To:        freebsd-questions@freebsd.org
Subject:   Re: Jails: pf blocks access to localhost of host system
Message-ID:  <8a330aeb-fccf-f8bd-1154-15288e3f0a9d@kicp.uchicago.edu>
In-Reply-To: <d28be669-30d8-89b9-3035-899084d3c148@FreeBSD.org>
References:  <8f6aa4f4-f361-e6eb-985b-291b7be631e0@kicp.uchicago.edu> <d28be669-30d8-89b9-3035-899084d3c148@FreeBSD.org>



On 8/16/21 4:41 PM, Matthew Seaman wrote:
> On 16/08/2021 22:31, Valeri Galtsev wrote:
>> Dear Experts in pf and jails.
>>
>> I am a recent refugee to pf from ipfw, which I was happily using 
>> for a decade (why is a different story). I seem to be able to configure 
>> all I need with pf, except one thing, which is jail access to 
>> the localhost of the host system.
>>
>> I configure jails "by the book" (i.e. the FreeBSD handbook); I do not use 
>> any scripts facilitating the process, which is simple enough for me. My jail 
>> configuration is like the following:
>>
>> # cat /etc/jail.conf
>>
>> jailname {
>>      host.hostname = "hostname.domainname";
>>      ip4.addr = X.Y.Z.W; # address on public address space
>>      devfs_ruleset=7;  // integer number of devfsrules_jail_bpf ruleset
>>                        // in /etc/devfs.rules
>>      persist;        // Required because there are no processes
>>      exec.start = "/etc/rc.d/cron start; /etc/rc.d/syslogd start; 
>> /usr/local/etc/rc.d/apache24 start";
>>      exec.stop = "/usr/local/etc/rc.d/apache24 stop; /etc/rc.d/syslogd 
>> stop; /etc/rc.d/cron stop";
>> }
>>
>> As you see, there is no lo0 configured in the jail. (I do have lo0 
>> configured in jails on some machines, but I do not feel it is necessary 
>> in this case.) Now if a script from apache in that jail connects to port 25 
>> on localhost to send email, the connection goes to the postfix I run on the 
>> host system.
>>
>> While I was using ipfw, having the rule allowing all traffic on lo0 to 
>> pass (I figure) at the top of the rules did the trick. I can not achieve 
>> the same with pf. Searching on the web didn't help either.
>>
>> Here is my pf.conf, simplified to the necessary minimum for debugging:
>>
>>
>> # cat /etc/pf.conf
>> ##################### BEGIN
>> # macro name(s) for external interface(s).
>> ext_if = "bce0"
>> int_if = "bce1"
>>
>> services = "{ 80 443 3306 5432 9102 }"
>>
>> icmp_types = "{ echoreq unreach }"
>>
>> # set a default deny everything policy.
>> block all
>>
>> # Allow all traffic on trusted interfaces
>> pass quick from { lo0 $int_if } to any keep state
>>
>> # keep state on any outbound tcp, udp or icmp traffic.
>> # modulate the isn of
>> # outgoing packets. (initial sequence number) broken operating systems
>> # sometimes don’t randomize this number, making it guessable.
>> pass out on $ext_if proto { tcp, udp, icmp } from any to any \
>>      modulate state
>>
>> # set a rule that allows inbound ssh traffic
>> pass in on $ext_if proto tcp to port { 22 } \
>>      keep state
>>
>> # On workstation we will pass all outgoing traffic
>> pass out all keep state
>>
>> #  We pass what comes to our services (but DHCP taken care of above)
>> pass in on $ext_if proto { tcp udp } to port $services
>>
>> # and icmp types we want
>> pass inet proto icmp icmp-type $icmp_types
>>
>> ##################### END
>>
>>
>> If I am inside jail the command
>>
>> telnet localhost 25
>>
>> successfully connects to the postfix run on the host system. When I enable pf 
>> with the rules as above, a similar connection from inside the jail just hangs.
>>
>> I was assuming the rule:
>>
>> pass quick from { lo0 $int_if } to any keep state
>>
>> will do the trick, but no: the connection from inside the jail to the host 
>> system's localhost port 25 is blocked by pf.
>>
>>
>> Can someone give me any pointers for this particular case?
>>
>> Thanks a lot in advance for your pointers!
>>
>> Valeri
>>
>>
>> PS I know I can do the following and it will work: configure lo0 in the 
>> jail (splitting part of 127.0.0.0/8 away from the host to the guest/jail) and 
>> run postfix in the jail. But being able to tell pf what I want it to [not] 
>> do would be preferable.
>>
> 
> Try:
> 
> set skip on { lo0 $int_if }
>

Tried that (replaced what I had for lo0 with):

set skip on { lo0 $int_if }

Does not help: the connection from inside the jail to localhost:25 [on the host 
system] still hangs after I enable pf.

I figure, the order of statements in pf.conf shouldn't matter, right?

Thanks anyway. I have a feeling that _I_ do something gravely wrong, but...

Valeri

> (and delete any filtering rules on lo0 or $int_if)
> 
> which tells pf not to touch any packets traversing those interfaces.
> 
>      Cheers,
> 
>      Matthew
> 
> 

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
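An added diagnostic that is not part of the thread: the same ruleset with pf's `log` keyword on the default deny and `set skip` placed in the options section, together with the host-side commands that reveal which rule drops the jail's port 25 connection; the interface names and ports are those from Valeri's pf.conf, and the pflog interface is assumed to be enabled with `pflog_enable="YES"` in rc.conf.

```pf
# Same macros as the original pf.conf.
ext_if = "bce0"
int_if = "bce1"
services = "{ 80 443 3306 5432 9102 }"
icmp_types = "{ echoreq unreach }"

# Options such as "set skip" belong in the options section, before any
# filter rules; a "pass quick from lo0" filter rule is not needed then.
set skip on { lo0 $int_if }

# Default deny, but LOG every dropped packet so it shows up on pflog0
# (rc.conf: pflog_enable="YES").
block log all

pass out on $ext_if proto { tcp, udp, icmp } from any to any \
     modulate state
pass in on $ext_if proto tcp to port 22 keep state
pass in on $ext_if proto { tcp udp } to port $services
pass inet proto icmp icmp-type $icmp_types

# Load it, retry "telnet localhost 25" inside the jail, and watch on the host:
#   pfctl -f /etc/pf.conf
#   pfctl -vvsr                          # rules with their @N numbers
#   tcpdump -n -e -ttt -i pflog0 port 25 # dropped packets: rule number,
#                                        # direction, interface, addresses
# Check which interface and which addresses the logged packets carry.
# jail(8) maps 127.0.0.1 inside a jail that has no loopback address of its
# own to the jail's first IPv4 address, so the "localhost" connection may
# be leaving with X.Y.Z.W as source and destination rather than 127.0.0.1,
# and "from lo0" in a pf rule matches lo0's ADDRESSES, not packets on lo0.
```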


