Date: Sat, 21 Jan 2012 16:13:58 +0200
From: Виталий Владимирович <artemrts@ukr.net>
To: other@ahhyes.net
Cc: freebsd-jail@freebsd.org
Subject: Re: nat + pf, network weirdness
Message-ID: <22966.1327155238.9808034899287998464@ffe8.ukr.net>
In-Reply-To: <ccb513567c50edc1c35dbe53cc9ff804@ahhyes.net>
References: <ccb513567c50edc1c35dbe53cc9ff804@ahhyes.net>
--- Original message ---
From: other@ahhyes.net
To: freebsd-jail@freebsd.org
Date: 21 January 2012, 10:57:48
Subject: nat + pf, network weirdness

> Hi Guys,
>
> I am running 9.0-RELEASE on my VPS. I decided to jail a bunch of
> services that are public facing in an effort to improve security.
>
> Firstly a breakdown of how things are setup:
>
> srv# ifconfig
> pflog0: flags=0<> metric 0 mtu 33152
> pfsync0: flags=0<> metric 0 mtu 1500
>         syncpeer: 0.0.0.0 maxupd: 128
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 127.0.0.1 netmask 0xff000000
> xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=503<RXCSUM,TXCSUM,TSO4,LRO>
>         ether 00:16:3e:85:8a:12
>         inet 109.IP.IP.IP netmask 0xffffff00 broadcast 109.169.82.255
>         media: Ethernet manual
>         status: active
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 10.1.1.IP netmask 0xffffff00
>         inet 10.1.1.IP netmask 0xffffffff
>         inet 10.1.1.IP netmask 0xffffffff
>         inet 10.1.1.IP netmask 0xffffffff
>
> srv# jls
>    JID  IP Address      Hostname                      Path
>      1  10.1.1.IP       www.mydomain.net              /somepath/jails/www
>      2  10.1.1.IP       sql.mydomain.net              /somepath/jails/db
>      3  10.1.1.IP       ns.mydomain.net               /somepath/jails/ns
>      5  10.1.1.IP       mail.mydomain.net             /somepath/jails/mail
>
> Interface xn0 is my public facing interface, with my public IP.
>
> Everything appears to work as it should; I have a PF running on the
> host with a default deny all policy. I have the following NAT rule in my
> pf.conf:
>
> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>

You should use Packet Tagging (Policy Filtering). Something like this:

    nat on $ext_if tag WWW tagged WWW -> ($ext_if)
    nat on $ext_if tag SQL tagged SQL -> ($ext_if)
    ......
    block in
    block out
    pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW      <- mark traffic from jail to world
    .....
    pass out quick on $ext_if inet from ($ext_if) tagged WWW        <- dispatch only marked WWW

PF works very well in situations like this. With PF it is possible to divide LAN traffic and router traffic easily.
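The following pf.conf sketch is an added example of the tagging approach described in the reply above; it is not code from the thread. It keeps xn0 as the public interface from the original post, but the jail addresses 10.1.1.2 (www) and 10.1.1.3 (sql) are placeholders chosen for the example, and it attaches the tag in the nat rule itself (where the pre-translation jail source is still visible) rather than on lo1 as the reply does. The effect is the same: after translation every outbound packet on xn0 carries the host's address, and only the tag tells the filter rules which jail it came from, so each jail gets its own egress policy while the host's own untagged traffic is handled by a separate rule.

```conf
# Added example, not from the thread: per-jail egress policy with pf tags
# on FreeBSD 9 pf. Assumptions: xn0 is the public interface (from the
# original post); 10.1.1.2 (www) and 10.1.1.3 (sql) are placeholder jail
# addresses chosen for this example.
ext_if = "xn0"
www_ip = "10.1.1.2"
sql_ip = "10.1.1.3"

set skip on lo0

# Outbound on $ext_if, translation runs before filtering, so a filter rule
# there only sees ($ext_if) as the source and cannot tell the jails apart.
# Tagging inside the nat rule carries "which jail sent this" across the
# translation, where the filter rules below can act on it.
nat on $ext_if inet from $www_ip to any tag WWW -> ($ext_if)
nat on $ext_if inet from $sql_ip to any tag SQL -> ($ext_if)

# Default deny, logged to pflog0 so unexpected jail traffic is visible.
block log all

# Inbound rules for the host's own services (ssh etc.) would go here.

# www jail: may reach the world only for HTTP/HTTPS and DNS.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { 80, 443 } tagged WWW keep state
pass out quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 tagged WWW keep state
block out quick log on $ext_if tagged WWW

# sql jail: no outbound access at all; every attempt is logged.
block out quick log on $ext_if tagged SQL

# Whatever is still outbound on $ext_if is untagged, i.e. the host's own
# traffic, which gets its own (broader) rule separate from the jails.
pass out quick on $ext_if inet from ($ext_if) keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch the per-rule counters with `pfctl -vsr` and the logged drops with `tcpdump -n -e -ttt -i pflog0` to confirm that jail traffic is hitting the tagged rules rather than the host's catch-all pass rule.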
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?22966.1327155238.9808034899287998464>