Date: Sat, 21 Jan 2012 16:13:58 +0200
From: Виталий Владимирович <artemrts@ukr.net>
To: other@ahhyes.net
Cc: freebsd-jail@freebsd.org
Subject: Re: nat + pf, network weirdness
Message-ID: <22966.1327155238.9808034899287998464@ffe8.ukr.net>
In-Reply-To: <ccb513567c50edc1c35dbe53cc9ff804@ahhyes.net>
--- Original message ---
From: other@ahhyes.net
To: freebsd-jail@freebsd.org
Date: 21 January 2012, 10:57:48
Subject: nat + pf, network weirdness

> Hi Guys,
>
> I am running 9.0-RELEASE on my VPS. I decided to jail a bunch of
> services that are public facing in an effort to improve security.
>
> Firstly a breakdown of how things are setup:
>
> srv# ifconfig
> pflog0: flags=0<> metric 0 mtu 33152
> pfsync0: flags=0<> metric 0 mtu 1500
>         syncpeer: 0.0.0.0 maxupd: 128
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 127.0.0.1 netmask 0xff000000
> xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=503<RXCSUM,TXCSUM,TSO4,LRO>
>         ether 00:16:3e:85:8a:12
>         inet 109.IP.IP.IP netmask 0xffffff00 broadcast 109.169.82.255
>         media: Ethernet manual
>         status: active
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 10.1.1.IP netmask 0xffffff00
>         inet 10.1.1.IP netmask 0xffffffff
>         inet 10.1.1.IP netmask 0xffffffff
>         inet 10.1.1.IP netmask 0xffffffff
>
> srv# jls
>    JID  IP Address      Hostname              Path
>      1  10.1.1.IP       www.mydomain.net      /somepath/jails/www
>      2  10.1.1.IP       sql.mydomain.net      /somepath/jails/db
>      3  10.1.1.IP       ns.mydomain.net       /somepath/jails/ns
>      5  10.1.1.IP       mail.mydomain.net     /somepath/jails/mail
>
> Interface xn0 is my public facing interface, with my public IP.
>
> Everything appears to work as it should; I have PF running on the
> host with a default deny all policy. I have the following NAT rule in my
> pf.conf:
>
> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>

You should use Packet Tagging (Policy Filtering). Something like this:

nat on $ext_if tag WWW tagged WWW -> ($ext_if)
nat on $ext_if tag SQL tagged SQL -> ($ext_if)
......
block in
block out
pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW        <- mark traffic from jail to world
.....
pass out quick on $ext_if inet from ($ext_if) tagged WWW           <- dispatch only marked WWW

PF is very good in situations like this. With PF it is possible to divide LAN traffic and router traffic easily.
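As an added example (not the responder's or the original poster's configuration), a pf.conf fragment built on the same idea for the four jails listed in the thread: each jail gets its own tag, only tagged traffic is translated and passed, and a jail with no nat rule (sql here) cannot reach the Internet at all. It differs from the reply in setting the tag inside the nat rule itself, because on the outbound path pf translates before it filters, so the filter rules are guaranteed to see the tag; the jail addresses and the per-jail port lists are assumptions.

```pf
# Added example, not from the thread. Interface name as in the poster's
# ifconfig; the jail addresses are assumed stand-ins for the masked 10.1.1.IP
# values shown in jls.
ext_if  = "xn0"
www_ip  = "10.1.1.10"   # assumed: www jail
sql_ip  = "10.1.1.11"   # assumed: sql jail, must never reach the Internet
ns_ip   = "10.1.1.12"   # assumed: ns jail
mail_ip = "10.1.1.13"   # assumed: mail jail

# Translation runs before filtering for outbound packets, so a tag set here
# is visible to every filter rule below. There is deliberately no nat rule
# for $sql_ip: its packets stay untranslated and fall into "block out".
nat on $ext_if from $www_ip  to any tag WWW  -> ($ext_if)
nat on $ext_if from $ns_ip   to any tag NS   -> ($ext_if)
nat on $ext_if from $mail_ip to any tag MAIL -> ($ext_if)

# Loopback stays unfiltered; everything else is denied by default, logged.
set skip on lo0
block in  log all
block out log all

# Per-jail egress. Each tag may use only what its pass rule lists (the port
# lists are assumptions for illustration); anything else a tagged jail sends
# is logged and dropped before it can reach the host rule at the bottom.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { 80, 443 } tagged WWW
pass out quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 tagged NS
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port 25 tagged MAIL
block out log quick on $ext_if from any to any tagged WWW
block out log quick on $ext_if from any to any tagged NS
block out log quick on $ext_if from any to any tagged MAIL

# What remains on $ext_if carries no tag, i.e. the host's own traffic.
pass out quick on $ext_if inet from ($ext_if) to any
```

Drops from a misbehaving jail show up in pflog with the blocking rule number, so `tcpdump -n -e -ttt -i pflog0` tells you which jail tried to leave and where; check the ruleset with `pfctl -nf /etc/pf.conf` before loading it.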
