From owner-freebsd-questions@freebsd.org Wed Mar 30 02:57:00 2016
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A7D81ADFF0A for ; Wed, 30 Mar 2016 02:57:00 +0000 (UTC) (envelope-from tyler@tysdomain.com)
Received: from tds-solutions.net (tds-solutions.net [174.136.96.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 95539195B for ; Wed, 30 Mar 2016 02:57:00 +0000 (UTC) (envelope-from tyler@tysdomain.com)
Received: from tds-solutions.net (localhost [127.0.0.1]) by tds-solutions.net (Postfix) with ESMTP id B5BA2208783D; Tue, 29 Mar 2016 22:56:54 -0400 (EDT)
X-Virus-Scanned: amavisd-new at tds-solutions.net
Received: from tds-solutions.net ([127.0.0.1]) by tds-solutions.net (tds-solutions.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id SuSVdXXfG7wB; Tue, 29 Mar 2016 22:56:54 -0400 (EDT)
Received: from [10.21.96.50] (c-24-147-10-153.hsd1.ma.comcast.net [24.147.10.153]) (Authenticated sender: sorressean) by tds-solutions.net (Postfix) with ESMTPSA id C98A8208779C; Tue, 29 Mar 2016 22:56:53 -0400 (EDT)
Reply-To: tyler@tysdomain.com
Subject: Re: question re: PF and forwarding
References: <56F992AA.7070409@tysdomain.com>
To: krad
Cc: FreeBSD Questions
From: "Littlefield, Tyler"
Message-ID: <56FB4076.3040501@tysdomain.com>
Date: Tue, 29 Mar 2016 22:56:54 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.1
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 30 Mar 2016 02:57:00 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A bit more info:

I've tried a bunch of different configurations and still can't get this to forward through. When I use tcpdump to debug, I get:

client->syn
server->syn
client->ack
*hang*

From there nothing actually happens. If anyone has any other info I'd really appreciate it. I'm not sure where to go from here or how to troubleshoot further.

Thanks,

On 3/29/2016 4:59 AM, krad wrote:
> What network topology are the jails' NICs on? I presume it's not vnet,
> as that doesn't play well with PF. Your rules hint at the jails being
> on loopback. If so, can you put them on a separate IP on your subnet?
> PF can still filter them fine there, and you will find the ruleset a
> bit easier to manage. If those 192 addresses aren't on loopback and
> are on the same subnet as the host's IP on igb0, why are you NATing
> them? This will probably cause issues.
>
>
> On 28 March 2016 at 21:23, Littlefield, Tyler wrote:
>
> All, sorry for the multiple emails recently. I'm working to get my
> server set up here so I can begin doing some dev on bhyve once that
> is all finalized. I am jailing my services like minidlna, samba and
> unbound and am using PF to forward those. For whatever reason I do
> not see the ports I specify as open ports, but the individual
> addresses show them when I connect from within my server. For
> example, I can telnet 192.168.0.2 445 and that works fine in terms
> of establishing a connection. I was hoping that someone might see
> any connection here. Here is my pf.conf.
>
> ***
> if="igb0"
> addr="10.21.96.128"
> samba_addr="192.168.0.2"
> dlna_addr="192.168.0.3"
> unbound_addr="192.168.0.4"
> tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
>
> set skip on lo
> set loginterface $if
> scrub in all
>
> #allow jails through
> nat on $if inet from $samba_addr to any tag jail_samba -> $addr
> nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
> nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
> #portforward to jails.
> #unbound
> rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
> rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
> #samba
> rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
> rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
>
> #rules
> pass quick on lo1
> pass from igb0:network to any keep state
>
> #default policy: deny
> antispoof quick for { $if lo }
> block in all
> #accept TCP ports.
> pass in on $if proto tcp from any to any port $tcp_services
> pass in on $if proto udp from any to any port $udp_services
> ***
>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>

-- 
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJW+0B2AAoJEAdP60+BYxejJ0YH/0YTGHQD4UVaAausYfXxNXRQ
cIjsNKqxco/v+EhmbfS51xKIe27yFouyuuREsZvztkks9QnAJ2X3/kYBLsNGfRsy
tGe0I23Pe56DYOQqnB2+AmonpyL9Nay0DOACpvZR2eWSEn78NKENtffA7o8E+Swo
J/NF4/yiU/mVw6+h9qqekT9mMz1aqykdKJtPWGHvR2QYRBPdrQymaNg6rlFACtl8
XPrOIJD0PCyZXgCBg2S5hLCDGPaqDcHUbA1Bw8noIAQvIYrH8eBwPZ2hihKfD8On
1eouqzD2jpneCUVQUKAm3nfax25b54Itn6VSlrOyOXPtaZsny+DnuzSgbJw52ck=
=mXEX
-----END PGP SIGNATURE-----
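The tcpdump trace in the message above stops at a particular stage of the TCP exchange (SYN, SYN-ACK, ACK, then nothing), and which stage a redirected flow dies at narrows what to check in a PF rdr/nat setup like the one posted. The script below is an added example, not code from the thread, from FreeBSD or from PF: it parses `tcpdump -n` output, groups segments into flows by the client's bare SYN, and names the stage at which each flow stalls, with a next check per stage. The capture lines are constructed for the example (they reuse the addresses from the posted pf.conf and assume the capture was taken with `-n`); the first flow reproduces the reported symptom, a completed handshake followed by the client's first payload being retransmitted unanswered, and the second flow shows a different stage, a SYN that draws no SYN-ACK at all. The commands named in the hints (`pfctl -vvsn`, `pfctl -ss`, `sockstat -4l`, a capture on pflog0) are standard FreeBSD tools; they are suggested checks, not a diagnosis of the poster's box.

```python
import re

# One line of `tcpdump -n` output for a TCP segment (numeric host.port endpoints).
# Assumption: the capture was taken with -n; the layout is tcpdump's own.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*, length (?P<length>\d+)$"
)

# Constructed capture, not from the thread.  The 445 flow reproduces the reported
# symptom (SYN, SYN-ACK, ACK, then the client's first payload retransmitted with
# no reply); the 53 flow stops earlier (SYN never answered).
SAMPLE_CAPTURE = """\
22:56:01.000100 IP 10.21.96.50.51234 > 10.21.96.128.445: Flags [S], seq 100, win 65535, options [mss 1460,sackOK], length 0
22:56:01.000200 IP 10.21.96.128.445 > 10.21.96.50.51234: Flags [S.], seq 5000, ack 101, win 65535, options [mss 1460], length 0
22:56:01.000300 IP 10.21.96.50.51234 > 10.21.96.128.445: Flags [.], ack 1, win 2048, length 0
22:56:01.000400 IP 10.21.96.50.51234 > 10.21.96.128.445: Flags [P.], seq 1:73, ack 1, win 2048, length 72
22:56:02.200400 IP 10.21.96.50.51234 > 10.21.96.128.445: Flags [P.], seq 1:73, ack 1, win 2048, length 72
22:56:04.600400 IP 10.21.96.50.51234 > 10.21.96.128.445: Flags [P.], seq 1:73, ack 1, win 2048, length 72
22:56:05.000100 IP 10.21.96.50.51300 > 10.21.96.128.53: Flags [S], seq 7, win 65535, options [mss 1460], length 0
22:56:06.000100 IP 10.21.96.50.51300 > 10.21.96.128.53: Flags [S], seq 7, win 65535, options [mss 1460], length 0
"""

# What each stall stage implicates for an rdr-to-jail setup, and what to run next.
HINTS = {
    "no SYN-ACK": "the SYN drew no reply on this interface: confirm the rdr rule is "
                  "matching (pfctl -vvsn shows per-rule counters) and that the jail "
                  "really listens on the redirect target (sockstat -4l inside the jail)",
    "no handshake ACK": "the SYN-ACK went out but the client ignored it: capture on the "
                        "client side and check whether the reply carries the jail's "
                        "untranslated source address instead of the host address",
    "stalled after handshake": "the handshake traversed the translation but the first "
                               "payload segment drew no ACK: compare pfctl -ss entries for "
                               "the flow on igb0 and lo1, and add 'log' to the block rule "
                               "and watch pflog0 (tcpdump -n -e -ttt -i pflog0) for drops",
    "reset": "one side aborted the connection; note which side sent the RST and when",
}


def parse_segment(line):
    """Return a dict describing the TCP segment on `line`, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": (d["src"], int(d["sport"])),
        "dst": (d["dst"], int(d["dport"])),
        "syn": "S" in d["flags"],
        "ack": "." in d["flags"],
        "rst": "R" in d["flags"],
        "seq": int(d["seq"]) if d["seq"] is not None else None,
        "length": int(d["length"]),
    }


def _new_state():
    return {"syn": 0, "synack": 0, "handshake_ack": False, "rst": 0,
            "client_data": [], "server_data": 0, "server_acks": 0}


def track_flows(lines):
    """Group segments into flows keyed by (client, server); the bare SYN names the client."""
    flows = {}
    for line in lines:
        seg = parse_segment(line)
        if seg is None:
            continue
        if seg["syn"] and not seg["ack"]:
            flows.setdefault((seg["src"], seg["dst"]), _new_state())["syn"] += 1
            continue
        fwd, rev = (seg["src"], seg["dst"]), (seg["dst"], seg["src"])
        if fwd in flows:
            st, from_client = flows[fwd], True
        elif rev in flows:
            st, from_client = flows[rev], False
        else:
            continue  # no SYN captured for this flow, so it cannot be placed
        if seg["rst"]:
            st["rst"] += 1
        elif seg["syn"] and seg["ack"] and not from_client:
            st["synack"] += 1
        elif from_client and seg["length"] == 0 and st["synack"] and not st["handshake_ack"]:
            st["handshake_ack"] = True  # third packet of the handshake
        elif from_client and seg["length"] > 0:
            st["client_data"].append(seg["seq"])  # starting seq, to spot retransmits
        elif not from_client and seg["length"] > 0:
            st["server_data"] += 1
        elif not from_client and st["client_data"]:
            st["server_acks"] += 1  # server acknowledged client payload
    return flows


def diagnose(st):
    """Name the stage at which the flow stopped making progress."""
    if st["rst"]:
        return "reset"
    if not st["synack"]:
        return "no SYN-ACK"
    if not st["handshake_ack"]:
        return "no handshake ACK"
    if st["client_data"] and not (st["server_data"] or st["server_acks"]):
        return "stalled after handshake"
    if st["server_data"] or st["server_acks"]:
        return "data flowing"
    return "idle after handshake"


def triage(capture_text):
    """Map 'client:port -> server:port' to its stall stage and client retransmit count."""
    result = {}
    for (client, server), st in track_flows(capture_text.splitlines()).items():
        result["%s:%d -> %s:%d" % (client + server)] = {
            "stage": diagnose(st),
            # payload segments seen more than once with the same starting seq
            "client_retransmits": len(st["client_data"]) - len(set(st["client_data"])),
        }
    return result


if __name__ == "__main__":
    for flow, info in triage(SAMPLE_CAPTURE).items():
        print(flow, "=>", info["stage"], "(%d client retransmits)" % info["client_retransmits"])
        print("   next:", HINTS.get(info["stage"], "flow progressed; nothing to check here"))
```

Run it against `tcpdump -n -i igb0 port 445` output saved to a file (`triage(open(path).read())`) to see which stage the real flow dies at; capturing on lo1 as well and comparing the two results shows whether the segment that disappears was dropped before or after the redirect.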