Date: Wed, 26 Feb 2020 07:39:27 -0800
From: Chris <bsd-lists@BSDforge.com>
To: kaycee gb <kisscoolandthegangbang@hotmail.fr>
Cc: <freebsd-pf@freebsd.org>
Subject: Re: usage of rdr and pass validation
Message-ID: <dd501547161575a050f3dc8ad9ca9f6c@udns.ultimatedns.net>
In-Reply-To: <VE1PR03MB5629241E3A50263429C448DCA0EA0@VE1PR03MB5629.eurprd03.prod.outlook.com>
On Wed, 26 Feb 2020 10:31:59 +0000 kaycee gb <kisscoolandthegangbang@hotmail.fr> said
> On Tue, 25 Feb 2020 13:43:50 -0800,
> Chris <bsd-lists@BSDforge.com> wrote:
>
> > On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb
> > <kisscoolandthegangbang@hotmail.fr> said
> >
> > > Hi,
> > >
> > > First, sorry, English is not my native language. I will try to be as
> > > precise as possible.
> > >
> > > And also I am not sure it is only pf related. Let me know in this case,
> > > please. Maybe it would be for net and jail too.
> > >
> > > So, I have two cases, maybe related.
> > >
> > > The first one is for using an rdr translation rule.
> > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to
> > > reach one service from the outside. Using one rdr rule like this one,
> > > all seems to work fine. I have access to the service.
> > >
> > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > >
> > > But in case I want to apply some options to this, I have to split it
> > > in 3. This is the relevant part of my config that makes it work:
> > >
> > > > # Emulate skip on lo0
> > > > pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> > > > # jail internal comms
> > > > pass quick on lo0 from $j_one to $j_one
> > > >
> > > > # other traffic ( do not know yet why it is necessary and why no
> > > > # interface specified is mandatory )
> > > > pass in quick proto tcp from any to $j_one port 443
> > > >
> > > > # block all on lo0
> > > > block log quick on lo0
> > > >
> > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > > pass in quick on $ext_if proto tcp from any to $j_one port 443
> > >
> > > See the two lines at the end, which are the first two parts. The third
> > > part is the line after the "other traffic" comment. After a lot of
> > > error and retry, this line had to be written like that. I cannot add
> > > "on lo0" on this line or the service is not reachable.
> > >
> > > I have been using jails for some time now and remember having jail
> > > traffic bound to lo0 before, even when in my configuration jails have
> > > another interface defined (a bridge, generally).
> > >
> > > So I would like to know why it isn't possible to restrict this rule
> > > more? I tried all the other interfaces present in my system, and that
> > > does not work either. Using tcpdump, I can't see the traffic related
> > > to this service on any interface except the external one. It's a
> > > little bit strange to me.
> > >
> > > Finally, I will write another mail for the other case.
> >
> > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...) when I
> > attempt these sort of things, as it seems to simplify things in my head.
> > For example, rc.conf:
> >
> > cloned_interfaces="lo1 lo2"
> > ifconfig_lo1="inet 127.0.0.2"
> > ifconfig_lo2="inet 127.0.0.3"
>
> IIRC, lo1, lo2, ... like bridges bridge0, bridge1, are just "virtual
> interfaces" that help with the jail configuration file. Jail traffic is in
> reality going through lo0.
> When I started using jails, I was using lo1, lo2, ... too, but after trying
> one time or two with bridge interfaces, I decided to stay with bridges; in
> my head it was more like a switch for jails, and that worked in the same
> way. Just a matter of preference.

Sure. Understood. :)
The server I excerpt these from has a *much* larger pf.conf(1), and manages
(filters mostly) ~50 million IPs. I chose things as they are, because somehow
they made it easier in my head at the time. :)

> >
> > This allows me to treat them as any other NIC. I route as necessary to
> > my NIC to the outside world; pf.conf(5):
> >
> > EXT_ADDR="ou.ts.ide.ip"
> > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> > table <trusted> persist file "/etc/TRUSTED"
> >
> > set skip on { lo0, lo1, lo2 }
>
> You could just write set skip on lo0; that would have the same effect. I
> emulate this for host traffic because I filter inter-jail communications.

*Actually* it is enough to simply use lo, and in fact I still do. But there
were some changes to pf(4) (some I think should not have been made) that
currently prevent me from using that. I had to roll back one of our 12.x
servers because of the changes.

> >
> > # this only represents the rule(s) for lo1 but should be helpful for
> > # additional rules on lo2 (or more)
> > nat pass on re0 from { lo1 } to any -> $EXT_ADDR
>
> Funny how you write this one. Maybe I'm used to splitting it into nat and
> pass as a second rule. IIUC the doc, it is possible to write it like this.
>
> > rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR
>
> Funny for this one too. I suppose in this case re0 is the external
> interface. Shouldn't $EXT_ADDR be replaced with the jail's address? Or
> maybe I'm missing something?

To be honest, I've migrated many of my rules from ~releng8. It's what worked
at the time, and even though pf(4) has changed, I haven't. ;)

> >
> > block in
> > pass out
> >
>
> With the "rdr pass" translation rule, like I said above, that works. My
> question was for when I use the rdr translation split into separate rules.
> Sorry.

I had difficulty fully determining your goal, as the rule lines got wrapped
in the email messages.

>
> kaycee,
>
> P.S. Resent because in the first mail I forgot the pf list.

NP. :)

--Chris

> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
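The thread turns on the difference between the one-line "rdr pass" shortcut and the same redirect split into an rdr rule plus an explicit pass rule. The ruleset below is an added example for this archive page, not a configuration posted by either participant; it assumes re0 as the external NIC and 127.0.1.1 as the jail's address on lo0, and the <bruteforce> table and rate limits are illustrative. It shows why the split form exists (state options cannot be attached to "rdr pass") and the one detail that trips people up when splitting: in this generation of pf, translation happens before filtering, so the pass rule has to name the translated destination ($j_one) on the arriving interface, and all translation rules must come before all filter rules in the file.

```conf
# /etc/pf.conf, FreeBSD 11.x/12.x pf grammar: macros, tables, options,
# translation rules, then filter rules.
# Assumed for this example: external NIC re0, jail address 127.0.1.1 on lo0.
# The <bruteforce> table name and the limits below are illustrative only.
ext_if = "re0"
j_one  = "127.0.1.1"
table <bruteforce> persist

# ---- Translation (must precede every filter rule in this pf generation) ----

# Variant A, the one-liner from the thread: translate and pass in one step.
# The packet skips the filter rules, so no flags, state options or overload
# table can be attached to it.
# rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# Variant B, translation only. The destination is rewritten to $j_one before
# the filter rules below are evaluated.
rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# ---- Filtering ----

# Deliberately not "set skip on lo0": skip would stop filtering inter-jail
# traffic on lo0. Allow host loopback and the jail talking to itself, then
# drop and log everything else on lo0.
pass quick on lo0 inet from 127.0.0.1 to 127.0.0.1
pass quick on lo0 inet from $j_one to $j_one
block log quick on lo0

# Sources that tripped the limits below are cut off before the pass rule.
block in quick on $ext_if from <bruteforce>

# The filter rule for the redirected service matches the *translated*
# destination ($j_one), on the interface the packet arrived on ($ext_if).
# These state options are exactly what "rdr pass" cannot express.
pass in quick on $ext_if inet proto tcp from any to $j_one port 443 \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Default policy for everything else.
block in log
pass out keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (parse only; a filter rule placed above the rdr rule is rejected here with a rule-order error), then `pfctl -f /etc/pf.conf`. `pfctl -sn` lists the translation rules and `pfctl -sr` the filter rules as pf actually loaded them; `pfctl -ss | grep 443` shows the states created by the pass rule, `pfctl -t bruteforce -T show` lists sources that hit the overload limit, and with pflog enabled `tcpdump -n -e -ttt -i pflog0` shows what the `block log quick on lo0` rule is dropping.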
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?dd501547161575a050f3dc8ad9ca9f6c>