Date:      Wed, 26 Feb 2020 07:39:27 -0800
From:      Chris <bsd-lists@BSDforge.com>
To:        kaycee gb <kisscoolandthegangbang@hotmail.fr>
Cc:        <freebsd-pf@freebsd.org>
Subject:   Re: usage of rdr and pass validation
Message-ID:  <dd501547161575a050f3dc8ad9ca9f6c@udns.ultimatedns.net>
In-Reply-To: <VE1PR03MB5629241E3A50263429C448DCA0EA0@VE1PR03MB5629.eurprd03.prod.outlook.com>

On Wed, 26 Feb 2020 10:31:59 +0000 kaycee gb kisscoolandthegangbang@hotmail.fr said

> On Tue, 25 Feb 2020 13:43:50 -0800,
> Chris <bsd-lists@BSDforge.com> wrote:
>
> > On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb
> > kisscoolandthegangbang@hotmail.fr said
> >
> > > Hi,
> > >
> > > First, sorry, English is not my native language. I will try to be as
> > > precise as possible.
> > >
> > > And also I am not sure it is only pf related. Let me know in this case
> > > please. Maybe it would be for net and jail too.
> > >
> > > So, I have two cases, maybe related.
> > >
> > > First one is for using an rdr translation rule.
> > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to reach
> > > one service from the outside. Using one rdr rule like this one, all seems
> > > to work fine. I have access to the service.
> > >
> > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > >
> > > But in case I want to apply some options to this, I have to split it in 3.
> > > This is the relevant part of my config that makes it work:
> > >
> > > > # Emulate skip on lo0
> > > > pass            quick   on lo0                  from 127.0.0.1  to 127.0.0.1
> > > > # jail internal comms
> > > > pass            quick   on lo0                  from $j_one     to $j_one
> > > >
> > > > # other traffic (do not know yet why it is necessary and why no
> > > > # interface specified is mandatory)
> > > > pass    in      quick           proto tcp from any to $j_one port 443
> > > >
> > > > # block all on lo0
> > > > block   log     quick   on lo0
> > > >
> > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443      -> $j_one port 443
> > > > pass    in      quick   on $ext_if proto tcp from any to $j_one port 443
> > >
> > > See the two lines at the end, which are the first two parts. The third part
> > > is the line after the "other traffic" comment. After a lot of trial and
> > > error, this line has to be written like that. I can not add "on lo0" on
> > > this line or the service is not reachable.
> > >
> > > I have been using jails for some time now and remember having jail traffic
> > > bound to lo0 before, even though in my configuration jails have another
> > > interface defined (generally a bridge).
> > >
> > > So I would like to know why it isn't possible to restrict this rule more.
> > > I tried all the other interfaces present in my system, and that does not
> > > work either. Using tcpdump, I can't see the traffic related to this service
> > > on any interface except the external one. It's a little bit strange to me.
> > >
> > > Finally, I will write another mail for the other case.
> > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> > when I attempt these sorts of things, as it seems to simplify things in
> > my head.
> > For example, rc.conf:
> > cloned_interfaces="lo1 lo2"
> > ifconfig_lo1="inet 127.0.0.2"
> > ifconfig_lo2="inet 127.0.0.3"
>
> IIRC, lo1, lo2, ... like bridges bridge0, bridge1 are just "virtual interfaces"
> that help with the jail configuration file. Jail traffic is in reality going
> through lo0.
> When I started using jails, I was using lo1, lo2, ... too, but after trying one
> time or two with bridge interfaces, I decided to stay with bridges; it was
> more like a switch for jails in my head, and that worked in the same way.
> Just a matter of preference.
Sure. Understood. :) The server I excerpt these from has a *much*
larger pf.conf(5), and manages (filters mostly) ~50 million IPs. I
chose things as they are, because somehow they made it easier in my head
at the time. :)
> >
> > This allows me to treat them as any other NIC. I route as necessary to my
> > NIC to the outside world; pf.conf(5):
> > EXT_ADDR="ou.ts.ide.ip"
> > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> > table <trusted> persist file "/etc/TRUSTED"
> >
> >
> > set skip on { lo0, lo1, lo2 }
>
> You could just write set skip on lo0, that would have the same effect. I
> emulate this for host traffic because I filter inter-jail communications.
*Actually* it is enough to simply use lo, and in fact I still do. But there
were some changes to pf(4), (some I think should not have been made) that
currently prevent me from using that. I had to roll back one of our 12.x
servers because of the changes.
> >
> > # this only represents the rule(s) for lo1 but should be helpful for
> > # additional rules on lo2 (or more)
> > nat pass on re0 from { lo1 } to any -> $EXT_ADDR
>
> Funny how you write this one. Maybe I'm used to splitting it into nat and pass
> as a second rule. IIUC the doc, it's possible to write it like this.
>
> > rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR
>
> Funny for this one too. I suppose in this case re0 is the external
> interface.
> Shouldn't $EXT_ADDR be replaced with the jail's address? Or maybe I'm missing
> something?

To be honest, I've migrated many of my rules from ~releng8. It's what
worked at the time, and even though pf(4) has changed, I haven't. ;)
> >
> >
> > block in
> > pass out
> >
> >
>
> With the pass in rdr translation rule, like I said above, that works. My
> question was for when I use split rdr translation rules.
Sorry. I had difficulty fully determining your goal, as the rule lines
got wrapped in the email messages.
>
> kaycee,
>
> P.S. Resent because in the first mail I forgot the pf list
NP. :)

--Chris
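The split that kaycee's mail is about, written out as one added example (this is editorial illustration, not a config from either poster). It uses the $ext_if and $j_one macros from the thread; the interface name and jail address are placeholders, and the connection-limit options and the <bruteforce> table are assumptions chosen only to show why one would split the rule. Syntax is the FreeBSD 11.x/12.x pf.conf(5) nat/rdr style used in the thread, where translation rules are evaluated before filter rules, so the filter rule in the split form has to match the already-translated destination ($j_one), not $ext_if.

```pf
# Added example; not from the thread.  Placeholder values:
ext_if = "em0"
j_one  = "10.0.0.11"

# pf.conf(5) requires tables before translation and filter rules.
table <bruteforce> persist

# Form 1: one rule.  "rdr pass" rewrites the destination and lets the matching
# packets through WITHOUT consulting the filter rules below, so nothing else is
# needed, but no filter options (state limits, log, tag, ...) can be attached.
rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 \
    -> $j_one port 443

# Form 2: split.  The rdr rule only translates; the packet then hits the filter
# with destination $j_one:443 on $ext_if, so that is what the pass rule matches.
# Splitting is what allows options such as the connection limits shown here
# (assumed values) and the overload table consumed by the block rule.
rdr on $ext_if inet proto tcp from any to $ext_if port 443 \
    -> $j_one port 443

block in log quick on $ext_if from <bruteforce>

pass in quick on $ext_if inet proto tcp from any to $j_one port 443 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Use one form or the other, not both, for the same port. To check a rule set before loading it, run `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -sn` and `pfctl -sr` to see the translation and filter rules as pf actually loaded them. The practical way to answer "which rule is dropping this" for a layout like kaycee's, where `block log quick on lo0` is the last resort, is to enable pflog (`pflog_enable="YES"` in rc.conf) and watch `tcpdump -n -e -ttt -i pflog0`: every packet matched by a `log` rule is shown with the rule number and interface that blocked it, which is more direct than sniffing each interface for the traffic.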