Date: Tue, 24 Dec 2013 19:37:50 +0800
From: Carsten Larsen <csf@innolan.dk>
To: Beeblebrox <zaphod@berentweb.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: NAT & RDR rules for jailed proxy services
Message-ID: <52B9720E.1090304@innolan.dk>
In-Reply-To: <1387735487942-5870782.post@n5.nabble.com>
References: <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com> <52B5B556.3070209@innolan.dk> <1387735487942-5870782.post@n5.nabble.com>
Hi Beeblebrox,

I took a look at your configuration on google docs and I must say it is a rather complex strategy you have chosen. I won't try to fix your configuration but instead give some general advice based on my own experience.

-> Instead of relying heavily on nat and redirect rules, try to use routing between your addresses. This would work just by allowing routing in the kernel. Examine routing tables using netstat -rn.

-> Use the tool pftop, accessible from the ports collection, and examine the state table. This usually gives an indication of where to look for the missing responses. It will also show you which IP is being used as gateway while doing NAT.

-> Verify your rules look as expected with 'pfctl -s rules' and 'pfctl -s nat'.

-> Be sure you understand how filtering works. I would recommend reading the online tutorials by Peter N. M. Hansteen at http://home.nuug.no/~peter/pf/en/

-> If you really want to dig deep, buy the "Book of PF". I read it myself and it helped a lot to understand the possibilities but also the constraints of pf. The book does not specifically treat the subject of jails though.

Good luck with the rules (and merry Christmas)

Carsten Larsen

--- Beeblebrox wrote:
> Hi Carsten,
> Thanks very much for your ideas & input. I have it working mostly as you advised. Nat rules:
> nat on $ExtIf proto {tcp,udp} from $jdns to $JaIf port 443 tag NAT_DNS -> $ExtIf # I use dnscrypt-proxy
> nat on $ExtIf proto {tcp,udp} from $jprvx to $JaIf port {80,443} tag NAT_PRVX -> $ExtIf
> nat on $ExtIf from any to !($ExtIf) -> $ExtIf
> I don't have to use different ports, it works as is. Tagging does help distinguish between "same port, different jail" (for port 443 as example).
>
> That said, I seem to have run into a strange filter rule problem. I aim to block all ports that each jail is not using.
> Partial filter rules:
> block drop log (all) on $ExtIf
> block drop log (all) on $JaIf
> ##_PRIVOXY
> pass in quick on $JaIf proto tcp from any to $jprvx port 8118
> pass out quick on {$JaIf,$ExtIf} inet tagged NAT_PRVX $TcpState $OpenSTO
>
> The strangeness: When I comment out the block code (rules lines 1 & 2 above), the privoxy jail stops working. tcpdump shows:
> 1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
>
> Is the problem with the port that privoxy is using, or do I need to allow some other pass rule for each jail (like jail's lo0 must be able to pass to <jail-ip>:8118)?
>
>>> Also add scrub to ensure no packet fragmentation. This is needed for pf
>>> to work.
> I have a bunch of code I have omitted so as to keep the messages short.
>
> Thanks and Regards.
>
> -----
> FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
> --
> View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870782.html
> Sent from the freebsd-pf mailing list archive at Nabble.com.
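The following is an added example, not the poster's ruleset and not taken from the thread: a complete minimal pf.conf for the layout discussed above (jails on a loopback clone behind one external interface), showing scrub, a default deny on both interfaces, per-jail tagging in the nat rules, and an explicit pass for traffic that never leaves the jail interface, which is the case the quoted tcpdump output shows being blocked on lo2. Interface and address names are assumptions: ext0 stands in for $ExtIf, lo2 for $JaIf, 192.168.2.98 for the dns jail is made up, and 192.168.2.99 reuses the privoxy jail address from the tcpdump lines. The verification commands at the end are the pfctl/pftop checks recommended in the reply.

```pf
# Added example pf.conf (not the original poster's configuration).
# Assumed names: ext0 = external interface, lo2 = jail interface,
# 192.168.2.98 = dnscrypt-proxy jail (made up), 192.168.2.99 = privoxy jail.

ExtIf = "ext0"
JaIf  = "lo2"
jdns  = "192.168.2.98"
jprvx = "192.168.2.99"
jails = "{" $jdns $jprvx "}"

set skip on lo0              # the host's own loopback is never filtered
set block-policy drop

# Normalize first: reassembling fragments is what lets state matching work.
scrub in all

# --- translation: nat rules must come before filter rules in this pf version ---
# Tag each jail's outbound traffic so the filter can tell "same port, different
# jail" apart (port 443 is used by both jails here). ($ExtIf) tracks the
# interface's current address.
nat on $ExtIf proto { tcp udp } from $jdns  to any port 443        tag NAT_DNS  -> ($ExtIf)
nat on $ExtIf proto tcp         from $jprvx to any port { 80 443 } tag NAT_PRVX -> ($ExtIf)

# --- filter ---
# Default deny, logged: 'tcpdump -n -e -ttt -i pflog0' then shows the dropped
# packet and the rule number that matched it.
block log all

# Traffic that stays on the jail interface: host <-> jail and jail <-> jail,
# including a jail connecting to its own address. Without such a rule the
# default deny above also drops 192.168.2.99 -> 192.168.2.99:8118 on lo2.
pass quick on $JaIf inet from $jails to $jails keep state

# Local clients reaching the proxy port (host or other jails via lo2).
pass in quick on $JaIf inet proto tcp from any to $jprvx port 8118 flags S/SA keep state

# Only traffic the nat rules tagged may leave; anything else a jail tries on
# any other port falls through to the block rule.
pass out quick on $ExtIf inet proto { tcp udp } tagged NAT_DNS  keep state
pass out quick on $ExtIf inet proto tcp         tagged NAT_PRVX keep state

# Verification (as root on the host):
#   pfctl -nf /etc/pf.conf              # parse only; catches syntax/macro errors
#   pfctl -f /etc/pf.conf && pfctl -s nat && pfctl -s rules
#   pfctl -s state | grep 8118          # no entry means the SYN never passed
#   pftop                               # net-mgmt/pftop: live state table, shows
#                                       # which address is used as the NAT gateway
# If plain routing between the addresses is used instead of nat/rdr, enable
# forwarding and check the table:
#   sysctl net.inet.ip.forwarding=1 && netstat -rn
```

The `quick` on the lo2 rules matters: without it, evaluation continues and a later, more specific rule can still win. When a new jail is added, the pattern is one nat rule with its own tag plus one `pass out ... tagged` rule, so each jail's reachable ports are visible in `pfctl -s nat` and `pfctl -s rules` side by side.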
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?52B9720E.1090304>