From owner-freebsd-questions@freebsd.org Wed Mar 30 08:27:59 2016
Date: Wed, 30 Mar 2016 09:27:55 +0100
Subject: Re: question re: PF and forwarding
From: krad
To: sorressean
Cc: FreeBSD Questions

I think your service lines have to be comma delimited; check the output of pfctl -sr, as this will tell you what rules actually made it in, and all macros will be expanded.

On 30 March 2016 at 03:56, Littlefield, Tyler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A bit more info:
> I've tried a bunch of different configurations and still can't get
> this to forward through. When I use tcpdump to debug, I get
> client->syn
> server->syn
> client->ack
> *hang*
> From there nothing actually happens.
> If anyone has any other info I'd really appreciate it. I'm not sure
> where to go from here/how to troubleshoot farther.
> Thanks,
> On 3/29/2016 4:59 AM, krad wrote:
> > What network topology are the jails' NICs on? I presume it's not vnet,
> > as that doesn't play well with PF. Your rules hint at the jails
> > being on loopback. If so, can you put them on a separate IP on your
> > subnet, as pf can still filter them fine there, and you will find
> > the ruleset a bit easier to manage. If those 192 addresses aren't on
> > loopback and are on the same subnet as the host's IP on igb0, why
> > are you NATing them? This will probably cause issues.
> >
> > On 28 March 2016 at 21:23, Littlefield, Tyler wrote:
> >
> > All, sorry for the multiple emails recently. I'm working to get my
> > server set up here so I can begin doing some dev on BHyve once that
> > is all finalized. I am jailing my services like minidlna, samba and
> > unbound and am using PF to forward those. For whatever reason I do
> > not see the ports I specify as open ports, but the individual
> > addresses show them when I connect from within my server. For
> > example, I can telnet 192.168.0.2 445 and that works fine in terms
> > of establishing a connection. I was hoping that someone might see
> > any connection here. Here is my pf.conf.
> > ***
> > if="igb0"
> > addr="10.21.96.128"
> > samba_addr="192.168.0.2"
> > dlna_addr="192.168.0.3"
> > unbound_addr="192.168.0.4"
> > tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> > udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> >
> > set skip on lo
> > set loginterface $if
> > scrub in all
> >
> > #allow jails through
> > nat on $if inet from $samba_addr to any tag jail_samba -> $addr
> > nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
> > nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
> > #portforward to jails.
> > #unbound
> > rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
> > rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
> > #samba
> > rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
> > rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
> > rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
> > rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
> > rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
> > rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
> > rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
> > rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
> >
> > #rules
> > pass quick on lo1
> > pass from igb0:network to any keep state
> >
> > #default policy: deny
> > antispoof quick for { $if lo }
> > block in all
> > #accept TCP ports.
> > pass in on $if proto tcp from any to any port $tcp_services
> > pass in on $if proto udp from any to any port $udp_services
> > ***
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >>
>
> --
> Take care,
> Ty
> Twitter: @sorressean
> Web: https://tysdomain.com
> Pubkey: https://tysdomain.com/files/pubkey.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBAgAGBQJW+0B2AAoJEAdP60+BYxejJ0YH/0YTGHQD4UVaAausYfXxNXRQ
> cIjsNKqxco/v+EhmbfS51xKIe27yFouyuuREsZvztkks9QnAJ2X3/kYBLsNGfRsy
> tGe0I23Pe56DYOQqnB2+AmonpyL9Nay0DOACpvZR2eWSEn78NKENtffA7o8E+Swo
> J/NF4/yiU/mVw6+h9qqekT9mMz1aqykdKJtPWGHvR2QYRBPdrQymaNg6rlFACtl8
> XPrOIJD0PCyZXgCBg2S5hLCDGPaqDcHUbA1Bw8noIAQvIYrH8eBwPZ2hihKfD8On
> 1eouqzD2jpneCUVQUKAm3nfax25b54Itn6VSlrOyOXPtaZsny+DnuzSgbJw52ck=
> =mXEX
> -----END PGP SIGNATURE-----
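The advice in the reply is to compare what pfctl actually loaded (pfctl -sr, with every macro substituted and every brace list expanded into one rule per item) against what was written. The script below is an added example, not code from this thread, from either poster, or from FreeBSD: it performs that macro and list expansion offline for the subset of pf.conf syntax the thread uses (macros, `$name` references, `{ ... }` lists separated by whitespace or commas, plain nat/rdr/pass rules; no tables, anchors or nested lists), and then lists the resulting port redirections so they can be checked against the intended jail services. `SAMPLE_PF_CONF` is a constructed, trimmed version of the ruleset posted in the thread; the `proto { tcp, udp }` line is a condensed form of the two unbound rdr rules, written that way to show list expansion in a field other than port.

```python
"""Offline expansion of pf.conf macros and brace lists.

Added example, not code from the thread or from FreeBSD: it mimics the
expansion pfctl performs when loading a ruleset (the per-item rules shown by
`pfctl -sr` / `pfctl -sn`), so a jail-forwarding ruleset can be sanity-checked
before it is loaded. Only the syntax subset used in the thread is handled.
"""
import itertools
import re

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
BRACE_LIST = re.compile(r'\{([^{}]*)\}')
RDR_RULE = re.compile(
    r'^rdr\b.*\bproto\s+(\S+)\b.*\bport\s+(\S+)\s+->\s+(\S+)\s+port\s+(\S+)$')

# Constructed sample, based on (and trimmed from) the ruleset posted in the thread.
SAMPLE_PF_CONF = """\
if="igb0"
addr="10.21.96.128"
samba_addr="192.168.0.2"
unbound_addr="192.168.0.4"
tcp_services="{ssh 53 netbios-ssn microsoft-ds}"
udp_services="{53, netbios-ns}"

set skip on lo
scrub in all
nat on $if inet from $samba_addr to any -> $addr
# a list in the proto field expands to one rule per protocol
rdr pass on $if proto { tcp, udp } from any to $addr port 53 -> $unbound_addr port 53
rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
block in all
pass in on $if proto tcp from any to any port $tcp_services
pass in on $if proto udp from any to any port $udp_services
"""


def strip_comments(text):
    """Drop '#' comments and blank lines; each remaining line is one statement."""
    stripped = (raw.split('#', 1)[0].strip() for raw in text.splitlines())
    return [line for line in stripped if line]


def substitute(text, macros):
    """Replace $name references; like pfctl, an undefined macro is an error."""
    def repl(match):
        name = match.group(1)
        if name not in macros:
            raise ValueError(f"macro '{name}' not defined")
        return macros[name]
    return MACRO_REF.sub(repl, text)


def expand_lists(rule):
    """Expand every { a b, c } list into one rule per combination of items.

    pf.conf(5) lists may be separated by whitespace or commas; both forms
    expand the same way here.
    """
    lists = [[item for item in re.split(r'[\s,]+', body.strip()) if item]
             for body in BRACE_LIST.findall(rule)]
    parts = BRACE_LIST.sub('\x00', rule).split('\x00')
    expanded = []
    for combo in itertools.product(*lists):
        text = parts[0]
        for item, tail in zip(combo, parts[1:]):
            text += item + tail
        expanded.append(re.sub(r'\s+', ' ', text).strip())
    return expanded


def expand_ruleset(text):
    """Return the flat list of rules pf would load: macros substituted, lists expanded."""
    macros, rules = {}, []
    for line in strip_comments(text):
        match = MACRO_DEF.match(line)
        if match:
            # a macro value may reference macros defined above it
            macros[match.group(1)] = substitute(match.group(2), macros)
        else:
            rules.extend(expand_lists(substitute(line, macros)))
    return rules


def redirect_map(rules):
    """Map (proto, listening port) -> (jail address, jail port) for each rdr rule."""
    mapping = {}
    for rule in rules:
        match = RDR_RULE.match(rule)
        if match:
            mapping[(match.group(1), match.group(2))] = (match.group(3), match.group(4))
    return mapping


if __name__ == "__main__":
    expanded = expand_ruleset(SAMPLE_PF_CONF)
    for rule in expanded:
        print(rule)
    print("redirections:", redirect_map(expanded))
```

Running the script prints the 13 rules the sample expands to, one per list item, which is the form to compare against `pfctl -nvf /etc/pf.conf` (parse and print without loading) or `pfctl -sr` on the host; a service that is missing from the printed redirections, or a port that ends up on a different jail address than expected, is visible here before any packet is captured.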