From owner-freebsd-questions@freebsd.org Wed Mar 30 15:24:59 2016
From: "Littlefield, Tyler" <tyler@tysdomain.com>
To: krad
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: question re: PF and forwarding
Date: Wed, 30 Mar 2016 11:24:39 -0400
Message-ID: <56FBEFB7.2010704@tysdomain.com>
References: <56F992AA.7070409@tysdomain.com> <56FB4076.3040501@tysdomain.com>

On 3/30/2016
4:27 AM, krad wrote:
> I think your service lines have to be comma delimited, check the
> output of pfctl -sr as this will tell you what rules actually made
> it in, and all macros will be expanded
>
> I forget the command, but it's -sl or -sn.

I added that to my pf.conf on a note from someone in IRC and didn't get
anywhere. The port is still refusing to forward. I've also changed
subnets as well. I'm not really sure what else to try, I've moved the
jails from running on igb0 to lo1 to see if that worked and back again.

> On 30 March 2016 at 03:56, Littlefield, Tyler wrote:
>
>> A bit more info: I've tried a bunch of different configurations and
>> still can't get this to forward through. When I use tcpdump to debug,
>> I get client->syn server->syn client->ack *hang* - From there nothing
>> actually happens. If anyone has any other info I'd really appreciate
>> it. I'm not sure where to go from here/how to troubleshoot farther.
>>
>> Thanks,
>>
>> On 3/29/2016 4:59 AM, krad wrote:
>>> what network topology are the jails nics on? I presume it's not vnet
>>> as that doesn't play well with PF. Your rules hint at the jails being
>>> on loopback. If so can you put them on a separate ip on your subnet
>>> as pf can still filter them fine there, and you will find the ruleset
>>> a bit easier to manage. If those 192 addresses aren't on loopback and
>>> are on the same subnet as the host's ip on igb0, why are you natting
>>> them, this will probably cause issues?
>>>
>>> On 28 March 2016 at 21:23, Littlefield, Tyler wrote:
>>>
>>>> All, sorry for the multiple emails recently. I'm working to get my
>>>> server set up here so I can begin doing some dev on BHyve once that
>>>> is all finalized. I am jailing my services like minidlna, samba and
>>>> unbound and am using PF to forward those. For whatever reason I do
>>>> not see the ports I specify as open ports, but the individual
>>>> addresses show them when I connect from within my server. For
>>>> example, I can telnet 192.168.0.2 445 and that works fine in terms
>>>> of establishing a connection. I was hoping that someone might see
>>>> any connection here. Here is my pf.conf.
>>>>
>>>> ***
>>>> if="igb0"
>>>> addr="10.21.96.128"
>>>> samba_addr="192.168.0.2"
>>>> dlna_addr="192.168.0.3"
>>>> unbound_addr="192.168.0.4"
>>>> tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
>>>> udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
>>>>
>>>> set skip on lo
>>>> set loginterface $if
>>>> scrub in all
>>>>
>>>> #allow jails through
>>>> nat on $if inet from $samba_addr to any tag jail_samba -> $addr
>>>> nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
>>>> nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
>>>> #portforward to jails.
>>>> #unbound
>>>> rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
>>>> rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
>>>> #samba
>>>> rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
>>>> rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
>>>> rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
>>>> rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
>>>> rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
>>>> rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
>>>> rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
>>>> rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
>>>>
>>>> #rules
>>>> pass quick on lo1
>>>> pass from igb0:network to any keep state
>>>>
>>>> #default policy: deny
>>>> antispoof quick for { $if lo }
>>>> block in all
>>>> #accept TCP ports.
>>>> pass in on $if proto tcp from any to any port $tcp_services
>>>> pass in on $if proto udp from any to any port $udp_services
>>>> ***
>>>>
>>>> _______________________________________________
>>>> freebsd-questions@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc
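The same jail forwarding as an added example ruleset, not the poster's or krad's own configuration: lists are comma-delimited as krad suggested, the per-port rdr lines are collapsed, and the pfctl/tcpdump checks mentioned in the thread are noted inline. The interface names, addresses and the lo1 jail interface are assumed from the thread; it is a layout to compare against pfctl -sr output, not a confirmed fix for the reported hang.

```pf
# Added example (assumptions from the thread): igb0 is the outside
# interface, the jails live on cloned lo1 in 192.168.0.0/24.
ext_if = "igb0"
jail_if = "lo1"
ext_addr = "10.21.96.128"
samba_addr = "192.168.0.2"
dlna_addr = "192.168.0.3"
unbound_addr = "192.168.0.4"
jail_net = "192.168.0.0/24"

# Comma-delimited lists. After loading, confirm the expansion with:
#   pfctl -nf /etc/pf.conf   (parse only, no load)
#   pfctl -sr                (filter rules, macros expanded)
#   pfctl -sn                (nat/rdr rules)
#   pfctl -ss                (state table: is the rdr state created?)
samba_tcp = "{ 139, 445 }"
samba_udp = "{ 137, 138 }"
host_tcp  = "{ ssh }"

# 'set skip on lo' would match the whole lo group, lo1 included, so the
# jail interface would never be filtered; skip only lo0.
set skip on lo0
set loginterface $ext_if
scrub in all

# One outbound NAT rule for every jail instead of one per address.
nat on $ext_if inet from $jail_net to any -> $ext_addr

# Forwards: with no port after '->' the destination port is kept, so one
# rule per protocol covers the whole list. 'rdr pass' creates the state.
rdr pass on $ext_if inet proto { tcp, udp } from any to $ext_addr port 53 -> $unbound_addr
rdr pass on $ext_if inet proto tcp from any to $ext_addr port $samba_tcp -> $samba_addr
rdr pass on $ext_if inet proto udp from any to $ext_addr port $samba_udp -> $samba_addr

# Default deny, logged: tcpdump -n -e -ttt -i pflog0 shows what was dropped
# and by which rule, which answers "where does the handshake stall?".
block in log all
antispoof quick for $ext_if

# Jail-side traffic and the host's own services.
pass quick on $jail_if
pass in on $ext_if inet proto tcp from any to $ext_addr port $host_tcp flags S/SA keep state
pass out on $ext_if keep state
```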