Date: Wed, 7 Dec 2016 16:32:44 -0500
From: Ian FREISLICH <ian.freislich@capeaugusta.com>
To: freebsd-pf@freebsd.org
Subject: Re: PF TAGged jail traffic fails pass rule on egress
Message-ID: <36395078-e9fe-64ce-5506-7ddf82d63c48@capeaugusta.com>
In-Reply-To: <20161207171021.607579ea@rsbsd.rsb>
References: <20161207171021.607579ea@rsbsd.rsb>
On 12/07/16 09:10, Beeblebrox via freebsd-pf wrote:
> Hello,
>
> I have a PF problem with TAG evaluation and am completely stumped. It should be very straightforward, but it's not working. Here's what I'm trying to do:
> * I have several jails on cloned lo2
> * Allow only specified port traffic to and from each jail
> * Block all out-going traffic at egress interface (wan0) unless allowed (use tags here)
>
> I've tested with a very simplified PF ruleset, with consistent failure:
>
> nat on wan0 from !(wan0) -> wan0
> ## Filters
> block drop log on wan0 all
> # tested with both combinations below
> block drop log on lo2 all \ # set skip on lo0
> set skip on lo0 \ # block drop log on lo2 all
>
> ## Jail for Unbound + dns-crypt
> pass in quick on lo2 proto udp from any to <jail-ip> port 53 tag TD
> pass out quick on lo2 proto udp from <jail-ip> to any (or wan0) port {53,443,2053} tag TD
> ## PASSING TAGGED PACKETS ##
> pass out quick on $ExtIf keep state tagged TD

You can add a log parameter to tag rules and watch your pflog0 for evidence of a match. You might find that the packets aren't actually received by the lo2 interface at all.

> PF blocks outgoing traffic nevertheless. Rule 0 is "block drop log on wan0 all"
> 15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
> 15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576
>
> I tested a different jail with TCP packets, got same:
> 16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
>
> The only thing I can think of is that packets are not being tagged, so the "pass out" rule is not evaluated (pfctl -s state confirms no state for those packets). Is there an issue that packets traversing a cloned lo0 interface cannot be tagged?
> Unfortunately tcpdump or such tools as I understand, cannot display the TAG header so I'm unable to proceed with debugging.
> Any ideas?

-- 
Cape Augusta Digital Properties, LLC
a Cape Augusta Company
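Ian's suggestion is to put `log` on the tag rules and read pflog0. Once that is done, the interesting question is whether any line from a `pass ... tag TD` rule ever shows up next to the `block out on wan0` lines. The POSIX shell script below is an added example, not code from the thread or from FreeBSD; it summarizes lines in the format that `tcpdump -n -e -i pflog0` prints (the same format as the lines Beeblebrox quoted) by rule number, action, direction, interface and destination port, and counts how many blocks a given rule produced. The sample input is constructed: the first three lines mirror the quoted blocks, the fourth is an invented `pass in on lo2` hit standing for what a logged tag rule would emit if it matched. Pipe a real `tcpdump -n -e -i pflog0` capture into the same functions to get the live picture.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): group pflog output so it is
# obvious which rules fire for jail traffic. Sample lines are CONSTRUCTED to look
# like `tcpdump -n -e -i pflog0` output; the fourth one is hypothetical and only
# illustrates what a logged `pass ... tag TD` rule on lo2 would print.

SAMPLE_LOG='15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576
16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535
16:45:46.411700 rule 3/0(match): pass in on lo2: 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535'

# Field layout of one pflog line as printed by tcpdump -e:
#   $1 timestamp  $2 "rule"  $3 "N/0(match):" or "N..M/0(match):"
#   $4 action     $5 direction  $6 "on"  $7 "iface:"
#   $8 src.port   $9 ">"     $10 "dst.port:"  rest is protocol detail
# The N..M form is what pf prints when the rule is the last one evaluated and
# no anchor matched; only the leading N is the rule number we care about.

# summarize_pflog: stdin = pflog text; stdout = "count rule action dir iface dport",
# sorted by rule number, then by descending count.
summarize_pflog() {
    awk '
    $2 == "rule" {
        rule = $3
        sub(/\/.*$/, "", rule)          # drop "/0(match):"
        sub(/\.\..*$/, "", rule)        # drop "..16777216" if present
        iface = $7; sub(/:$/, "", iface)
        dst = $10; sub(/:$/, "", dst)
        n = split(dst, parts, ".")      # last dotted component is the port
        dport = parts[n]
        key = rule " " $4 " " $5 " " iface " " dport
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2,2n -k1,1nr
}

# blocked_by_rule RULE: stdin = pflog text; stdout = number of "block" lines
# attributed to that rule number (0 if none).
blocked_by_rule() {
    awk -v want="$1" '
    $2 == "rule" && $4 == "block" {
        rule = $3
        sub(/\/.*$/, "", rule)
        sub(/\.\..*$/, "", rule)
        if (rule == want) n++
    }
    END { print n + 0 }
    '
}

# Stand-alone run over the constructed sample. On a live system replace the
# printf with: tcpdump -n -e -i pflog0 -l | summarize_pflog
printf '%s\n' "$SAMPLE_LOG" | summarize_pflog
printf 'blocks charged to rule 0: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | blocked_by_rule 0)"
```

If the summary shows blocks on wan0 but no `pass` lines at all on lo2 after `log` has been added to the tag rules, the tag rules are never matching and the tagging question is moot; if lo2 pass lines do appear and wan0 still blocks the same flows, the tag is being lost between the two interfaces.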