Date:      Thu, 27 Feb 2020 14:01:21 +0000
From:      kaycee gb <kisscoolandthegangbang@hotmail.fr>
To:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: usage of rdr and pass validation
Message-ID:  <VE1PR03MB5629E66F59E835D2FF9871D8A0EB0@VE1PR03MB5629.eurprd03.prod.outlook.com>
In-Reply-To: <dd501547161575a050f3dc8ad9ca9f6c@udns.ultimatedns.net>
References:  <VE1PR03MB5629241E3A50263429C448DCA0EA0@VE1PR03MB5629.eurprd03.prod.outlook.com> <dd501547161575a050f3dc8ad9ca9f6c@udns.ultimatedns.net>

On Wed, 26 Feb 2020 07:39:27 -0800, Chris <bsd-lists@BSDforge.com> wrote:

> On Wed, 26 Feb 2020 10:31:59 +0000 kaycee gb
> kisscoolandthegangbang@hotmail.fr said
>
> > On Tue, 25 Feb 2020 13:43:50 -0800,
> > Chris <bsd-lists@BSDforge.com> wrote:
> >
> > > On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb
> > > kisscoolandthegangbang@hotmail.fr said
> > >
> > > > Hi,
> > > >
> > > > First, sorry, English is not my native language. I will try to be as
> > > > precise as possible.
> > > >
> > > > And also I am not sure it is only pf related. Let me know in this case
> > > > please. Maybe it would be for net and jail too.
> > > >
> > > > So, I have two cases, maybe related.
> > > >
> > > > First one is for using an rdr translation rule.
> > > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to join
> > > > one service from the outside. Using one rdr rule like this one, all
> > > > seems to work fine. I have access to the service.
> > > >
> > > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > >
> > > > But in case I want to apply some options to this, I have to split it in
> > > > 3. This is the relevant part of my config that makes it work:
> > > >
> > > > > # Emulate skip on lo0
> > > > > pass    quick   on lo0   from 127.0.0.1  to 127.0.0.1
> > > > > # jail internal comms
> > > > > pass    quick   on lo0   from $j_one     to $j_one
> > > > >
> > > > > # other traffic (do not know yet why it is necessary and why no
> > > > > # interface specified is mandatory)
> > > > > pass    in      quick   proto tcp from any to $j_one port 443
> > > > >
> > > > > # block all on lo0
> > > > > block   log     quick   on lo0
> > > > >
> > > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > > > pass    in      quick   on $ext_if proto tcp from any to $j_one port 443
> > > >
> > > > See the two lines at the end which are the first two parts. The third
> > > > part is the line after the "other traffic" comment. After a lot of errors
> > > > and retries, this line has to be written like that. I can not add "on lo0"
> > > > on this line or the service is not reachable.
> > > >
> > > > I've been using jails for some time now and remember having jail traffic
> > > > bound to lo0 before, even when in my configuration jails have another
> > > > interface defined (a bridge generally).
> > > >
> > > > So I would like to know why it isn't possible to limit this rule more?
> > > > I tried all other interfaces present in my system, and that does not work
> > > > either.
> > > > Using tcpdump, I can't see the traffic related to this service on any
> > > > interface except the external one. It's a little bit strange for me.
> > > >
> > > > Finally, I will write another mail for the other case.
> > > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> > > when I attempt these sorts of things. As it seems to simplify things in my
> > > head.
> > > For example, rc.conf
> > > cloned_interfaces="lo1 lo2"
> > > ifconfig_lo1="inet 127.0.0.2"
> > > ifconfig_lo2="inet 127.0.0.3"
> >
> > IIRC, lo1 lo2 ... like bridges bridge0 bridge1 are just "virtual interfaces"
> > that help with the jail configuration file. Jail traffic is in reality going
> > through lo0.
> > When I started using jails, I was using lo1 lo2 ... too but after trying one
> > time or two with bridge interfaces, I decided to stay with bridges; it was
> > more in my head like a switch for jails, and that worked in the same way.
> > Just a matter of preference.
> Sure. Understood. :) The server I excerpt these from has a *much*
> larger pf.conf(1), and manages (filters mostly) ~50 million IPs. I
> chose things as they are, because somehow they made it easier in my head
> at the time. :)

50 million, that starts to be something :)
> > >
> > > This allows me to treat them as any other NIC. I route as necessary to my
> > > NIC to the outside world; pf.conf(5):
> > > EXT_ADDR="ou.ts.ide.ip"
> > > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> > > table <trusted> persist file "/etc/TRUSTED"
> > >
> > >
> > > set skip on { lo0, lo1, lo2 }
> >
> > You could just write set skip on lo0, that would have the same effect. I
> > emulate this for host traffic because I filter inter-jail communications.
> *Actually* it is enough to simply use lo, and in fact I still do. But there
> were some changes to pf(4), (some I think should not have been made) that
> currently prevent me from using that. I had to roll back one of our 12.x
> servers because of the changes.

Yeap, changes sometimes make us do that. :x
12.X seems to have introduced a certain amount of changes. I have some sort of
internal process for installing my systems. Tried to install a 12.0 some weeks
ago that way and it failed. Have not investigated yet, so I stay with 11.3 for
the moment.
> > >
> > > # this only represents the rule(s) for lo1 but should be helpful for
> > > # additional rules on lo2 (or more)
> > > nat pass on re0 from { lo1 } to any -> $EXT_ADDR
> >
> > Funny how you write this one. Maybe I'm used to splitting it into nat and pass
> > as a second rule. IIUC the doc, it's possible to write it like this.
> >
> > > rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR
> >
> > Funny for this one too. I suppose in this case re0 is the external
> > interface.
> > Shouldn't $EXT_ADDR be replaced with the jail's address? Or maybe I'm missing
> > something?
>
> To be honest, I've migrated many of my rules from ~releng8. It's what
> worked at the time, and even though pf(4) has changed, I haven't. ;)

Maybe you should. At least investigate. 8 to 11 (???) is a long time.
> > >
> > >
> > > block in
> > > pass out
> > >
> > >
> >
> > With the pass in rdr translation rule, like said above, that works. My question
> > was for when I use split rdr translation rules.
> Sorry. I had difficulty fully determining your goal, as the rule lines
> got wrapped in the email messages.

80-character lines are not enough when you have to paste configurations
that are space- or tab-aligned ^^

> # Emulate skip on lo0
> pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> # jail internal comms
> pass quick on lo0 from $j_one to $j_one
>
> # other traffic (do not know yet why it is necessary and why no interface
> # specified is mandatory)
> pass in quick proto tcp from any to $j_one port 443
>
> # block all on lo0
> block log quick on lo0
>
> rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> pass in quick on $ext_if proto tcp from any to $j_one port 443

With that conf I had a hard time understanding why I needed the "other traffic"
rule and why I could not specify an interface with the "on" clause to let
the traffic pass.

With deeper debugging, I found that I had this in my pf.conf

> private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16, 169.254/16"
> bcast_nets   = "224.0.0.0/4, 255.255.255.255/32"
> table <ext_in> { $private_nets, $bcast_nets, $ext_if:broadcast }
>
> block   in      quick   on $ext_if to <ext_in>

After splitting that into
> private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16, 169.254/16"
> bcast_nets   = "224.0.0.0/4, 255.255.255.255/32"
> table <private> { $private_nets }
> table <cast>    { $bcast_nets, $ext_if:broadcast }
>
> block   in      quick   on $ext_if from <private>
> block   in      quick   on $ext_if to <cast>

I have the configuration I was expecting and it's working. I wonder now why
blocking internal nets inbound on the external if was reacting like that. I
remember reading something about how pf does rdr operations. I have to confirm
this but for the moment it's ok.

It also solved my second case ^^

Thanks,

kaycee,
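The reason the original "to <ext_in>" rule swallowed the redirected traffic is the evaluation order documented in pf.conf(5): translation rules (nat, rdr) are evaluated before filter rules, so the filter rules see the packet with its translated destination. Once the rdr has rewritten $ext_if:443 to $j_one:443, a quick block rule on $ext_if whose destination table contains the jail's network matches and drops the packet before any pass rule is reached. The following pf.conf fragment is an added, annotated example written for this editor's note, not a ruleset from the thread; the interface name, the jail address and the table contents are assumed and chosen only to make the matching visible.

```pf
# Added example (not from the thread): why a "to <private>" block on the
# external interface dropped the redirected HTTPS flow, and the split form
# that avoids it. Interface and address values below are assumed.
ext_if = "re0"            # assumed external interface
j_one  = "10.0.0.10"      # assumed jail address, inside 10/8

private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192.168/16, 169.254/16"
bcast_nets   = "224.0.0.0/4, 255.255.255.255/32"
table <private> { $private_nets }
table <cast>    { $bcast_nets, $ext_if:broadcast }

# Translation is evaluated before the filter rules. After this rdr matches,
# every filter rule below sees destination $j_one:443, not $ext_if:443.
rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# PROBLEM FORM, left commented out for comparison: the combined table
# contained 10/8, so "to <ext_in>" matched the already-translated
# destination $j_one and, being quick, dropped the packet before any pass.
# table <ext_in> { $private_nets, $bcast_nets, $ext_if:broadcast }
# block in quick on $ext_if to <ext_in>

# FIXED FORM: spoofed private *sources* are still refused on the external
# interface, while the *destination* check only covers broadcast and
# multicast ranges, which a translated jail address never falls into.
block in quick on $ext_if from <private>
block in quick on $ext_if to <cast>

# Let the translated flow in on the interface it actually arrives on.
# A rule bound to lo0 cannot match it: the packet enters on $ext_if and,
# as the tcpdump observation in the thread shows, never appears on lo0.
pass in quick on $ext_if proto tcp from any to $j_one port 443

# Default policy
block in
pass out
```

To check a ruleset like this without loading it, run `pfctl -nf /etc/pf.conf`; after loading, `pfctl -sn` lists the translation rules and `pfctl -sr` the filter rules in the order pf evaluates them, which makes it easy to confirm that the rdr precedes the block rules and that no destination table still covers the jail's address range.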


