Date: Thu, 27 Feb 2020 14:01:21 +0000 From: kaycee gb <kisscoolandthegangbang@hotmail.fr> To: "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org> Subject: Re: usage of rdr and pass validation Message-ID: <VE1PR03MB5629E66F59E835D2FF9871D8A0EB0@VE1PR03MB5629.eurprd03.prod.outlook.com> In-Reply-To: <dd501547161575a050f3dc8ad9ca9f6c@udns.ultimatedns.net> References: <VE1PR03MB5629241E3A50263429C448DCA0EA0@VE1PR03MB5629.eurprd03.prod.outlook.com> <dd501547161575a050f3dc8ad9ca9f6c@udns.ultimatedns.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Le Wed, 26 Feb 2020 07:39:27 -0800, Chris <bsd-lists@BSDforge.com> a =E9crit : > On Wed, 26 Feb 2020 10:31:59 +0000 kaycee gb > kisscoolandthegangbang@hotmail.fr said >=20 > > Le Tue, 25 Feb 2020 13:43:50 -0800, > > Chris <bsd-lists@BSDforge.com> a =E9crit : > >=20 > > > On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb > > > kisscoolandthegangbang@hotmail.fr said > > > =20 > > > > Hi, > > > >=20 > > > > First, sorry english is not my native language. I will try to be as > > > precise > > > > as > > > > possible.=20 > > > >=20 > > > > And also I am not sure it is only pf related. Let me know in this c= ase > > > > please. > > > > Maybe it would be for net an jail too.=20 > > > >=20 > > > > So, I have two cases maybe related.=20 > > > >=20 > > > > First one is for using rdr translation rule.=20 > > > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to= join > > > > one service from the outside. Using one rdr rule like this one, all > > > > seems > > > to > > > > work fine. I have acces to the service. > > > > =20 > > > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 > > > > > -> $j_one port 443 =20 > > > >=20 > > > > But in case I want to apply some options to this, I have to split i= t in > > > > 3. This > > > > is the relevant part of my config that makes it work=20 > > > > =20 > > > > > # Emulate skip on lo0 > > > > > pass quick on lo0 from 127.0.0.1 t= o > > > > > 127.0.0.1 > > > > > # jail internal comms > > > > > pass quick on lo0 from $j_one t= o > > > $j_one > > > > >=20 > > >> ># other traffic ( do not know yet why it is necessary and why no > > >interface > > >> >specified in mandatory ) > > > > > pass in quick proto tcp from any to $j_one port= 443 > > > > > > > > > > # block all on lo0 > > > > > block log quick on lo0 > > > > > > > > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -= > > > > > > $j_one port 443 > > > > > pass in quick on $ext_if proto tcp from any to $j_one p= ort > > > > > 443=20 > > >=20 > > > >=20 > > > > See the two lines at the end which are the first two parts. The thi= rd > > > > part is > > > > the line after the "other traffic comment". After a lot of error an= d > > > retry, > > > > this line have to be wrote like that. I can not add "on lo0" on thi= s > > > > line > > > or > > > > the > > > > service is not reachable.=20 > > > >=20 > > > > I'm using jails since some time now and remember having jail traffi= c > > > > bound to > > > > lo0 before even in my configuration jails have another interface de= fined > > > (a > > > > bridge generally).=20 > > > >=20 > > > > So I would like to know why isn't it possible to limit more this ru= le ? > > > > I tried all other interfaces present in my system, and that do not = work > > > > either. > > > > Using tcpdump, I can't see the traffic related to this service on a= ny > > > > interface except the external one. It's a little bit strange for me= .=20 > > > >=20 > > > > Finally, I will write another mail for the other case. =20 > > > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...) > > > when I attempt these sort of things. As it seems to simplify things i= n my > > > head. > > > For example, rc.conf > > > cloned_interfaces=3D"lo1 lo2" > > > ifconfig_lo1=3D"inet 127.0.0.2" > > > ifconfig_lo2=3D"inet 127.0.0.3" =20 > >=20 > > IIRC, lo1 lo2 ... like bridges bridge0 bridge1 are just "virtual interf= aces" > > that helps with jail configuration file. Jail traffic is in reality goi= ng > > through lo0.=20 > > When I started using jails, I was using lo1 lo2 ... too but after tryin= g one > > time or two with bridge interfaces, I decided to stay with bridges, it = was > > more > > in my head more like a switch for jails, and that worked in the same wa= y. > > Just > > a matter of preference. > Sure. Understood. :) The server I excerpt these from has a *much* > larger pf.conf(1), and manages (filters mostly) ~50 million IPs. I > chose things as they are, because somehow they made it easier in my head > at the time. :) 50 million, it start to be something :) > > >=20 > > > This allows me to treat them as any other NIC. I route as necessary t= o my > > > NIC to the outside world; pf.conf(5): > > > EXT_ADDR=3D"ou.ts.ide.ip" > > > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful. > > > table <trusted> persist file "/etc/TRUSTED" > > >=20 > > >=20 > > > set skip on { lo0, lo1, lo2 } =20 > >=20 > > You could just write set skip on lo0, that would have the same effect. = I > > emulate this for host traffic because I filter inter jails communicatio= ns. > *Actually* it is enough to simply use lo, and in fact I still do. But the= re > were some changes to pf(4), (some I think should not have been made) that > currently prevent me from using that. I had to roll back one of our 12.x > servers because of the changes. Yeap, changes sometimes make us do that. :x 12.X seems to have introduced a certain amount of changes. I have some sort= of inernal process for installing my systems. Tried to install a 12.0 some wee= ks ago that way and it failed. Had not investigated yet so I stay with 11.3 fo= r the moment. > > >=20 > > > # this only represents the rule(s) for lo1 but should be helpful for > > > # additional rules on lo2 (or more) > > > nat pass on re0 from { lo1 } to any -> $EXT_ADDR =20 > >=20 > > Funny how you write this one. Maybe I'm used to split it in nat and pas= s as > > a second rule. IIUC the doc, that's possible to write like this.=20 > >=20 > > > rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR =20 > >=20 > > Funny for this one too. I suppose in this case re0 is the external > > interface. > > Shouldn't $EXT_ADDR be replaced with jail's address ? Or maybe I'm miss= ing > > something ? >=20 > To be honest, I've migrated many of my rules from ~releng8. It's what > worked at the time, and even tho pf(4) has changed. I haven't. ;) Maybe you should. At least investigate. 8 to 11 (???) is a long time > > >=20 > > >=20 > > > block in > > > pass out > > >=20 > > > =20 > >=20 > > With pass in rdr translation rule, like said above that work. My questi= on > > was > > for when I use rdr translation splited rules. > Sorry. I had difficulty fully determining your goal. As the rule lines > got wrapped in the email messages. 80 characters long lines is not enough when you have to paste configuration= s space or tab aligned ^^ > # Emulate skip on lo0 > pass quick on lo0 from 127.0.0.1 to 127.0.0.1 > # jail internal comms > pass quick on lo0 from $j_one to $j_one ># other traffic ( do not know yet why it is necessary and why no interface >specified in mandatory ) > pass in quick proto tcp from any to $j_one port 443 > > # block all on lo0 > block log quick on lo0 > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port= 443 > pass in quick on $ext_if proto tcp from any to $j_one port 443 With that conf I had hard time to understand why I need the "other traffic" rule and why I could not specify an interface with the "on" clause to allow the traffic pass.=20 With deeper debugging, I found that I had this in my pf.conf > private_nets =3D "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16, > 169.254/16" > bcast_nets =3D "224.0.0.0/4, 255.255.255.255/32" > table <ext_in> { $private_nets, $bcast_nets, $ext_if:broadcast } >=20 > block in quick on $ext_if to <ext_in> After splitting that to > private_nets =3D "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16, > 169.254/16" > bcast_nets =3D "224.0.0.0/4, 255.255.255.255/32" > table <private> { $private_nets } > table <cast> { $bcast_nets, $ext_if:broadcast } >=20 > block in quick on $ext_if from <private> > block in quick on $ext_if to <cast> I have the configuration I was expecting and it's working. I wonder now why blocking internal nets inbound on external if was reacting like that. I remember reading something about how pf do rdr operations. I have to confir= m this but for the moment it's ok. =20 =20 It also solved my second case ^^ Thanks, kaycee,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?VE1PR03MB5629E66F59E835D2FF9871D8A0EB0>