From: kaycee gb <kisscoolandthegangbang@hotmail.fr>
To: freebsd-pf@freebsd.org
Subject: Re: usage of rdr and pass validation
Date: Thu, 27 Feb 2020 14:01:21 +0000
On Wed, 26 Feb 2020 07:39:27 -0800, Chris wrote:
> On Wed, 26 Feb 2020 10:31:59 +0000 kaycee gb
> kisscoolandthegangbang@hotmail.fr said
>
> > On Tue, 25 Feb 2020 13:43:50 -0800, Chris wrote:
> >
> > > On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb
> > > kisscoolandthegangbang@hotmail.fr said
> > >
> > > > Hi,
> > > >
> > > > First, sorry, English is not my native language. I will try to be
> > > > as precise as possible.
> > > >
> > > > And also I am not sure it is only pf related. Let me know in this
> > > > case please. Maybe it would be for net and jail too.
> > > >
> > > > So, I have two cases, maybe related.
> > > >
> > > > The first one is for using an rdr translation rule.
> > > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to
> > > > reach one service from the outside. Using one rdr rule like this
> > > > one, all seems to work fine. I have access to the service.
> > > >
> > > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > >
> > > > But in case I want to apply some options to this, I have to split
> > > > it in 3. This is the relevant part of my config that makes it work:
> > > >
> > > > > # Emulate skip on lo0
> > > > > pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> > > > > # jail internal comms
> > > > > pass quick on lo0 from $j_one to $j_one
> > > > >
> > > > > # other traffic ( do not know yet why it is necessary and why no
> > > > > # interface specified is mandatory )
> > > > > pass in quick proto tcp from any to $j_one port 443
> > > > >
> > > > > # block all on lo0
> > > > > block log quick on lo0
> > > > >
> > > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > > > pass in quick on $ext_if proto tcp from any to $j_one port 443
> > > >
> > > > See the two lines at the end, which are the first two parts. The
> > > > third part is the line after the "other traffic" comment. After a
> > > > lot of error and retry, this line has to be written like that. I
> > > > can not add "on lo0" on this line or the service is not reachable.
> > > >
> > > > I have been using jails for some time now and remember having jail
> > > > traffic bound to lo0 before, even when in my configuration the
> > > > jails have another interface defined (a bridge generally).
> > > >
> > > > So I would like to know why it isn't possible to limit this rule
> > > > more. I tried all other interfaces present in my system, and that
> > > > does not work either.
> > > > Using tcpdump, I can't see the traffic related to this service on
> > > > any interface except the external one. It's a little bit strange
> > > > for me.
> > > >
> > > > Finally, I will write another mail for the other case.
> > >
> > > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> > > when I attempt these sorts of things. As it seems to simplify things
> > > in my head.
> > > For example, rc.conf
> > > cloned_interfaces="lo1 lo2"
> > > ifconfig_lo1="inet 127.0.0.2"
> > > ifconfig_lo2="inet 127.0.0.3"
> >
> > IIRC, lo1 lo2 ... like bridges bridge0 bridge1 are just "virtual
> > interfaces" that help with the jail configuration file. Jail traffic
> > is in reality going through lo0.
> > When I started using jails, I was using lo1 lo2 ... too, but after
> > trying one time or two with bridge interfaces, I decided to stay with
> > bridges; in my head it was more like a switch for jails, and that
> > worked in the same way. Just a matter of preference.
>
> Sure. Understood. :) The server I excerpt these from has a *much*
> larger pf.conf(1), and manages (filters mostly) ~50 million IPs. I
> chose things as they are, because somehow they made it easier in my
> head at the time. :)

50 million, it starts to be something :)

> > > This allows me to treat them as any other NIC. I route as necessary
> > > to my NIC to the outside world; pf.conf(5):
> > > EXT_ADDR="ou.ts.ide.ip"
> > > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> > > table persist file "/etc/TRUSTED"
> > >
> > > set skip on { lo0, lo1, lo2 }
> >
> > You could just write set skip on lo0, that would have the same
> > effect. I emulate this for host traffic because I filter inter-jail
> > communications.
>
> *Actually* it is enough to simply use lo, and in fact I still do. But
> there were some changes to pf(4), (some I think should not have been
> made) that currently prevent me from using that. I had to roll back one
> of our 12.x servers because of the changes.

Yep, changes sometimes make us do that. :x
12.X seems to have introduced a certain amount of changes. I have some
sort of internal process for installing my systems. Tried to install a
12.0 some weeks ago that way and it failed. Had not investigated yet, so
I stay with 11.3 for the moment.

> > > # this only represents the rule(s) for lo1 but should be helpful for
> > > # additional rules on lo2 (or more)
> > > nat pass on re0 from { lo1 } to any -> $EXT_ADDR
> >
> > Funny how you write this one. Maybe I'm used to splitting it into nat
> > and pass as a second rule. IIUC the doc, it's possible to write it
> > like this.
> >
> > > rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR
> >
> > Funny for this one too. I suppose in this case re0 is the external
> > interface.
> > Shouldn't $EXT_ADDR be replaced with the jail's address? Or maybe I'm
> > missing something?
>
> To be honest, I've migrated many of my rules from ~releng8. It's what
> worked at the time, and even tho pf(4) has changed. I haven't. ;)

Maybe you should. At least investigate. 8 to 11 (???) is a long time.

> > > block in
> > > pass out
> >
> > With the pass in rdr translation rule, like said above, that works.
> > My question was for when I use rdr translation split rules.
>
> Sorry. I had difficulty fully determining your goal. As the rule lines
> got wrapped in the email messages.

80-character lines are not enough when you have to paste configurations
aligned with spaces or tabs ^^

> # Emulate skip on lo0
> pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> # jail internal comms
> pass quick on lo0 from $j_one to $j_one
> # other traffic ( do not know yet why it is necessary and why no
> # interface specified is mandatory )
> pass in quick proto tcp from any to $j_one port 443
>
> # block all on lo0
> block log quick on lo0
>
> rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> pass in quick on $ext_if proto tcp from any to $j_one port 443

With that conf I had a hard time understanding why I need the "other
traffic" rule and why I could not specify an interface with the "on"
clause to allow the traffic to pass.

With deeper debugging, I found that I had this in my pf.conf:

> private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16, 169.254/16"
> bcast_nets = "224.0.0.0/4, 255.255.255.255/32"
> table { $private_nets, $bcast_nets, $ext_if:broadcast }
>
> block in quick on $ext_if to

After splitting that into

> private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16, 169.254/16"
> bcast_nets = "224.0.0.0/4, 255.255.255.255/32"
> table { $private_nets }
> table { $bcast_nets, $ext_if:broadcast }
>
> block in quick on $ext_if from
> block in quick on $ext_if to

I have the configuration I was expecting and it's working. I wonder now
why blocking internal nets inbound on the external interface was
reacting like that. I remember reading something about how pf does rdr
operations. I have to confirm this but for the moment it's OK.

It also solved my second case ^^

Thanks,
kaycee,
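Editor's note on the behaviour described in this thread, with an added pf.conf fragment that is not part of the original mail and not FreeBSD project code. On FreeBSD 11.x, pf applies translation rules (nat, rdr) before it evaluates the filter ruleset, so a filter rule sees the packet with its destination already rewritten to the jail address. A "block in quick on $ext_if to <table>" whose table contains 172.16/12 therefore matches the redirected packet whenever the jail lives in that range, and because the rule is quick, evaluation stops before any later "pass in ... to $j_one port 443" is reached. Splitting the table so that private ranges are only checked in the source position (which rdr never touches) removes the collision. The interface em0, the external address 203.0.113.5, the jail address 172.16.1.10 and the table names unwanted, private and bcast below are assumptions for the example, not values from the mail.

```pf
# Added example: failing and working forms of the anti-spoof block rule
# around an rdr to a jail. Names and addresses below are assumed.
ext_if = "em0"                 # assumed external interface
j_one  = "172.16.1.10"         # assumed jail address, inside 172.16/12

private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192.168/16, 169.254/16"
bcast_nets   = "224.0.0.0/4, 255.255.255.255/32"

# ---- failing form (kept as comments so the file loads) -------------------
# One table holds private and broadcast ranges, and one rule blocks inbound
# packets whose *destination* is in it:
#
#   table <unwanted> { $private_nets, $bcast_nets, $ext_if:broadcast }
#   block in quick on $ext_if to <unwanted>
#
# A client SYN to 203.0.113.5:443 (assumed external address) is rewritten by
# the rdr below to 172.16.1.10:443 before any filter rule runs. The block
# rule then matches the translated destination (172.16/12) and, being quick,
# drops the packet before the pass rule for $j_one is ever evaluated.

# ---- working form ---------------------------------------------------------
table <private> { $private_nets }
table <bcast>   { $bcast_nets, $ext_if:broadcast }

# Anti-spoofing on the source side: a packet arriving on the external
# interface that claims a private source is bogus. rdr never rewrites the
# source address, so this rule cannot catch the redirected connection.
block in quick on $ext_if from <private>

# Destination side: still drop multicast/broadcast destinations. The jail
# address is not in this table, so the translated packet is not matched.
block in quick on $ext_if to <bcast>

# Translation first (applied before filtering), then the filter rule written
# against the translated destination, as pf requires.
rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
pass in quick on $ext_if proto tcp from any to $j_one port 443
```

To check a change like this, run pfctl -nf /etc/pf.conf to parse without loading, pfctl -f /etc/pf.conf to load, and compare pfctl -s nat and pfctl -s rules with what you expected. If a block rule still eats the connection, give it the log keyword and watch tcpdump -n -e -ttt -i pflog0: the -e output names the rule number that matched, which settles which rule dropped the packet without guessing.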