From: Beeblebrox
To: freebsd-pf@freebsd.org
Date: Wed, 29 Jan 2014 12:30:57 -0800 (PST)
Subject: Some pf syntax questions
Message-ID: <1391027457325-5881251.post@n5.nabble.com>

I have re0 (ExtIf), re1 (IntIf), lo0 and vboxnet0 (VbIf) as interfaces. There are http-cache, privoxy and dns running, each inside its own jail, with IPs from 127.0.0.2 - 4. The host is both gateway to the LAN and a workstation (so http and dns packets are generated from lo0 also). I would like to have all http and dns packets from IntIf and VbIf silently proxied to the jails.
The rdr and nat section of pf.conf is:

    ##### Translation & RDR ######
    no rdr proto {tcp,udp} from $jdns to any port domain
    no rdr proto tcp from $jprvx to $ExtIf port http
    no rdr proto tcp from $jhttp to {$IntIf,$VbIf} port http
    ## redirect packets for interception ##
    rdr proto {tcp,udp} from any to any port domain tag t_dns -> $jdns
    rdr proto tcp from any to any port http tag t_www -> $jhttp port 8080
    rdr on $IntIf proto {tcp,udp} from $IntNet to any port domain tag t_dns -> $jdns
    rdr on $IntIf proto tcp from $IntNet to any port http tag t_www -> $jhttp port 8080
    nat on $ExtIf from !($ExtIf) -> $ExtIf

Problems & Questions:

1. Currently, packets from VbIf (vboxnet0 + host-only guests) and lo0 correctly pass through the jails. Configuration for IntIf fails completely, however. How can the packets from IntIf be redirected to the jails? FIB has been tried and does not work, because, from the ifconfig man page's FIB section: "The FIB is not inherited, e.g. vlans or other sub-interfaces will use the default FIB (0) irrespective of the parent interface's FIB."

2. Having tagged the packets as above, I found this syntax to NOT work:

       no rdr tagged t_dns
       no rdr tagged t_www

   Is this logic doomed to fail, or is there a different syntax? As far as I know, the tag should persist on the outbound, but it probably gets dropped once it leaves ExtIf, hence the wrong place to tag?

3. So far, I have not found any method or setup to force redirect packets from lo0. I assume it's impossible even if I were to add these to pf.conf?

       rdr on $ExtIf proto {tcp,udp} from any port domain tag t_dns -> $jdns
       rdr on $ExtIf proto tcp from any port http tag t_www -> $jhttp port 8080

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
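An added example, not from the post above or from pf itself: a small Python evaluator of the three port-domain translation rules quoted in the post, applying pf's first-match rule for nat/rdr (pf.conf(5)) to a few constructed packets so you can see which rule each one hits. The macro values, interface addresses and client addresses are assumed for illustration.

```python
# Added example (not pf's code): first-match evaluation of the port-domain
# rdr rules from the post. Interface names come from the post; macro values
# and sample addresses below are assumed for illustration.
IntIf, ExtIf, VbIf = "re1", "re0", "vboxnet0"
MACROS = {"jdns": "127.0.0.2", "IntNet": "192.168.1.0/24"}   # assumed values

def ipv4_in(addr, spec):
    """True if addr matches spec: 'any', a host address, or a /24 network."""
    if spec == "any":
        return True
    if spec.endswith("/24"):
        return addr.rsplit(".", 1)[0] == spec[:-3].rsplit(".", 1)[0]
    return addr == spec

# (action, interface or None for any, protocols, source spec, dest port,
# redirect target) in the order they appear in the posted pf.conf.
RULES = [
    ("no rdr", None, {"tcp", "udp"}, MACROS["jdns"], 53, None),
    ("rdr", None, {"tcp", "udp"}, "any", 53, MACROS["jdns"]),
    ("rdr", IntIf, {"tcp", "udp"}, MACROS["IntNet"], 53, MACROS["jdns"]),
]

def first_match(pkt):
    """Translation rules are evaluated first-match (pf.conf(5)). Returns
    (index of the matching rule, redirect target or None for 'no rdr'),
    or (None, None) when no rule matches the packet."""
    iface, proto, src, dport = pkt
    for i, (action, on, protos, src_spec, port, target) in enumerate(RULES):
        if on is not None and on != iface:
            continue
        if proto not in protos or dport != port or not ipv4_in(src, src_spec):
            continue
        return i, (target if action == "rdr" else None)
    return None, None

# Constructed sample packets: (inbound interface, proto, source, dest port).
SAMPLES = [
    ("lo0", "udp", "127.0.0.2", 53),          # the DNS jail's own upstream query
    ("re1", "udp", "192.168.1.20", 53),       # a LAN client behind IntIf
    ("vboxnet0", "udp", "192.168.56.5", 53),  # a VirtualBox host-only guest
    ("re1", "tcp", "192.168.1.20", 80),       # HTTP: none of the DNS rules match
]

def evaluate(packets):
    return [first_match(p) for p in packets]

if __name__ == "__main__":
    for pkt, (idx, target) in zip(SAMPLES, evaluate(SAMPLES)):
        print(pkt, "-> rule", idx, "redirect to", target)
```

Note that the LAN client's query is claimed by the interface-less rule at index 1, so the `on $IntIf` rule at index 2 is never consulted for it; rule order matters under first-match semantics.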