From owner-freebsd-pf@FreeBSD.ORG Mon Feb 8 18:15:27 2010
Date: Mon, 8 Feb 2010 11:15:24 -0700
From: Maurice
To: jhell
Cc: freebsd-pf@freebsd.org
Subject: Re: using pf to NAT with only one NIC
References: <7731938b1002051647y78be2d0dq56ac8f3c39d993e@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Fri, Feb 5, 2010 at 10:09 PM, jhell wrote:
>
> On Fri, 5 Feb 2010 19:47, peter@ wrote:
>
>> Hi Maurice,
>>
>> Yes, you can do it without much difficulty and I've got my server
>> setup in that manner: there's about twenty separate jails that can
>> access the internet via specific NAT rules and incoming services
>> handled via RDR rules. Note: you won't be able to ping from a jail,
>> unless you want to allow your jailed processes to create raw sockets
>> (you don't) :-)
>>
>> There's probably many ways it can be done, but what I did was something
>> like:
>>
>> i) create a second loopback interface, lo1 (cf. cloned interfaces)
>> and assign appropriate alias netblocks for your jails on that
>> interface;
>>
>> ii) create your pf.conf, set skip on lo0 but not the external or lo1
>> interface;
>>
>> iii) I'd set "set state-policy if-bound" so you know what's going on;
>>
>> iv) don't use the antispoof keyword, it will make a mess in this
>> situation;
>>
>> v) setting up bind to handle local dns resolution is a good idea -
>> point your jails towards this and you'll need to add in an appropriate
>> rule(s) later on;
>>
>> vi) setup outgoing nat rules, e.g.
>>
>> nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port smtp -> $ext_ip
>>
>> vii) setup incoming services, e.g.
>>
>> rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp
>>
>> viii) put in pass rules to allow nat out and rdr in; remember NAT is
>> done first, so your outgoing packets ALL have source IP of the
>> external IP now and not the jail IP
>>
>> pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
>> pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state
>>
>> ix) allow jail implicit access to itself
>>
>> pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail flags S/SA keep state
>>
>> x) add in rules to allow any interjail communication as needed
>> (remember the incoming/outgoing packets appear the other way round
>> here - use tcpdump to check if in doubt)
>>
>> If you have any problems, run tcpdump in a separate terminal window to
>> determine what's going on.
>>
>> Peter
>>
>> On 5 February 2010 22:53, Maurice wrote:
>>
>>> Hi,
>>>
>>> I have been looking for a couple days now, with no luck, for some
>>> direction as to whether I can successfully configure my FreeBSD to NAT
>>> with only one NIC. This is because I am setting up my system to jail my
>>> webserver, and I don't think I can get it to work without NATting it.
>>> If you have an alternate solution that would be great too. This is what
>>> my pf.conf looks like right now:
>>>
>>> # $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $
>>> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
>>> #
>>> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> block in all
>>> block out all
>>>
>>> ext_if="fxp0"
>>> #int_if="int0"
>>> all_if="{fxp0, lo0}"
>>>
>>> #Internal network subnet
>>> int_net="10.0.0.0/32"
>>>
>>> #name and IP of webserver
>>> APACHE="10.0.0.1"
>>>
>>> #table persist
>>>
>>> set skip on lo
>>>
>>> scrub in
>>>
>>> #nat-anchor "ftp-proxy/*"
>>> #rdr-anchor "ftp-proxy/*"
>>> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
>>> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>>> #no rdr on $ext_if proto tcp from to any port smtp
>>> #rdr pass on $ext_if proto tcp from any to any port smtp \
>>> #    -> 127.0.0.1 port spamd
>>>
>>> #anchor "ftp-proxy/*"
>>> #pass out
>>>
>>> #pass quick on $int_if no state
>>> #antispoof quick for { lo $int_if }
>>> block in quick from urpf-failed
>>>
>>> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
>>> rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
>>> nat on $ext_if from $APACHE to any -> fxp0
>>>
>>>
> Your placement of nat and redirect rules is a little bit worrisome.
> pf.conf as stated by its manual page is ordered (see following)
>
> # [Macros] i.e. variable=lo1
> # [Options] i.e. set etc.. etc..
> # [Normalization] i.e. scrub
> # [Queuing] i.e. ALTQ
> # [Translation] i.e. NAT RDR etc...
> # [Filtering] i.e. pass & block rules
>
> Beware that there is quite the change for rule-sets ahead if the newer
> version of pf that is in the works for OpenBSD ever makes it downstream to
> FreeBSD.
>
> I personally do not know if the way you have your rule-set configured would
> cause any havoc with NAT since you have it mingled between filtering rules
> but it would be good practice to stick to what's already drawn in the manual
> page.
>
> Best of luck.
>
>
>>> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
>>> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>>>
>>> That doesn't seem to be doing the trick, since I can't ping and DNS won't
>>> resolve anything from within the jail (APACHE). I am going off some
>>> examples I found that would seem to suggest it is possible with only one
>>> NIC, but I can't seem to get it to work. Any help/advice would be greatly
>>> appreciated.
>>>
>>> thanks,
>>>
>>> Maurice
>>
>>
> --
>
> jhell
>

Thank you for your instructions, gentlemen. I will do my best to follow them.
This is my first stab at setting up a UNIX box, so thank you for your patience
as well!

regards,
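For reference, here is a complete ruleset in the shape Peter's steps i) to x) describe and in the section order jhell quotes from pf.conf(5). It is an added example, not part of the thread and not either poster's configuration. It assumes fxp0 is the only NIC and takes its address dynamically as ($ext_if), that the web jail is 10.0.0.1/32 on the cloned loopback lo1, that all jail aliases fall inside 10.0.0.0/24, and that the host's resolver (Peter's step v) listens on a second lo1 alias, 10.0.0.254; all of those addresses are hypothetical. It uses the nat/rdr syntax the thread uses, and TCP and UDP get separate rules so that "flags S/SA" and "modulate state" are only ever applied to TCP.

```pf
# /etc/pf.conf - NAT a jailed web server out of a single NIC (added example,
# not from the thread). Assumed layout: fxp0 is the only NIC, the jail lives
# on the cloned loopback lo1 as 10.0.0.1/32, and bind on the host listens on
# a second lo1 alias, 10.0.0.254 (hypothetical addresses).

# [Macros]
ext_if   = "fxp0"
jail_if  = "lo1"
jail_net = "10.0.0.0/24"     # every jail alias on lo1 falls in here
jail_web = "10.0.0.1"
host_dns = "10.0.0.254"

# [Options]
set skip on lo0              # skip lo0 only; lo1 must stay filtered (step ii)
set state-policy if-bound    # a state only matches on the interface it was created on (step iii)

# [Normalization]
scrub in on $ext_if all

# [Translation] - these must come before every pass/block rule; pfctl rejects
# a file that mixes them into the filter section.
# Jail -> world: rewrite the jail source address to the NIC's address.
nat on $ext_if inet from $jail_net to any -> ($ext_if)
# World -> jail web server: port 80 on the NIC is sent to the jail.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $jail_web port 80

# [Filtering]
# Default deny, no antispoof (step iv): lo1 carries addresses that antispoof
# would treat as spoofed on fxp0.
block in log all
block out log all

# Outbound on the NIC. NAT has already run, so the jail's packets carry the
# NIC's address here, exactly like the host's own traffic (step viii).
pass out on $ext_if inet proto tcp  from ($ext_if) to any flags S/SA modulate state
pass out on $ext_if inet proto udp  from ($ext_if) to any keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state   # host ping only; jails cannot

# Inbound on the NIC: ssh to the host, and the redirected web traffic, which
# is already addressed to the jail IP by the time it is filtered.
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state
pass in log on $ext_if inet proto tcp from any to $jail_web port 80 flags S/SA modulate state

# On lo1 a jail talks to itself (127.0.0.1 inside a jail is its own IP) and to
# the host resolver. Direction flips on loopback (step x), so pass undirected.
pass on $jail_if inet proto tcp from $jail_web to $jail_web flags S/SA keep state   # step ix
pass on $jail_if inet proto udp from $jail_web to $jail_web keep state
pass on $jail_if inet proto { tcp udp } from $jail_net to $host_dns port domain keep state   # step v
```

The matching /etc/rc.conf entries for step i) are `cloned_interfaces="lo1"`, `ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.255"` and `ifconfig_lo1_alias0="inet 10.0.0.254 netmask 255.255.255.255"`, plus `pf_enable="YES"` and `pflog_enable="YES"` so the `log` rules show up on pflog0. Check the file with `pfctl -nf /etc/pf.conf` before loading it; that is also what catches the section-ordering problem jhell points out, since pfctl refuses a ruleset whose nat/rdr lines follow filter rules. `net.inet.ip.forwarding` is not needed for this layout: the jail's packets originate on the host and never cross from one interface to another. To see what is being dropped, `tcpdump -n -e -ttt -i pflog0` in a second terminal is the tcpdump check Peter recommends.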