From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: "Valeri Galtsev"
Cc: freebsd-questions
Subject: Re: Jails: pf blocks access to localhost of host system
Date: Tue, 17 Aug 2021 10:58:25 +0000

On Mon, 16 Aug 2021, at 21:54, Valeri Galtsev wrote:
> Here is my simplified to necessary minimum for debugging pf.conf:

A very helpful trick for debugging pf rules is to temporarily switch to
logging blocks, and then use tcpdump or wireshark on the pflog interface
to show exactly which rule is blocking your traffic.

    # use `block log all` temporarily in your pf.conf
    $ sudo service pflog onestart
    $ sudo tcpdump -i pflog0 -ttt -vv -e -n
    ...
    00:00:00.000000 rule 6/0(match): block in on wlan0: (tos 0x0, ttl 28, id 10175, offset 0, flags [DF], proto TCP (6), length 52) 18.135.227.37.443 > 172.17.29.35.41193: Flags [.], cksum 0xcd79 (correct), seq 2375471224, ack 432893548, win 8, options [nop,nop,TS val 2577574610 ecr 2828825691], length 0

In particular, note the "rule 6" listed.
When you run `pfctl -vvv -f /etc/pf.conf | egrep '^@6 '` you'll see what
rules those are, and then you can add a pass rule as appropriate from the
tcpdump info.

This would be a great addition to the handbook, I think. There is already
`31.3. PF` which alludes to this but doesn't link all the bits together
for a newcomer to pf.

Read pflog(4) and specifically this in pf.conf(5):

    log    In addition to the action specified, a log message is
           generated. Only the packet that establishes the state is
           logged, unless the no state option is specified. The logged
           packets are sent to a pflog(4) interface, by default pflog0.
           This interface is monitored by the pflogd(8) logging daemon,
           which dumps the logged packets to the file /var/log/pflog in
           pcap(3) binary format.

You can attach logging to almost any rule in pf.conf, not just blocking ones.

Finally, remember to clean up pcap junk:

    sudo service pflog onestop
    sudo rm /var/log/pflog

As a general pointer, I tend to use `pass in quick ...` for rules; I was
once told that speeds things up but I forget the details.

https://home.nuug.no/~peter/pftutorial/, if you haven't already found it,
is invaluable. There is a version somewhere with a freebsd specific
section in it, if somebody has a link to this please share.

A+
Dave
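Added example, not part of Dave's mail nor of pf or FreeBSD: a small Python script that does the rule-number correlation described above, parsing `tcpdump -n -e -ttt -i pflog0` lines and looking the `rule N` up in a numbered `@N ...` rule listing (the format printed by `pfctl -vvsr`, assumed here). Apart from the one pflog line quoted in the mail, the pflog lines, rule listing and addresses are constructed samples.

```python
import re
from collections import Counter

# Added example, not from the mail. Reads `tcpdump -n -e -ttt -i pflog0` lines and a
# `pfctl -vvsr`-style listing (rule lines start with "@N "); the samples below are constructed.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\S+): \(.*?proto (?P<proto>\w+).*?\) (?P<src>\S+) > (?P<dst>\S+):"
)
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>.*)$")

def parse_pflog_line(line):
    """Fields of one pflog0 tcpdump line (rule, action, dir, iface, proto, src, dst), or None."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec

def load_rules(listing):
    """Rule number -> rule text; the indented '[ Evaluations ... ]' stat lines are skipped."""
    return {int(m.group("num")): m.group("text")
            for m in map(RULE_RE.match, listing.splitlines()) if m}

def blocked_by_rule(pflog_text, listing):
    """Count blocked flows per (rule, direction, interface, proto), most hits first."""
    rules = load_rules(listing)
    counts = Counter()
    for rec in map(parse_pflog_line, pflog_text.splitlines()):
        if rec and rec["action"] == "block":
            counts[(rec["rule"], rec["dir"], rec["iface"], rec["proto"])] += 1
    return [{"rule": r, "dir": d, "iface": i, "proto": p, "hits": n, "text": rules.get(r, "?")}
            for (r, d, i, p), n in counts.most_common()]

# Constructed samples; only the first pflog line is the one quoted in the mail.
PFLOG_SAMPLE = """\
00:00:00.000000 rule 6/0(match): block in on wlan0: (tos 0x0, ttl 28, id 10175, offset 0, flags [DF], proto TCP (6), length 52) 18.135.227.37.443 > 172.17.29.35.41193: Flags [.], cksum 0xcd79 (correct), seq 2375471224, ack 432893548, win 8, options [nop,nop,TS val 2577574610 ecr 2828825691], length 0
00:00:00.000412 rule 6/0(match): block in on wlan0: (tos 0x0, ttl 28, id 10176, offset 0, flags [DF], proto TCP (6), length 52) 18.135.227.37.443 > 172.17.29.35.41193: Flags [.], length 0
00:00:01.200000 rule 3/0(match): block in on lo0: (tos 0x0, ttl 64, id 7, offset 0, flags [DF], proto TCP (6), length 60) 127.0.0.1.39110 > 127.0.0.1.5432: Flags [S], length 0
00:00:02.000000 rule 9/0(match): pass out on wlan0: (tos 0x0, ttl 64, id 8, offset 0, flags [DF], proto UDP (17), length 60) 172.17.29.35.51000 > 192.0.2.53.53: 1234+ A? example.com. (32)
"""
RULES_SAMPLE = """\
@3 block drop in log on lo0 inet proto tcp from any to 127.0.0.1 port = 5432
  [ Evaluations: 12        Packets: 1         Bytes: 60          States: 0     ]
@6 block drop in log all
@9 pass out log quick all flags S/SA keep state
"""
```

In use, pipe the tcpdump output into `blocked_by_rule` together with the saved `pfctl -vvsr` listing; the `pass` entries are parsed but left out of the count, so what remains is the list of rules actually dropping traffic, with the rule text beside the hit count.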