From: Peter Maxwell <allicient3141@googlemail.com>
To: Maurice, freebsd-pf@freebsd.org
Date: Sat, 6 Feb 2010 00:47:01 +0000
Subject: Re: using pf to NAT with only one NIC
Message-ID: <7731938b1002051647y78be2d0dq56ac8f3c39d993e@mail.gmail.com>
Hi Maurice,

Yes, you can do it without much difficulty and I've got my server set up in that manner: there are about twenty separate jails that can access the internet via specific NAT rules and incoming services handled via RDR rules.

Note: you won't be able to ping from a jail, unless you want to allow your jailed processes to create raw sockets (you don't) :-)

There are probably many ways it can be done, but what I did was something like:

i) create a second loopback interface, lo1 (c.f. cloned interfaces) and assign appropriate alias netblocks for your jails on that interface;

ii) create your pf.conf, set skip on lo0 but not the external or lo1 interface;

iii) I'd set "set state-policy if-bound" so you know what's going on;

iv) don't use the antispoof keyword, it will make a mess in this situation;

v) setting up bind to handle local dns resolution is a good idea - point your jails towards this and you'll need to add in an appropriate rule(s) later on;

vi) set up outgoing nat rules, e.g.

    nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port smtp -> $ext_ip

vii) set up incoming services, e.g.
    rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp

viii) put in pass rules to allow nat out and rdr in; remember NAT is done first, so your outgoing packets ALL have source IP of the external IP now and not the jail IP

    pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
    pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state

ix) allow jail implicit access to itself

    pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail flags S/SA keep state

x) add in rules to allow any interjail communication as needed (remember the incoming/outgoing packets appear the other way round here - use tcpdump to check if in doubt)

If you have any problems, run tcpdump in a separate terminal window to determine what's going on.

Peter

On 5 February 2010 22:53, Maurice wrote:
> Hi,
>
> I have been looking for a couple days now, with no luck, for some direction
> as to whether I can successfully configure my freebsd to NAT with only one
> NIC. This is because I am setting up my system to jail my webserver, and I
> don't think I can get it to work without NATting it. If you have an
> alternate solution that would be great too. This is what my pf.conf looks
> like right now:
>
>
> #       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $
> #       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> block in all
> block out all
>
> ext_if="fxp0"
> #int_if="int0"
> all_if="{fxp0, lo0}"
>
> #Internal network subnet
> int_net="10.0.0.0/32"
>
> #name and IP of webserver
> APACHE="10.0.0.1"
>
> #table persist
>
> set skip on lo
>
> scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #       -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
> block in quick from urpf-failed
>
> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
> rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
> nat on $ext_if from $APACHE to any -> fxp0
>
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> That doesn't seem to be doing the trick, since I can't ping and DNS won't
> resolve anything from within the jail (APACHE). I am going off some examples
> I found that would seem to suggest it is possible with only one NIC, but I
> can't seem to get it to work. Any help/advice would be greatly appreciated.
>
> thanks,
>
> Maurice
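As an added example (not Peter's or Maurice's own configuration), here is one pf.conf that assembles steps i) to x) above for the single web jail Maurice describes, with DNS going to a local resolver on lo1 as step v) suggests; the interface, address and macro names are assumptions, and the rc.conf lines in the header comment are likewise assumed.

```pf
# Added example assembling Peter's steps i-x into one /etc/pf.conf for a
# single-NIC FreeBSD host whose jails sit on aliases of the cloned loopback
# lo1. Not Peter's or Maurice's real config; every name and address below
# is an assumption. Matching /etc/rc.conf lines (assumed):
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
#   ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.255"

ext_if     = "fxp0"
ext_ip     = "192.0.2.10"   # assumed public address of fxp0
int_lo1_if = "lo1"
int_ip_dns = "10.0.0.1"     # local resolver bound on lo1 (step v)
int_ip_web = "10.0.0.2"     # web jail's alias on lo1

set state-policy if-bound   # step iii
set skip on lo0             # step ii: filter fxp0 and lo1, skip only lo0
# step iv: deliberately no antispoof

scrub in on $ext_if all

# step vi: translation runs before filtering, so the pass rules further down
# see $ext_ip, not the jail address, as the source of outbound jail traffic.
nat on $ext_if inet from $int_ip_web to ! $int_lo1_if:network port { 80, 443 } -> $ext_ip

# step vii: publish the jailed web server on the external address
rdr on $ext_if inet proto tcp from any to $ext_ip port 80 -> $int_ip_web port 80

block log all

# step viii: pass rules written against the post-NAT / post-RDR addresses
pass out log on $ext_if proto tcp from $ext_ip to any port { 80, 443 } flags S/SA modulate state
pass in  log on $ext_if proto tcp from any to $int_ip_web port 80 flags S/SA modulate state

# step ix: the jail may talk to itself over lo1
pass log on $int_lo1_if proto tcp from $int_ip_web to $int_ip_web flags S/SA keep state
pass log on $int_lo1_if proto udp from $int_ip_web to $int_ip_web keep state

# step v / x: jail -> local resolver; on lo1 pf sees the same flow leave and
# re-enter, hence no in/out qualifier (confirm with tcpdump -i lo1 if in doubt)
pass log on $int_lo1_if proto tcp from $int_ip_web to $int_ip_dns port 53 flags S/SA keep state
pass log on $int_lo1_if proto udp from $int_ip_web to $int_ip_dns port 53 keep state

# administrative access to the host itself
pass in on $ext_if proto tcp from any to $ext_ip port ssh flags S/SA synproxy state
```

Parse-check it with `pfctl -nf /etc/pf.conf` before loading, and remember Peter's note that ping from inside the jail will still fail because the jail cannot open raw sockets.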