From: David Mehler
Date: Wed, 1 Mar 2017 22:17:53 -0500
Subject: pf and a natted jailed web server
To: freebsd-pf

Hello,

I'm running FreeBSD 10.3 in a VPS. I've got one public IP and am running a jail server using /etc/jail.conf. My problem is I'm trying to pass port 8080 traffic in to the jailed web server, which then goes to port 80, which the jailed web server has a web server listening on. My problem is either the pf nat or rdr is not happy, and I've been on this for several hours and it's running together. To me the configuration looks right.

A separate problem, maybe related, maybe not, is that when I create a new jail and then bring it up, it gets a new IP on lo1, for example 10.0.0.16; in order to allow that jail to the network I have to reload my pf rules. Is this correct behavior?

Any help appreciated. My pf.conf is below.

Thanks.
Dave.
pf.conf:

ext_if="fxp0"
int_if = "lo1"
jailnet = $int_if:network
icmp_types="echoreq"
icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"
synstate ="flags S/SA synproxy state"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"
# Name and IP of jails
webmail="10.0.0.15"
# allowed traffic
tcp_services="{bootpc, bootps, ftp-data, ftp, ssh, domain, smtp, http, https, imap, imaps, 3690, 7, 2703, 587}"
udp_services="{bootpc, bootps, domain, ntp, 3690, 6277, 24441}"
# Options
set block-policy return
set skip on lo0
set skip on lo1
scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440
# NAT
nat on $ext_if inet from $jailnet to any -> ($ext_if)
# Redirect any packets requesting port 8080 or 4430 to jailed webserver
rdr pass on $ext_if inet proto tcp from any to any port 8080 -> $webmail port http
# Tables
table <bruteforce> persist file "/etc/pf/bruteforce"
# Pass anything on the lo* interfaces
pass quick on lo0 all
pass quick on lo1 all
# Block by default
block all
# Explicitly block unroutable addresses
antispoof quick for ($ext_if)
# Explicitly block anything in the bruteforce table
block quick from <bruteforce>
# Pass out only the desired ports from host and jails
pass quick proto tcp from {self} to port $tcp_services keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto tcp from $jailnet to port $tcp_services keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto {tcp, udp} from {self} to port $udp_services keep state
pass quick proto {tcp, udp} from $jailnet to port $udp_services keep state
# allow ping
pass inet proto icmp icmp-type $icmp_types keep state
# Traceroute
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp to port 33433:33626 # For IPv4
# allow https traffic out from the jails
pass out proto tcp from $jailnet port https to any keep state
# Allow ssh connections in from the internet
pass in proto tcp from any to $ext_if port ssh keep state
# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 keep state
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 keep state
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 keep state
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 keep state
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 keep state
# Pass in port 8080 to the jailed web server
#pass in inet proto tcp to $webmail port 80 keep state
# IPv6
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
pass quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if), ff02::/16 } icmp6-type $icmp6_types_ext_if keep state
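The ruleset below is an added example, not the pf.conf from the post, written to show the pattern the question is about: one public address on fxp0, jails on lo1, and a redirect of public port 8080 to the web jail's port 80. It assumes the jails sit in 10.0.0.0/24 (an assumption) and that 10.0.0.15 is the web jail with httpd on port 80 (taken from the post). Two pf behaviours that matter here are called out in the comments. First, on the pf in FreeBSD 10.x translation is done before filtering, so filter rules match the packet as it looks after nat/rdr: after rdr the destination is the jail address and port 80, and after nat the source of jail traffic is the public address. Second, `$int_if:network` is resolved once when the ruleset is loaded, so an address added to lo1 later is not covered until a reload; a fixed prefix, or `($int_if:network)` in parentheses, avoids that. The post's `rdr pass` hands redirected packets through without consulting the filter rules; the example uses plain `rdr` with an explicit pass rule so the connection limits and the overload table also cover the jail's web port.

```pf
# Added example, not the pf.conf from the post. One public IP on fxp0,
# jails on lo1. Assumptions not in the post: jails use 10.0.0.0/24.
ext_if  = "fxp0"
int_if  = "lo1"
jailnet = "10.0.0.0/24"   # fixed prefix; "$int_if:network" is resolved once
                          # at load time, hence the reload after adding a jail
webmail = "10.0.0.15"     # web jail, httpd on port 80

table <bruteforce> persist file "/etc/pf/bruteforce"

set block-policy return
set skip on lo0
set skip on $int_if
scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440

# Translation runs BEFORE filtering on this pf, so every filter rule below
# sees the packet as it looks after nat/rdr.

# Outbound: jail source becomes the public address; (ext_if) follows it
nat on $ext_if inet from $jailnet to any -> ($ext_if)

# Inbound: public:8080 becomes jail:80. Plain "rdr" (no "pass") so the
# redirected packet must still match a filter rule and its limits.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 -> $webmail port http

block log all                   # "log" makes the drops visible on pflog0
antispoof quick for ($ext_if)
block quick from <bruteforce>

# After rdr the destination is the jail IP and port 80, so match on that;
# a rule written "to $ext_if port 8080" never sees the redirected packet.
pass in on $ext_if inet proto tcp to $webmail port http flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Host services reached at the public address
pass in on $ext_if inet proto tcp to ($ext_if) port { ssh, smtp, submission, http, https, imaps } \
    flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# After nat the source of jail traffic is ($ext_if), so one outbound rule
# covers host and jails; "pass out ... from $jailnet" on $ext_if would not match.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { domain, http, https, smtp } flags S/SA keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port { domain, ntp } keep state
pass out on $ext_if inet proto icmp from ($ext_if) icmp-type echoreq keep state
```

To check a ruleset like this without loading it, run `pfctl -nf /etc/pf.conf`; after `pfctl -f /etc/pf.conf`, `pfctl -sn` lists the nat/rdr rules as pf parsed them, `pfctl -ss` shows the state entries (a working redirect appears there with the jail address as the translated destination), and `tcpdump -n -e -ttt -i pflog0` shows which rule is dropping a connection once `block log` is in place.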