Date: Sat, 11 Apr 2015 14:30:26 +0200
From: michael@familie-keil.de
To: freebsd-pf@freebsd.org
Subject: Re: Freebsd jail block out in lo1 while connecting back on ext_if
Message-ID: <1d7343ce9ad936f2b3a00a26c68fd095@familie-keil.de>
In-Reply-To: <a6a75f553f38f25f3da59fef92c7397c@familie-keil.de>
References: <a6a75f553f38f25f3da59fef92c7397c@familie-keil.de>
After some additional research on pf and reading Peter Hansteen's "The Book of PF", I was able to solve this issue by myself. Peter's book is worth each and every cent and a remarkable source of knowledge. The root cause for my issue was an incomplete nat/rdr setup along with a too optimistic "skip on lo". So if someone comes across this post and has trouble with NAT setup and FreeBSD jails on a cloned lo0 interface, please feel free to give some deeper thought to the following solution. Please remember to tighten your rules. "from any" in the first inbound rdrs isn't a good idea. Maybe you want to block out fail2ban and bruteforce issues.

ext_if = "re0"
jail_if = "{ lo1, lo0 }"
jail_net = "10.100.0.0/24"
jail_web_adr = "10.100.0.1"
jail_web_ports = "{ http, https }"
jail_mail_adr = "10.100.0.2"
jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps, submission }"

nat on $ext_if from $jail_net to any -> ($ext_if)
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_mail_ports -> $jail_mail_adr

no nat log on $jail_if proto tcp from $jail_net
nat log on $jail_if proto tcp from $jail_web_adr to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_web_ports -> $jail_web_adr
nat log on $jail_if proto tcp from $jail_mail_adr to ($ext_if) port $jail_mail_ports -> $jail_mail_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_mail_ports -> $jail_mail_adr

---
Cheers
Michael
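A tightened variant of the rules above, as an added example that is not part of Michael's post: it keeps his macros and rdr rules but drops the "pass" from the rdr rules so explicit filter rules apply, and those filter rules feed a <bruteforce> table that a fail2ban action can also add to. The table name and the rate limits are assumptions; the nat rules on $jail_if are left out because they rewrite each jail's source address to itself.

```pf
# Added example, not from the original post. Macros and rdr rules are
# Michael's; the <bruteforce> table and the rate limits are assumptions.
ext_if = "re0"
jail_if = "{ lo1, lo0 }"
jail_net = "10.100.0.0/24"
jail_web_adr = "10.100.0.1"
jail_web_ports = "{ http, https }"
jail_mail_adr = "10.100.0.2"
jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps, submission }"

# Sources that exceeded the rate limits below. A fail2ban action can add to
# the same table with: pfctl -t bruteforce -T add <address>
table <bruteforce> persist

# Translation rules come first; rdr without "pass" so that the filter rules
# further down still apply to the redirected connections.
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr on $ext_if proto tcp from any to ($ext_if) port $jail_mail_ports -> $jail_mail_adr
# Reflection: jails reaching the public services via the external address
rdr on $jail_if proto tcp from $jail_net to $ext_if port $jail_web_ports -> $jail_web_adr
rdr on $jail_if proto tcp from $jail_net to $ext_if port $jail_mail_ports -> $jail_mail_adr

# Filter rules see the translated (jail) destination address.
block in on $ext_if
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to $jail_web_adr port $jail_web_ports \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass in on $ext_if proto tcp to $jail_mail_adr port $jail_mail_ports \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass out on $ext_if keep state
pass on $jail_if
```

Check the file with pfctl -nf /etc/pf.conf before loading it; pfctl -t bruteforce -T show lists the sources the overload rule has caught.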