Date: Mon, 8 Feb 2010 11:15:24 -0700
From: Maurice <mauduro@gmail.com>
To: jhell <jhell@dataix.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: using pf to NAT with only one NIC
Message-ID: <d3e0b6a01002081015i820069fo7dc95f6eea05da99@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1002052354540.50033@pragry.qngnvk.ybpny>
References: <d3e0b6a01002051453o377d6e45p3b3991552f37310c@mail.gmail.com> <7731938b1002051647y78be2d0dq56ac8f3c39d993e@mail.gmail.com> <alpine.BSF.2.00.1002052354540.50033@pragry.qngnvk.ybpny>
On Fri, Feb 5, 2010 at 10:09 PM, jhell <jhell@dataix.net> wrote:
>
> On Fri, 5 Feb 2010 19:47, peter@ wrote:
>
>> Hi Maurice,
>>
>> Yes, you can do it without much difficulty and I've got my server
>> setup in that manner: there's about twenty separate jails that can
>> access the internet via specific NAT rules and incoming services
>> handled via RDR rules. Note: you won't be able to ping from a jail,
>> unless you want to allow your jailed processes to create raw sockets
>> (you don't) :-)
>>
>> There's probably many ways it can be done, but what I did was something
>> like:
>>
>> i) create a second loopback interface, lo1 (c.f. cloned interfaces)
>> and assign appropriate alias netblocks for your jails on that
>> interface;
>>
>> ii) create your pf.conf, set skip on lo0 but not the external or lo1
>> interface;
>>
>> iii) I'd set "set state-policy if-bound" so you know what's going on;
>>
>> iv) don't use the antispoof keyword, it will make a mess in this
>> situation;
>>
>> v) setting up bind to handle local dns resolution is a good idea -
>> point your jails towards this and you'll need to add in an appropriate
>> rule(s) later on;
>>
>> vi) setup outgoing nat rules, e.g.
>>
>> nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port
>> smtp -> $ext_ip
>>
>> vii) setup incoming services, e.g.
>>
>> rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail
>> port smtp
>>
>> viii) put in pass rules to allow nat out and rdr in; remember NAT is
>> done first, so your outgoing packets ALL have source IP of the
>> external IP now and not the jail IP
>>
>> pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags
>> S/SA modulate state
>> pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp
>> flags S/SA modulate state
>>
>> ix) allow jail implicit access to itself
>>
>> pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to
>> $int_ip_mail flags S/SA keep state
>>
>> x) add in rules to allow any interjail communication as needed
>> (remember the incoming/outgoing packets appear the other way round
>> here - use tcpdump to check if in doubt)
>>
>> If you have any problems, run tcpdump in a separate terminal window to
>> determine what's going on.
>>
>> Peter
>>
>> On 5 February 2010 22:53, Maurice <mauduro@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have been looking for a couple days now, with no luck, for some
>>> direction as to whether I can successfully configure my freebsd to NAT
>>> with only one NIC. This is because I am setting up my system to jail my
>>> webserver, and I don't think I can get it to work without NATting it. If
>>> you have an alternate solution that would be great too. This is what my
>>> pf.conf looks like right now:
>>>
>>> # $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $
>>> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
>>> #
>>> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
>>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>>
>>> block in all
>>> block out all
>>>
>>> ext_if="fxp0"
>>> #int_if="int0"
>>> all_if="{fxp0, lo0}"
>>>
>>> #Internal network subnet
>>> int_net="10.0.0.0/32"
>>>
>>> #name and IP of webserver
>>> APACHE="10.0.0.1"
>>>
>>> #table <spamd-white> persist
>>>
>>> set skip on lo
>>>
>>> scrub in
>>>
>>> #nat-anchor "ftp-proxy/*"
>>> #rdr-anchor "ftp-proxy/*"
>>> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
>>> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>>> #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
>>> #rdr pass on $ext_if proto tcp from any to any port smtp \
>>> #    -> 127.0.0.1 port spamd
>>>
>>> #anchor "ftp-proxy/*"
>>> #pass out
>>>
>>> #pass quick on $int_if no state
>>> #antispoof quick for { lo $int_if }
>>> block in quick from urpf-failed
>>>
>>> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
>>> rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
>>> nat on $ext_if from $APACHE to any -> fxp0
>>>
>
> Your placement of nat and redirect rules is a little bit worrisome.
> pf.conf as stated by its manual page is ordered (see following)
>
> # [Macros]        i.e. variable=lo1
> # [Options]       i.e. set etc.. etc..
> # [Normalization] i.e. scrub
> # [Queuing]       i.e. ALTQ
> # [Translation]   i.e. NAT RDR etc...
> # [Filtering]     i.e. pass & block rules
>
> Beware that there is quite the change for rule-sets ahead if the newer
> version of pf that is in the works for OpenBSD ever makes it downstream to
> FreeBSD.
>
> I personally do not know if the way you have your rule-set configured would
> cause any havoc with NAT since you have it mingled between filtering rules
> but it would be good practice to stick to what's already drawn in the manual
> page.
>
> Best of luck.
>
>>> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
>>> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>>>
>>> That doesn't seem to be doing the trick, since I can't ping and DNS won't
>>> resolve anything from within the jail (APACHE). I am going off some
>>> examples I found that would seem to suggest it is possible with only one
>>> NIC, but I can't seem to get it to work. Any help/advice would be greatly
>>> appreciated.
>>>
>>> thanks,
>>>
>>> Maurice
>>>
>>
>>
> --
>
> jhell
>

Thank you for your instructions, gentlemen. I will do my best to follow
them. This is my first stab at setting up a UNIX box, so thank you for
your patience as well!

regards,
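A complete pf.conf that carries Peter's steps i) to x) through in the section order jhell quotes from pf.conf(5). This is an added example for this archive page, not a configuration posted by Peter, jhell or Maurice; the interface name fxp0, the public address 203.0.113.10, the 10.0.0.0/24 jail network and the jail and resolver addresses are assumptions chosen for illustration, and the rc.conf lines in the header comment are the usual FreeBSD way of doing step i).

```conf
# Added example pf.conf for a single-NIC host with jails on a cloned loopback.
# Not a configuration posted in this thread; it follows Peter's steps i) to x)
# and the section order jhell quotes from pf.conf(5). All names and addresses
# below are assumptions for illustration.
#
# Step i) is done outside pf, in /etc/rc.conf (assumed addresses):
#   cloned_interfaces="lo1"
#   ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.255"   # mail jail
#   ifconfig_lo1_alias1="inet 10.0.0.3 netmask 255.255.255.255"   # web jail
#   ifconfig_lo1_alias2="inet 10.0.0.1 netmask 255.255.255.255"   # local resolver

# [Macros]
ext_if      = "fxp0"            # the only physical NIC (assumed name)
int_lo1_if  = "lo1"             # cloned loopback carrying the jail aliases
ext_ip      = "203.0.113.10"    # public address on $ext_if (assumed, documentation range)
int_net     = "10.0.0.0/24"     # network the lo1 aliases are taken from (assumed)
int_ip_mail = "10.0.0.2"        # mail jail (assumed)
int_ip_web  = "10.0.0.3"        # web jail (assumed)
int_ip_dns  = "10.0.0.1"        # local resolver from step v) (assumed)

# [Options]
set skip on lo0                 # step ii): skip lo0 only; $ext_if and lo1 are filtered
set state-policy if-bound       # step iii): a state belongs to the interface that created it

# [Normalization]
scrub in on $ext_if

# [Translation]  (NAT and RDR are applied before the filter rules, step viii)
# step vi): outbound NAT per jail and service; traffic staying on the lo1 network is excluded
nat on $ext_if inet from $int_ip_mail to ! $int_net port smtp            -> $ext_ip
nat on $ext_if inet from $int_ip_web  to ! $int_net port { http, https } -> $ext_ip
nat on $ext_if inet from $int_ip_dns  to ! $int_net port domain          -> $ext_ip
# step vii): inbound services handed to the jails
rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp
rdr on $ext_if proto tcp from any to $ext_ip port http -> $int_ip_web  port http

# [Filtering]
block in  log all
block out log all
# step iv): no antispoof rule here; it would reject the lo1 aliases

# admin access to the host itself
pass in on $ext_if proto tcp from any to $ext_ip port ssh flags S/SA synproxy state

# step viii): pass rules must match the post-translation addresses:
# outbound source is $ext_ip, inbound destination is the jail address
pass out log on $ext_if proto tcp from $ext_ip to any port smtp            flags S/SA modulate state
pass out log on $ext_if proto tcp from $ext_ip to any port { http, https } flags S/SA modulate state
pass out log on $ext_if proto { tcp, udp } from $ext_ip to any port domain keep state
pass in  log on $ext_if proto tcp from any to $int_ip_mail port smtp       flags S/SA modulate state
pass in  log on $ext_if proto tcp from any to $int_ip_web  port http       flags S/SA modulate state

# step ix): each jail may talk to itself on lo1 (no direction given, so both sides of the loopback match)
pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail keep state
pass log on $int_lo1_if proto { udp, tcp } from $int_ip_web  to $int_ip_web  keep state

# steps v) and x): the only inter-jail traffic allowed is DNS to the local resolver
pass log on $int_lo1_if proto { udp, tcp } from { $int_ip_mail, $int_ip_web } to $int_ip_dns port domain keep state
```

Load it only after `pfctl -nf /etc/pf.conf` parses it cleanly. The `pass` rules are written against the translated addresses on purpose: with `set state-policy if-bound`, a state created on fxp0 will not match packets on lo1, so a missing rule shows up as a block in `pflog` on one specific interface rather than as a silently half-working connection. As Peter suggests, running tcpdump on fxp0 and on lo1 at the same time confirms that a packet leaving the jail carries $ext_ip once it reaches fxp0, and that on lo1 the in and out directions are reversed from what the jail sees.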