Date: Sun, 18 Dec 2016 16:33:13 +0300
From: Beeblebrox <zaphod@berentweb.com>
To: freebsd-pf@freebsd.org
Subject: PF TAGged jail traffic fails pass rule on egress
Message-ID: <20161218163313.01fbc51e@rsbsd.rsb>
In-Reply-To: <20161207171021.607579ea@rsbsd.rsb>
References: <20161207171021.607579ea@rsbsd.rsb>
Ian - thanks for the answer. I already have pflog enabled on wan0 (egress), but nothing of value there. After your idea re "no actual packets on lo2" I ran tcpdump on that interface; indeed no traffic shows up.

I moved the jails to a new vlan1 with /24 subnet, with x.x.0.1 empty and jails starting from x.x.0.2/32. This obviously facilitates NAT from pf in that NAT is now not needed for inter-jail communication. However, nothing changes for the greater problem of packet tagging as "tcpdump -i vlan1" shows no packet traversal, as was the case on lo2. I also realised that since pf.conf has:

nat on wan0 from !(wan0) to any -> wan0

attempts to tag packets post-NAT are useless because the source IP (jail) has been replaced by the IP of wan0. This seems to leave me with limited choices:
1. NAT & TAG each jail separately (ie: nat pass on wan0 from $jdns to any tag TD -> wan0)
2. Use a single tag for all packets leaving vlan1 so as to simplify the nat rules

Neither of which offers a satisfactory configuration because of other complications each solution causes. As a reminder: the ultimate goal is to allow only pre-defined port traffic per jail. I can't find a simpler way than TAGGING to accomplish this.

PS: I've also found that the OpenBSD syntax "!(tagged )" is not recognised on FreeBSD...

Thanks & Regards
--
FreeBSD_amd64_11-Stable_RadeonKMS
Please CC my email when responding, mail from list is not delivered.
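The per-jail "NAT & TAG" option from the message above, written out as a complete pf.conf fragment. This is an added example, not configuration from the original post or from the poster's system; interface names, jail addresses, tag names and the allowed ports are assumptions. One detail worth noting: the post's sketch uses "nat pass", but in FreeBSD pf a translation rule with the pass modifier hands the packet through without evaluating the filter rules at all, so the tag would never reach a pass/block rule. The example therefore uses plain "nat" so the tagged, already-translated packet is still filtered on egress.

```pf
# Added example (not from the original post). Per-jail NAT with a tag set in
# the translation rule, so egress filtering on wan0 can still tell jails apart
# after source NAT has rewritten the source address.
ext_if  = "wan0"         # egress interface, as in the thread
jail_if = "vlan1"        # jail network, as in the thread
jdns    = "10.0.0.2"     # assumed address of a resolver jail
jweb    = "10.0.0.3"     # assumed address of a web-client jail

# Translation rules run before filter rules; the tag survives translation.
# No "pass" modifier here: with it, pf would skip the filter rules entirely.
nat on $ext_if from $jdns to any tag JDNS -> ($ext_if)
nat on $ext_if from $jweb to any tag JWEB -> ($ext_if)

# Default-deny egress; "log" sends the drops to pflog0 so they can be watched.
block out log on $ext_if

# Per-jail allow-lists keyed on the tag, not on the (already rewritten) source.
# Last matching rule wins, so these override the block above only for
# traffic carrying the right tag and using the permitted protocol/port.
pass out on $ext_if proto { tcp, udp } to any port 53 tagged JDNS keep state
pass out on $ext_if proto tcp to any port { 80, 443 } tagged JWEB keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch what the default-deny rule rejects with `tcpdump -n -e -ttt -i pflog0`; a jail whose traffic shows up there with the expected tag but an unexpected port is behaving outside its allow-list, which is exactly the condition this layout is meant to surface.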