Date:      Sat, 21 Dec 2013 23:35:50 +0800
From:      Carsten Larsen <csf@innolan.dk>
To:        Beeblebrox <zaphod@berentweb.com>, freebsd-pf@freebsd.org
Subject:   Re: NAT & RDR rules for jailed proxy services
Message-ID:  <52B5B556.3070209@innolan.dk>
In-Reply-To: <1387553794487-5870320.post@n5.nabble.com>
References:  <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com>

Hi again,

Beeblebrox wrote:
> I had some dificulty understanding the packet flow logic in your
> explanation, so forgive me for asking once more. As an example from what you
> indicated does this ruleset do the job?
>
> # Begin NAT & RDR rules
> # For the privoxy jail
>   nat pass in quick on $JailIf from !$JailIf to $JailIf port 8118 tag NAT_PRVX -> $j_privoxy port 8118
>   nat pass out quick on $JailIf from $j_privoxy to !$JailIf port 8118 tag NAT_PRVX -> $JailIf port 80
NAT is only for outbound rules. Use rdr rules for inbound traffic.

Here is a rewrite: Allow traffic from DNS jail to leave on external 
interface. All ports open outbound. Reserve ports on external interface 
below 10000 for inbound traffic.
# dynamic interface address is written ($ExtIf); "$(" is not pf macro syntax
nat on $ExtIf from $j_dns to !($ExtIf) tag NAT_DNS_JAIL -> ($ExtIf) port 10000:65535

That's it. The rest is to allow routing between jails and maybe local 
networks. NAT is only needed for traffic leaving on the external interface.

If you need to serve incoming traffic arriving on the external interface 
then use the rdr rules.

>
> # For the unbound jail, there's a problem. Other jailed IP's on $JailIf will
> want a DNS server they can query.
>   nat pass in quick on $JailIf proto {tcp,udp} from any to $j_dns port domain tag NAT_DNS -> $j_dns
>   nat pass out quick on $JailIf proto {tcp,udp} from $j_dns to $ExtIf port domain tag NAT_PRVX -> $ExtIf
>
> # Lastly
> nat on $ExtIf from any to !($ExtIf) -> ($ExtIf)
>

Lastly should be filter rules. Example:
block on $ExtIf
# Allow all traffic, regardless of source and destination port, originating
# from the dns jail
pass quick on $ExtIf inet tagged NAT_DNS_JAIL

# Allow all traffic originating from the host
pass quick on $ExtIf

...

Also add scrub to ensure no packet fragmentation. This is needed for pf 
to work.

> It looks to me like it still does not quite make complete sense.
>
> Thanks for your time.
>
> -----
> FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
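A complete pf.conf sketch that puts together the points made in this reply (nat for traffic leaving the external interface, rdr for traffic arriving on it, scrub ahead of translation, and tag/tagged to tie the filter rules to the translation rules). This is an added example, not rules posted in the thread; the interface names, jail addresses and the trusted client network are assumptions.

```conf
# Added example, not rules from the thread. Interface names, jail addresses
# and the trusted client network are assumed values.
ext_if    = "em0"           # external interface (assumed)
jail_if   = "lo1"           # cloned loopback the jails live on (assumed)
j_privoxy = "10.0.0.2"      # privoxy jail address (assumed)
j_dns     = "10.0.0.3"      # unbound jail address (assumed)
trusted   = "192.0.2.0/24"  # only these clients may reach the proxy (assumed)

# The host must route for the jails: net.inet.ip.forwarding=1
# (gateway_enable="YES" in rc.conf).
set skip on lo0

# Normalization comes before the translation rules: reassemble fragments
# so nat/rdr and the filter rules see whole packets.
scrub in all

# --- Translation ---
# Outbound from the DNS jail, leaving on $ext_if. Source ports are rewritten
# into 10000-65535 so ports below 10000 on $ext_if stay free for rdr'd
# inbound services.
nat on $ext_if from $j_dns to !($ext_if) tag NAT_DNS_JAIL -> ($ext_if) port 10000:65535

# Inbound to the privoxy jail: rdr, not nat. Restrict the source to the
# trusted network; "from any" would turn the jail into an open proxy.
rdr on $ext_if proto tcp from $trusted to ($ext_if) port 8118 tag RDR_PRIVOXY -> $j_privoxy port 8118

# --- Filter (stateful by default on FreeBSD pf) ---
block log on $ext_if
# Tags set by the translation rules select the matching pass rules
pass quick on $ext_if inet tagged NAT_DNS_JAIL
pass in quick on $ext_if inet proto tcp tagged RDR_PRIVOXY
# Traffic the host itself originates
pass out quick on $ext_if

# Jail-to-jail traffic on the internal interface needs routing only, no
# translation; other jails reach the unbound jail on port 53 this way.
pass quick on $jail_if

# Parse without loading:   pfctl -nf /etc/pf.conf
# Inspect what is loaded:  pfctl -s nat ; pfctl -s rules
```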