Date:      Sat, 21 Jan 2012 19:34:06 +1100
From:      other@ahhyes.net
To:        <freebsd-jail@freebsd.org>
Subject:   nat + pf, network weirdness
Message-ID:  <ccb513567c50edc1c35dbe53cc9ff804@ahhyes.net>

Hi Guys,

I am running 9.0-RELEASE on my VPS. I decided to jail a bunch of 
services that are public facing in an effort to improve security.

Firstly a breakdown of how things are setup:

srv# ifconfig
pflog0: flags=0<> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1500
         syncpeer: 0.0.0.0 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
         options=3<RXCSUM,TXCSUM>
         inet 127.0.0.1 netmask 0xff000000
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=503<RXCSUM,TXCSUM,TSO4,LRO>
         ether 00:16:3e:85:8a:12
         inet 109.IP.IP.IP netmask 0xffffff00 broadcast 109.169.82.255
         media: Ethernet manual
         status: active
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
         options=3<RXCSUM,TXCSUM>
         inet 10.1.1.IP netmask 0xffffff00
         inet 10.1.1.IP netmask 0xffffffff
         inet 10.1.1.IP netmask 0xffffffff
         inet 10.1.1.IP netmask 0xffffffff

srv# jls
    JID  IP Address      Hostname                      Path
      1  10.1.1.IP       www.mydomain.net              /somepath/jails/www
      2  10.1.1.IP       sql.mydomain.net              /somepath/jails/db
      3  10.1.1.IP       ns.mydomain.net               /somepath/jails/ns
      5  10.1.1.IP       mail.mydomain.net             /somepath/jails/mail

Interface xn0 is my public facing interface, with my public IP.

Everything appears to work as it should, I have a PF running on the 
host with a default deny all policy. I have the following NAT rule in my 
pf.conf:

nat on xn0 from 10.1.1.0/24 to any -> (xn0)

This allows my jails to reach the outside world, and I have a bunch of 
port redirects to direct inbound traffic to the appropriate jail.

The issue:

There seems to be no ability to firewall the traffic between jails 
whilst the NAT rule is in place. For example, I can log into my jail for 
"ns" and telnet port 3306 on the jail for SQL and connect freely. If I 
remove the nat rule from PF, the jails cannot talk to each other over 
the network, which is what I expect because I have not specified any 
filter rules on my pf.conf to allow the traffic. According to the PF 
manual, the filter rules should still get run after the NAT translation 
takes place, but it does not. With NAT running, I can put a deny all 
from 10.1.1.0/24 as my very first filter rule and it will do nothing at 
all. I am unable to determine what the issue is as I cannot even run 
tcpdump -i lo1 on the host as it appears there is no traffic at all on 
that interface??? I have a suspicion that the NAT translation is causing 
traffic to hit a rule in PF that allows it to pass, but I cannot confirm 
this as I have no ability to see what's flowing over the lo1 interface, 
it's apparently silent (bull)...

Any ideas? I really want to lock down the communication the jails have.

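Added example, not from the poster or from the FreeBSD project: a pf.conf that keeps the nat rule quoted in the message but filters jail-to-jail traffic explicitly. The interface names (xn0, lo1, lo0) and the nat rule are the ones from the post; the jail addresses 10.1.1.2 through 10.1.1.5, the port-80 redirect and the specific allowed flows are assumptions for illustration. The check it relies on: on FreeBSD, packets between two addresses configured on the same host are delivered over lo0 regardless of which interface carries the alias (route get 10.1.1.3 reports "interface: lo0"), so a "set skip on lo0" line exempts all jail-to-jail traffic from filtering and tcpdump on lo1 sees nothing.

```pf
# Added example (not the poster's pf.conf). Interface names and the nat
# rule follow the post; jail addresses and allowed flows are assumed.
ext_if   = "xn0"
jail_net = "10.1.1.0/24"
www  = "10.1.1.2"
db   = "10.1.1.3"
ns   = "10.1.1.4"
mail = "10.1.1.5"

# Deliberately no "set skip on lo0": jail-to-jail packets travel over lo0,
# not lo1, so skipping lo0 would bypass every filter rule below for them.

scrub in all

# Outbound NAT for the jails, exactly as in the post. Translation happens
# before filtering, so the filter rules below see the translated packet
# (source = xn0's address on the way out, destination = jail IP on the way in).
nat on $ext_if from $jail_net to any -> ($ext_if)

# Assumed inbound redirect: public port 80 -> www jail
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www port 80

# Default deny, logged to pflog0
block log all

# Host's own loopback traffic
pass quick on lo0 from 127.0.0.1 to 127.0.0.1

# Jail-to-jail traffic on lo0: only the named flows; everything else
# (including ns -> sql:3306 from the post) falls through to "block log all"
pass quick on lo0 proto tcp from $www  to $db port 3306 flags S/SA keep state
pass quick on lo0 proto tcp from $mail to $db port 3306 flags S/SA keep state
pass quick on lo0 proto { tcp udp } from $jail_net to $ns port 53 keep state

# Jails to the Internet: already translated, so match on the public address
pass out quick on $ext_if from ($ext_if) to any keep state

# Internet to the www jail: already redirected, so match on the jail address
pass in quick on $ext_if proto tcp from any to $www port 80 flags S/SA keep state
```

To confirm the rules are actually evaluated, watch the per-rule counters with pfctl -vvsr while connecting from one jail to another, capture the traffic with tcpdump -ni lo0 net 10.1.1.0/24 (not lo1), and read the logged drops with tcpdump -nettti pflog0.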