Date: Mon, 16 Aug 2021 22:41:21 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Jails: pf blocks access to localhost of host system
Message-ID: <d28be669-30d8-89b9-3035-899084d3c148@FreeBSD.org>
In-Reply-To: <8f6aa4f4-f361-e6eb-985b-291b7be631e0@kicp.uchicago.edu>
References: <8f6aa4f4-f361-e6eb-985b-291b7be631e0@kicp.uchicago.edu>
On 16/08/2021 22:31, Valeri Galtsev wrote:
> Dear Experts in pf and jails.
>
> I am a recent refugee to pf from ipfw, which I was happily using for a
> decade (why is a different story). I seem to be able to configure all I
> need from pf, except one thing, which is jail access to localhost of the
> host system.
>
> I configure jails "by the book" (i.e. the FreeBSD handbook); I do not use any
> scripts facilitating the process, which is simple enough for me. My jail
> configuration is like the following:
>
> # cat /etc/jail.conf
>
> jailname {
>     host.hostname = "hostname.domainname";
>     ip4.addr = X.Y.Z.W; # address on public address space
>     devfs_ruleset=7;  // integer number of devfsrules_jail_bpf ruleset
>                       // in /etc/devfs.rules
>     persist;          // Required because there are no processes
>     exec.start = "/etc/rc.d/cron start; /etc/rc.d/syslogd start;
> /usr/local/etc/rc.d/apache24 start";
>     exec.stop = "/usr/local/etc/rc.d/apache24 stop; /etc/rc.d/syslogd
> stop; /etc/rc.d/cron stop";
> }
>
> As you see, there is no lo0 configured in the jail. (I do have lo0
> configured in jails on some machines, but I do not feel it necessary in
> this case.) Now if a script from apache in that jail connects to port 25 on
> localhost to send email, the connection goes to the postfix I run on the host
> system.
>
> While I was using ipfw, having the rule allowing all traffic on lo0 to
> pass (I figure) at the top of the rules did the trick. I cannot achieve the
> same with pf. Searching on the web didn't help either.
>
> Here is my pf.conf, simplified to the necessary minimum for debugging:
>
>
> # cat /etc/pf.conf
> ##################### BEGIN
> # macro name(s) for external interface(s).
> ext_if = "bce0"
> int_if = "bce1"
>
> services = "{ 80 443 3306 5432 9102 }"
>
> icmp_types = "{ echoreq unreach }"
>
> # set a default deny everything policy.
> block all
>
> # Allow all traffic on trusted interfaces
> pass quick from { lo0 $int_if } to any keep state
>
> # keep state on any outbound tcp, udp or icmp traffic.
> # modulate the isn of
> # outgoing packets. (initial sequence number) broken operating systems
> # sometimes don't randomize this number, making it guessable.
> pass out on $ext_if proto { tcp, udp, icmp } from any to any \
>     modulate state
>
> # set a rule that allows inbound ssh traffic
> pass in on $ext_if proto tcp to port { 22 } \
>     keep state
>
> # On workstation we will pass all outgoing traffic
> pass out all keep state
>
> #  We pass what comes to our services (but DHCP taken care of above)
> pass in on $ext_if proto { tcp udp } to port $services
>
> # and icmp types we want
> pass inet proto icmp icmp-type $icmp_types
>
> ##################### END
>
>
> If I am inside the jail the command
>
> telnet localhost 25
>
> successfully connects to the postfix run on the host system. When I enable pf
> with rules as above, the same connection from inside the jail just hangs.
>
> I was assuming the rule:
>
> pass quick from { lo0 $int_if } to any keep state
>
> would do the trick, but no, the connection from inside the jail to the host
> system's localhost port 25 is blocked by pf.
>
>
> Can someone give me any pointers for this particular case?
>
> Thanks a lot in advance for your pointers!
>
> Valeri
>
>
> PS I know I can do the following and it will work: configure lo0 in the
> jail (splitting part of 127.0.0.0/8 away from the host to the guest/jail) and
> run postfix in the jail. But being able to tell pf what I want it to [not]
> do would be preferable.
>

Try:

set skip on { lo0 $int_if }

(and delete any filtering rules on lo0 or $int_if) which says to pf not to touch any packets traversing those interfaces.

Cheers,

Matthew
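As an added illustration (not part of either message in the thread), here is Valeri's trimmed pf.conf with Matthew's `set skip` suggestion applied. The interface macros, service list and ICMP types are taken from the quoted configuration; the assumption is that bce1 really faces a fully trusted network, because `set skip` exempts an interface from pf completely, so nothing arriving on it is filtered, state-tracked or logged.

```pf
# Added example, not from the thread: Valeri's pf.conf with the
# 'pass quick from { lo0 $int_if }' rule replaced by 'set skip'.
ext_if = "bce0"
int_if = "bce1"

services   = "{ 80 443 3306 5432 9102 }"
icmp_types = "{ echoreq unreach }"

# Options belong before the filter rules.  'set skip' removes the named
# interfaces from pf entirely.  A jail with no lo0 of its own that
# connects to "localhost" still has the packet delivered locally over
# the host's lo0, so lo0 is the interface that must be exempted.
# Assumption: bce1 (int_if) is fully trusted.
set skip on { lo0 $int_if }

# Default deny for everything pf still inspects, i.e. traffic on $ext_if.
block all

# Outbound from the host, stateful; 'modulate state' rewrites the ISN.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

# Inbound ssh and the published services.
pass in on $ext_if proto tcp to port { 22 } keep state
pass in on $ext_if proto { tcp udp } to port $services keep state

# The icmp types we want.
pass in on $ext_if inet proto icmp icmp-type $icmp_types keep state
```

Two things worth knowing when applying this. First, an interface name used in an address position (`from { lo0 $int_if }`) expands to that interface's addresses, such as 127.0.0.1 for lo0, not to "packets seen on that interface"; matching by interface is what `on` does, which is why the original pass rule did not catch a jail's locally delivered traffic. Second, check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the exemption with `pfctl -sI -v`, which lists the interfaces pf knows about and marks the skipped ones with `(skip)`.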
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d28be669-30d8-89b9-3035-899084d3c148>