nat + pf, network weirdness
Виталий Владимирович
artemrts at ukr.net
Sat Jan 21 14:33:33 UTC 2012
--- Original message ---
From: other at ahhyes.net
To: freebsd-jail at freebsd.org
Date: 21 January 2012, 10:57:48
Subject: nat + pf, network weirdness
> Hi Guys,
>
> I am running 9.0-RELEASE on my VPS. I decided to jail a bunch of
> services that are public facing in an effort to improve security.
>
> Firstly a breakdown of how things are setup:
>
> srv# ifconfig
> pflog0: flags=0<> metric 0 mtu 33152
> pfsync0: flags=0<> metric 0 mtu 1500
> syncpeer: 0.0.0.0 maxupd: 128
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=3<RXCSUM,TXCSUM>
> inet 127.0.0.1 netmask 0xff000000
> xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=503<RXCSUM,TXCSUM,TSO4,LRO>
> ether 00:16:3e:85:8a:12
> inet 109.IP.IP.IP netmask 0xffffff00 broadcast 109.169.82.255
> media: Ethernet manual
> status: active
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=3<RXCSUM,TXCSUM>
> inet 10.1.1.IP netmask 0xffffff00
> inet 10.1.1.IP netmask 0xffffffff
> inet 10.1.1.IP netmask 0xffffffff
> inet 10.1.1.IP netmask 0xffffffff
>
> srv# jls
> JID IP Address Hostname Path
> 1 10.1.1.IP www.mydomain.net /somepath/jails/www
> 2 10.1.1.IP sql.mydomain.net /somepath/jails/db
> 3 10.1.1.IP ns.mydomain.net /somepath/jails/ns
> 5 10.1.1.IP mail.mydomain.net /somepath/jails/mail
>
> Interface xn0 is my public facing interface, with my public IP.
>
> Everything appears to work as it should, I have a PF running on the
> host with a default deny all policy. I have the following NAT rule in my
> pf.conf:
>
> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
>
You should use Packet Tagging (Policy Filtering).
Something like this:
nat on $ext_if tag WWW tagged WWW -> ($ext_if)
nat on $ext_if tag SQL tagged SQL -> ($ext_if)
......
block in
block out
pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark traffic from jail to world
.....
pass out quick on $ext_if inet from ($ext_if) tagged WWW <- dispatch only marked WWW
PF is very good in situations like this. With PF it is possible to divide LAN traffic and router traffic easily.
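As an added example (not from the thread or from the FreeBSD project), here is how the tagging approach could be written as a pf.conf fragment for the four jails shown above; the jail addresses and the allowed ports are assumptions. Because traffic a jail originates is seen by pf only as outbound on xn0 and translation runs before filtering, the tag is set in the nat rule and checked in the pass out rule.

```pf
# Added example for the 9.0-RELEASE host described in the thread.
# Interface names come from the post; jail addresses are ASSUMED
# placeholders (the post shows them as 10.1.1.IP).
ext_if   = "xn0"
jail_if  = "lo1"
www_jail  = "10.1.1.11"   # assumed
ns_jail   = "10.1.1.13"   # assumed
mail_jail = "10.1.1.14"   # assumed
# No entry for the sql jail: it must never reach the Internet.

# Translation: the nat rule is where each jail's outbound policy lives.
# Only traffic that matches here is translated AND tagged; anything else
# keeps its 10.1.1.x source and is dropped by the filter below.
nat on $ext_if inet proto tcp from $www_jail to any \
    port { http https } tag WWW -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $ns_jail to any \
    port domain tag NS -> ($ext_if)
nat on $ext_if inet proto tcp from $mail_jail to any \
    port { smtp submission } tag MAIL -> ($ext_if)

# Default deny, logged to pflog0 so untagged jail leaks are visible.
block in log all
block out log all

# Host loopback and jail-to-jail traffic on lo1 (e.g. www -> sql).
pass quick on lo0
pass quick on $jail_if inet from $jail_if:network to $jail_if:network

# Dispatch on the public interface only what a nat rule tagged.
# Return packets ride on the state these rules create.
pass out quick on $ext_if inet from ($ext_if) tagged WWW
pass out quick on $ext_if inet from ($ext_if) tagged NS
pass out quick on $ext_if inet from ($ext_if) tagged MAIL

# The host's own traffic is untagged and needs its own rule.
pass out quick on $ext_if inet from ($ext_if) to any

# Check the syntax before loading:  pfctl -nf /etc/pf.conf
# Watch dropped (untagged) jail traffic:  tcpdump -n -e -ttt -i pflog0
```

A jail packet that matches no nat rule leaves the host with its 10.1.1.x source intact, fails `from ($ext_if)` and lands in `block out log`, which is what the default-deny policy in the original post is meant to guarantee.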