nat + pf, network weirdness

Виталий Владимирович artemrts at ukr.net
Sat Jan 21 14:33:33 UTC 2012



--- Original message ---
From: other at ahhyes.net
To: freebsd-jail at freebsd.org
Date: 21 January 2012, 10:57:48
Subject: nat + pf, network weirdness

> Hi Guys,
> 
> I am running 9.0-RELEASE on my VPS. I decided to jail a bunch of 
> services that are public facing in an effort to improve security.
> 
> Firstly a breakdown of how things are setup:
> 
> srv# ifconfig
> pflog0: flags=0<> metric 0 mtu 33152
> pfsync0: flags=0<> metric 0 mtu 1500
> syncpeer: 0.0.0.0 maxupd: 128
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=3<RXCSUM,TXCSUM>
> inet 127.0.0.1 netmask 0xff000000
> xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=503<RXCSUM,TXCSUM,TSO4,LRO>
> ether 00:16:3e:85:8a:12
> inet 109.IP.IP.IP netmask 0xffffff00 broadcast 109.169.82.255
> media: Ethernet manual
> status: active
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=3<RXCSUM,TXCSUM>
> inet 10.1.1.IP netmask 0xffffff00
> inet 10.1.1.IP netmask 0xffffffff
> inet 10.1.1.IP netmask 0xffffffff
> inet 10.1.1.IP netmask 0xffffffff
> 
> srv# jls
> JID  IP Address      Hostname                      Path
> 1  10.1.1.IP       www.mydomain.net              /somepath/jails/www
> 2  10.1.1.IP       sql.mydomain.net              /somepath/jails/db
> 3  10.1.1.IP       ns.mydomain.net               /somepath/jails/ns
> 5  10.1.1.IP       mail.mydomain.net             /somepath/jails/mail
> 
> Interface xn0 is my public facing interface, with my public IP.
> 
> Everything appears to work as it should, I have a PF running on the 
> host with a default deny all policy. I have the following NAT rule in my 
> pf.conf:
> 
> nat on xn0 from 10.1.1.0/24 to any -> (xn0)
> 
You should use Packet Tagging (Policy Filtering).
Something like this:

nat on $ext_if tag WWW tagged WWW -> ($ext_if)
nat on $ext_if tag SQL tagged SQL -> ($ext_if)

......

block in
block out
pass in quick on lo1 inet from 10.1.1.1 to !(self) tag WWW <- mark traffic from jail to world
.....
pass out quick on $ext_if inet from ($ext_if) tagged WWW <- dispatch only marked WWW

PF is very good in situations like this. With PF it is possible to divide LAN traffic and router traffic easily.
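A fuller pf.conf in the spirit of the tagging suggestion above, added here as an illustration and not taken from either poster's configuration. It attaches the tag in the nat rule itself, because the filter rules on the public interface see the translated source address and otherwise cannot tell one jail's outbound traffic from another's or from the host's. The interface names follow the thread; the host address 10.1.1.1 on lo1, the jail addresses 10.1.1.10 (www) and 10.1.1.20 (sql), the database port 3306 and the permitted egress ports are assumptions.

```pf
# Added illustration of per-jail tagging; not from either poster.
# Assumed: xn0 is the public interface, lo1 carries the jail addresses,
# the host uses 10.1.1.1 on lo1, www is 10.1.1.10, sql is 10.1.1.20,
# and the database listens on TCP 3306.
ext_if   = "xn0"
jail_if  = "lo1"
host_lo  = "10.1.1.1"
www_jail = "10.1.1.10"
sql_jail = "10.1.1.20"

set skip on lo0

# --- translation ------------------------------------------------------
# One nat rule per jail, each attaching its own tag. After translation the
# filter rules on $ext_if see the public address as source, so the tag is
# the only thing that still identifies which jail the packet came from.
nat on $ext_if from $www_jail to any tag WWW -> ($ext_if)
nat on $ext_if from $sql_jail to any tag SQL -> ($ext_if)

# Only the web jail is reachable from outside; the database jail has no rdr.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $www_jail

# --- filtering --------------------------------------------------------
block in log
block out log

# Inbound: ssh to the host, web to the (already redirected) www jail.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
pass in quick on $ext_if inet proto tcp from any to $www_jail port { 80, 443 } keep state

# Traffic on lo1: the host may reach every jail, each jail may talk to
# itself (a jail's 127.0.0.1 is mapped onto its own address, so in-jail
# local connections also cross lo1), www may reach the database port,
# and nothing else moves between jails.
pass quick on $jail_if from $host_lo to any keep state
pass quick on $jail_if from $www_jail to $www_jail keep state
pass quick on $jail_if from $sql_jail to $sql_jail keep state
pass quick on $jail_if inet proto tcp from $www_jail to $sql_jail port 3306 keep state
block log quick on $jail_if

# Outbound on the public interface, dispatched by tag. The tagged rules
# must precede the untagged host rule, and each tag ends in an explicit
# block; otherwise translated jail traffic would fall through to the host
# rule, whose source address it now shares.
pass out quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 tagged WWW keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port { 80, 443 } tagged WWW keep state
block out log quick on $ext_if tagged WWW
pass out quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 tagged SQL keep state
block out log quick on $ext_if tagged SQL

# Anything reaching this point carries no tag, i.e. it is the host's own.
pass out quick on $ext_if from ($ext_if) to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and confirm the separation with `pfctl -s states` while a jail is making connections: the state entries show the translated public address, which is exactly why an untagged `pass out from ($ext_if)` rule would otherwise admit the jail traffic as if it were the host's.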

