setfib + pf + synproxy not working

Max Laier max at love2party.net
Fri Jan 8 05:55:46 UTC 2010


On Friday 08 January 2010 06:04:34 Peter wrote:
> Hi,
>    Playing around with FIBs and jails.
> 
> The host system is on a private 172.xxx network with a gateway of 172.xxx
> going through a NAT box for internet. [fib 0]
> 
> The jail has only a public IP, on fib 1 [with gateway being ISP router]
> 
> With this, the jail is working fine.
> 
> What I'm trying to accomplish is portknocking for 'ssh' access:
> 
> pass in log quick proto tcp from any to any port {1234} synproxy state \
>   (max-src-conn-rate 5/15, overload <portknock_ssh>)
> 
> Because the jail is on 'fib 1', the connection is never established to
> overload the rule. The 'synproxy state' is communicating via the
> 172.xxxx/default gateway [of fib 0] instead of via the public "fib 1"
> 
> I can ssh into the jail if I do
> pass in log quick proto tcp from any to any port {22} keep state
> 
> I CANNOT ssh into the jail if I do
> pass in log quick proto tcp from any to any port {22} synproxy state
> 
> Any way I can force 'synproxy' to communicate via fib 1?

I don't think I understand your setup and intent completely, but you can 
select a fib with the "rtable" filter parameter.  It *should* be used for the 
synproxy communication, as well.  Please report if this helps.

--
  Max
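
A pf.conf fragment along the lines of Max's "rtable" hint, as an added example that is not part of the thread: it pins both the knock rule and the ssh rule to routing table 1 (the jail's fib) and gates ssh on the overload table; the interface name, jail address and knock port are assumptions.

```pf
# Added example, not from the thread. Assumed names:
ext_if  = "em0"           # interface carrying the jail's public IP
jail_ip = "203.0.113.10"  # jail's public address (documentation range)

# Sources that have "knocked" are placed here by the overload option.
table <portknock_ssh> persist

# Knock port: rtable 1 makes the route lookup (and, per Max's reply, the
# synproxy handshake) use fib 1 instead of the host's default fib 0.
pass in log quick on $ext_if proto tcp from any to $jail_ip port 1234 \
    rtable 1 synproxy state (max-src-conn-rate 5/15, overload <portknock_ssh>)

# ssh is reachable only from sources already in the table; same fib.
pass in log quick on $ext_if proto tcp from <portknock_ssh> to $jail_ip port 22 \
    rtable 1 synproxy state

# Anything else aimed at the jail's ssh port is dropped and logged.
block in log quick on $ext_if proto tcp from any to $jail_ip port 22

# Checks: parse without loading, then watch the table fill after knocking.
#   pfctl -nf /etc/pf.conf
#   pfctl -t portknock_ssh -T show
```

If the knock source never appears in the table, the synproxy handshake is still completing via the wrong fib, which is the symptom the original post describes.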


More information about the freebsd-pf mailing list