using pf to NAT with only one NIC

Peter Maxwell peter at allicient.co.uk
Sat Feb 6 00:47:05 UTC 2010


Hi Maurice,

Yes, you can do it without much difficulty and I've got my server
set up in that manner: there are about twenty separate jails that can
access the internet via specific NAT rules and incoming services
handled via RDR rules.  Note: you won't be able to ping from a jail,
unless you want to allow your jailed processes to create raw sockets
(you don't) :-)

There are probably many ways it can be done, but what I did was something like:


i) create a second loopback interface, lo1 (c.f. cloned interfaces)
and assign appropriate alias netblocks for your jails on that
interface;


ii) create your pf.conf, set skip on lo0 but not the external or lo1 interface;


iii) I'd set "set state-policy if-bound" so you know what's going on;


iv) don't use the antispoof keyword, it will make a mess in this situation;


v) setting up bind to handle local dns resolution is a good idea -
point your jails towards this and you'll need to add in an appropriate
rule(s) later on;


vi) set up outgoing nat rules, e.g.

nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port smtp -> $ext_ip


vii) set up incoming services, e.g.

rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp


viii) put in pass rules to allow nat out and rdr in; remember NAT is
done first, so your outgoing packets ALL have source IP of the
external IP now and not the jail IP

pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state


ix) allow jail implicit access to itself

pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail flags S/SA keep state


x) add in rules to allow any interjail communication as needed
(remember the incoming/outgoing packets appear the other way round
here - use tcpdump to check if in doubt)


If you have any problems, run tcpdump in a separate terminal window to
determine what's going on.


Peter
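The ten steps above, worked through as one rc.conf and pf.conf pair for a single mail jail on a cloned lo1 behind one NIC. This is an added example, not Peter's or Maurice's configuration; the interface name em0, the addresses 203.0.113.10, 10.1.1.10 and 10.1.1.1 and the resolver placement on lo1 are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. One jail ("mail", 10.1.1.10) lives on a cloned
# lo1 behind the single NIC em0 (203.0.113.10); all addresses are constructed.
# The host resolver (step v) is assumed to listen on the lo1 address 10.1.1.1.

# Step i, rc.conf(5): clone lo1 and put the resolver address and jail alias on it.
rc_conf_lines() {
    cat <<'EOF'
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.1.1.10 netmask 255.255.255.255"
pf_enable="YES"
EOF
}

# Steps ii-ix, pf.conf(5). pf evaluates nat/rdr before the filter rules, so the
# pass rules must match the translated addresses, not the jail's own address.
pf_conf() {
    cat <<'EOF'
ext_if="em0"
ext_ip="203.0.113.10"
int_lo1_if="lo1"
int_ip_mail="10.1.1.10"
int_ip_dns="10.1.1.1"
set skip on lo0                 # ii) only lo0; lo1 and $ext_if are filtered
set state-policy if-bound       # iii) a state is valid only on the interface that created it
# iv) no antispoof: jail traffic legitimately enters on lo1 and leaves on $ext_if
# vi) outbound NAT: SMTP from the mail jail only, never toward other lo1 addresses
nat on $ext_if inet proto tcp from $int_ip_mail to ! $int_lo1_if:network port smtp -> $ext_ip
# vii) inbound service: redirect public SMTP into the jail
rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp
block log all
# viii) after translation the source going out is $ext_ip and the destination coming in is the jail
pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
pass in  log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state
# v) jail -> host resolver stays on lo1 (no NAT applies); no direction given, see step x
pass log on $int_lo1_if proto { tcp, udp } from $int_ip_mail to $int_ip_dns port domain keep state
# ix) the jail talking to itself
pass log on $int_lo1_if proto { tcp, udp } from $int_ip_mail to $int_ip_mail keep state
EOF
}

# Usage on the FreeBSD host: pf_conf > /etc/pf.conf.new && pfctl -nf /etc/pf.conf.new
```

The `pfctl -nf` dry run only checks syntax; confirm the rule order (options, then nat/rdr, then filter rules) and watch lo1 with tcpdump as step x suggests before loading it.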
On 5 February 2010 22:53, Maurice <mauduro at gmail.com> wrote:
> Hi,
>
> I have been looking for a couple days now, with no luck, for some direction
> as to whether I can successfully configure my freebsd to NAT with only one
> NIC.  This is because I am setting up my system to jail my webserver, and I
> don't think I can get it to work without NATting it. If you have an
> alternate solution that would be great too. This is what my pf.conf looks
> like right now:
>
>
> #       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15
> 03:14:26 kensmith Exp $
> #       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> block in all
> block out all
>
> ext_if="fxp0"
> #int_if="int0"
> all_if="{fxp0, lo0}"
>
> #Internal network subnet
> int_net="10.0.0.0/32"
>
> #name and IP of webserver
> APACHE="10.0.0.1"
>
> #table <spamd-white> persist
>
> set skip on lo
>
> scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #       -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
> block in quick from urpf-failed
>
> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
> rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
> nat on $ext_if from $APACHE to any -> fxp0
>
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> That doesn't seem to be doing the trick, since I can't ping and DNS won't
> resolve anything from within the jail (APACHE). I am going off some examples
> I found that would seem to suggest it is possible with only one NIC, but I
> can't seem to get it to work. Any help/advice would be greatly appreciated.
>
> thanks,
>
> Maurice