using pf to NAT with only one NIC

jhell jhell at DataIX.net
Sat Feb 6 05:10:23 UTC 2010


On Fri, 5 Feb 2010 19:47, peter@ wrote:
> Hi Maurice,
>
> Yes, you can do it without much difficulty and I've got my server
> setup in that manner: there's about twenty separate jails that can
> access the internet via specific NAT rules and incoming services
> handled via RDR rules.  Note: you won't be able to ping from a jail,
> unless you want to allow your jailed processes to create raw sockets
> (you don't) :-)
>
> There's probably many ways it can be done, but what I did was something like:
>
>
> i) create a second loopback interface, lo1 (c.f. cloned interfaces)
> and assign appropriate alias netblocks for your jails on that
> interface;
>
>
> ii) create your pf.conf, set skip on lo0 but not the external or lo1 interface;
>
>
> iii) I'd set "set state-policy if-bound" so you know what's going on;
>
>
> iv) don't use the antispoof keyword, it will make a mess in this situation;
>
>
> v) setting up bind to handle local dns resolution is a good idea -
> point your jails towards this and you'll need to add in an appropriate
> rule(s) later on;
>
>
> vi) setup outgoing nat rules, e.g.
>
> nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port
> smtp -> $ext_ip
>
>
> vii) setup incoming services, e.g.
>
> rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp
>
>
> viii) put in pass rules to allow nat out and rdr in; remember NAT is
> done first, so your outgoing packets ALL have source IP of the
> external IP now and not the jail IP
>
> pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags
> S/SA modulate state
> pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp
> flags S/SA modulate state
>
>
> ix) allow jail implicit access to itself
>
> pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to
> $int_ip_mail flags S/SA keep state
>
>
> x) add in rules to allow any interjail communication as needed
> (remember the incoming/outgoing packets appear the other way round
> here - use tcpdump to check if in doubt)
>
>
> If you have any problems, run tcpdump in a separate terminal window to
> determine what's going on.
>
>
> Peter
>
>
>
>
>
>
> On 5 February 2010 22:53, Maurice <mauduro at gmail.com> wrote:
>> Hi,
>>
>> I have been looking for a couple days now, with no luck, for some direction
>> as to whether I can successfully configure my freebsd to NAT with only one
>> NIC.  This is because I am setting up my system to jail my webserver, and I
>> don't think I can get it to work without NATting it. If you have an
>> alternate solution that would be great too. This is what my pf.conf looks
>> like right now:
>>
>>
>> #       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15
>> 03:14:26 kensmith Exp $
>> #       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
>> #
>> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>
>> block in all
>> block out all
>>
>> ext_if="fxp0"
>> #int_if="int0"
>> all_if="{fxp0, lo0}"
>>
>> #Internal network subnet
>> int_net="10.0.0.0/32"
>>
>> #name and IP of webserver
>> APACHE="10.0.0.1"
>>
>> #table <spamd-white> persist
>>
>> set skip on lo
>>
>> scrub in
>>
>> #nat-anchor "ftp-proxy/*"
>> #rdr-anchor "ftp-proxy/*"
>> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
>> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>> #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
>> #rdr pass on $ext_if proto tcp from any to any port smtp \
>> #       -> 127.0.0.1 port spamd
>>
>> #anchor "ftp-proxy/*"
>> #pass out
>>
>> #pass quick on $int_if no state
>> #antispoof quick for { lo $int_if }
>> block in quick from urpf-failed
>>
>> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
>> rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
>> nat on $ext_if from $APACHE to any -> fxp0
>>

Your placement of nat and redirect rules is a little bit worrisome. 
pf.conf, as stated by its manual page, is ordered (see following):

# [Macros] i.e. variable=lo1 
# [Options] i.e. set etc.. etc..
# [Normalization] i.e. scrub
# [Queuing] i.e. ALTQ
# [Translation] i.e. NAT RDR etc...
# [Filtering] i.e. pass & block rules

Beware that there is quite the change for rule-sets ahead if the newer 
version of pf that is in the works for OpenBSD ever makes it downstream to 
FreeBSD.

I personally do not know if the way you have your rule-set configured would 
cause any havoc with NAT since you have it mingled between filtering rules, 
but it would be good practice to stick to what's already drawn in the 
manual page.

Best of luck.

>> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
>> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>>
>> That doesn't seem to be doing the trick, since I can't ping and DNS won't
>> resolve anything from within the jail (APACHE). I am going off some examples
>> I found that would seem to suggest it is possible with only one NIC, but I
>> can't seem to get it to work. Any help/advice would be greatly appreciated.
>>
>> thanks,
>>
>> Maurice
>

-- 

  jhell
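As an added example (not from either poster), here is a pf.conf that puts Peter's steps i to x into the section order jhell quotes from pf.conf(5); the interface names, the 192.0.2.x and 10.0.0.x addresses, the rc.conf lines for lo1 and the host-side resolver address are all assumptions.

```pf
# Added example (not from either poster): Peter's steps laid out in the
# pf.conf(5) section order jhell lists. Assumed values: fxp0 is the only
# NIC with public address 192.0.2.10; lo1 is the cloned loopback from
# rc.conf (cloned_interfaces="lo1", ifconfig_lo1="inet 10.0.0.254/24",
# ifconfig_lo1_alias0="inet 10.0.0.1 netmask 255.255.255.255"); the web
# jail runs on 10.0.0.1 and a local bind on the host listens on 10.0.0.254.

# [Macros]
ext_if   = "fxp0"
ext_ip   = "192.0.2.10"
jail_if  = "lo1"
jail_net = "10.0.0.0/24"
host_lo1 = "10.0.0.254"
web_jail = "10.0.0.1"

# [Options]
set skip on lo0             # skip lo0 only; lo1 and fxp0 stay filtered
set state-policy if-bound   # states belong to the interface that created them

# [Normalization]
scrub in all

# [Translation] -- applied before filtering, so a packet leaving the jail
# already carries source $ext_ip by the time the filter rules see it
nat on $ext_if inet from $web_jail to ! $jail_net -> $ext_ip
rdr on $ext_if inet proto tcp from any to $ext_ip port http -> $web_jail port http

# [Filtering]
block in log all
block out log all

# host administration
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state

# inbound web: destination was already rewritten to $web_jail by rdr
pass in on $ext_if proto tcp from any to $web_jail port http flags S/SA modulate state

# outbound from the jail: source was already rewritten to $ext_ip by nat
pass out on $ext_if proto tcp from $ext_ip to any port { http, https } flags S/SA modulate state

# jail resolver traffic to the host's bind on lo1, and the jail to itself
pass in on $jail_if proto { tcp, udp } from $jail_net to $host_lo1 port domain keep state
pass on $jail_if proto { tcp, udp } from $web_jail to $web_jail keep state
```

Load it with `pfctl -nf /etc/pf.conf` first: a rule placed out of section order is rejected at that step rather than silently mis-applied.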



More information about the freebsd-pf mailing list