NAT & RDR rules for jailed proxy services

Carsten Larsen csf at innolan.dk
Sat Dec 21 15:36:10 UTC 2013


Hi again,

Beeblebrox wrote:
> I had some difficulty understanding the packet flow logic in your
> explanation, so forgive me for asking once more. As an example from what you
> indicated, does this ruleset do the job?
>
> # Begin NAT & RDR rules
> # For the privoxy jail
>   nat pass in quick on $JailIf from !$JailIf to $JailIf port 8118 tag
> NAT_PRVX -> $j_privoxy port 8118
>   nat pass out quick on $JailIf from $j_privoxy to !$JailIf port 8118 tag
> NAT_PRVX -> $JailIf port 80
NAT is only for outbound rules. Use rdr rules for inbound traffic.

Here is a rewrite: Allow traffic from DNS jail to leave on external 
interface. All ports open outbound. Reserve ports on external interface 
below 10000 for inbound traffic.
nat on $ExtIf from $j_dns to !($ExtIf) tag NAT_DNS_JAIL -> ($ExtIf) port 10000:65535

That's it. The rest is to allow routing between jails and maybe local 
networks. NAT is only needed for traffic leaving on the external interface.

If you need to serve incoming traffic arriving on the external interface 
then use the rdr rules.

>
> # For the unbound jail, there's a problem. Other jailed IP's on $JailIf will
> want a DNS server they can query.
>   nat pass in quick on $JailIf proto {tcp,udp} from any to $j_dns port domain
> tag NAT_DNS -> $j_dns
>   nat pass out quick on $JailIf proto {tcp,udp} from $j_dns to $ExtIf port
> domain tag NAT_PRVX -> $ExtIf
>
> # Lastly
> nat on $ExtIf from any to !($ExtIf) -> ($ExtIf)
>

Lastly should be filter rules. Example:
block on $ExtIf
# Allow all traffic, regardless of source and destination port, originating
# from the dns jail
pass quick on $ExtIf inet tagged NAT_DNS_JAIL

# Allow all traffic originating from the host
pass quick on $ExtIf

...

Also add scrub to ensure no packet fragmentation. This is needed for pf 
to work.
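Putting the pieces of this reply together (nat for outbound, rdr for inbound, tagged filter rules, scrub), here is a complete pf.conf skeleton. It is an added example, not a ruleset from this thread or from the FreeBSD project; the macro names come from the thread, while the interface names and jail addresses are assumed placeholders.

```pf
# Added example (not from the thread). Macro names follow the thread; the
# interface names and jail addresses below are assumed placeholders.
ExtIf = "em0"            # assumed external interface
JailIf = "lo1"           # assumed cloned interface carrying the jail addresses
j_dns = "10.0.0.53"      # assumed address of the unbound jail
j_privoxy = "10.0.0.80"  # assumed address of the privoxy jail

# Reassemble fragments before translation and filtering
scrub in all fragment reassemble

# --- Translation: nat handles outbound, rdr handles inbound ---

# Outbound: the DNS jail leaves on the external interface with its address;
# source ports 10000-65535 keep the low range free for inbound rdr rules
nat on $ExtIf from $j_dns to !($ExtIf) tag NAT_DNS_JAIL -> ($ExtIf) port 10000:65535

# Outbound: the privoxy jail uses the same scheme
nat on $ExtIf from $j_privoxy to !($ExtIf) tag NAT_PRVX_JAIL -> ($ExtIf) port 10000:65535

# Inbound: connections arriving on the external interface are redirected to
# the jails and tagged so the filter rules can match on the tag
rdr on $ExtIf proto { tcp, udp } from any to ($ExtIf) port domain tag RDR_DNS -> $j_dns port domain
rdr on $ExtIf proto tcp from any to ($ExtIf) port 8118 tag RDR_PRVX -> $j_privoxy port 8118

# --- Filtering: default deny on the external interface ---
block log on $ExtIf

# Translated outbound traffic from the jails, with state kept for replies
pass out quick on $ExtIf inet tagged NAT_DNS_JAIL keep state
pass out quick on $ExtIf inet tagged NAT_PRVX_JAIL keep state

# Redirected inbound traffic to the jails
pass in quick on $ExtIf inet proto { tcp, udp } tagged RDR_DNS keep state
pass in quick on $ExtIf inet proto tcp tagged RDR_PRVX keep state

# Other jails on $JailIf query the DNS jail directly; no translation needed
pass quick on $JailIf proto { tcp, udp } from $JailIf:network to $j_dns port domain keep state

# Traffic originating from the host itself
pass out quick on $ExtIf keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to parse without applying; the tags make it easy to confirm with `pfctl -sr` and `pfctl -ss` which filter rule each jail's translated traffic is matching.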

> It looks to me like it still does not quite make complete sense.
>
> Thanks for your time.
>
>
>
>
> -----
> FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS


More information about the freebsd-pf mailing list