NAT & RDR rules for jailed proxy services

Carsten Larsen csf at innolan.dk
Tue Dec 24 11:38:05 UTC 2013


Hi Beeblebrox,

I took a look at your configuration on google docs and I must say it is 
a rather complex strategy you have chosen. I won't try to fix your 
configuration but instead give some general advice based on my own 
experience.

-> Instead of relying heavily on nat and redirect rules try to use 
routing between your addresses. This would work just by allowing routing 
in the kernel. Examine routing tables using netstat -rn.
-> Use the tool pftop accessible from the ports collection and examine 
the state table. This usually gives an indication of where to look for 
the missing responses. It will also show you which IP is being used as 
gateway while doing NAT.
-> Verify your rules look as expected with 'pfctl -s rules' and 'pfctl 
-s nat'.
-> Be sure you understand how filtering works. I would recommend reading 
the online tutorials by Peter N. M. Hansteen at 
http://home.nuug.no/~peter/pf/en/
-> If you really want to dig deep buy the "Book of PF". I read it myself 
and it helped a lot to understand the possibilities but also the 
constraints of pf. The book does not specifically treat the subject of 
jails though.

Good luck with the rules (and merry Christmas)
Carsten Larsen

---

Beeblebrox wrote:
> Hi Carsten,
> Thanks very much for your ideas & input. I have it working mostly as you
> advised. Nat rules:
>   nat on $ExtIf proto {tcp,udp} from $jdns to $JaIf port 443 tag NAT_DNS -> $ExtIf     # I use dnscrypt-proxy
>   nat on $ExtIf proto {tcp,udp} from $jprvx to $JaIf port {80,443} tag NAT_PRVX -> $ExtIf
>   nat on $ExtIf from any to !($ExtIf) -> $ExtIf
> I don't have to use different ports, it works as is. Tagging does help
> distinguish between "same port, different jail" (for port 443 as example).
>
> That said, I seem to have run into a strange filter rule problem. I aim to
> block all ports that each jail is not using. Partial filter rules:
>   block drop log (all) on $ExtIf
>   block drop log (all) on $JaIf
> ##_PRIVOXY
>   pass in quick on $JaIf proto tcp from any to $jprvx port 8118
>   pass out quick on {$JaIf,$ExtIf} inet tagged NAT_PRVX $TcpState $OpenSTO
>
> The strangeness: When I comment out the block code (rules lines 1 & 2
> above), the privoxy jail stops working. tcpdump shows:
> 1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
> 1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
>
> Is the problem with the port that privoxy is using, or do I need to allow
> some other pass rule for each jail (like jail's lo0 must be able to pass to
> <jail-ip>:8118)?
>
>>> Also add scrub to ensure no packet fragmentation. This is needed for pf
>>> to work.
> I have a bunch of code I have omitted so as to keep the messages short.
>
> Thanks and Regards.
>
> -----
> FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
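An added helper, written for this thread and not code from either poster: it parses tcpdump's pflog output such as the lines quoted above, counts blocked packets per rule number, direction, interface and destination, and isolates blocked SYNs, so the rule number can be matched against the '@N' index printed by 'pfctl -vvs rules'. The sample input is the thread's own four lines re-joined; the regex shape is an assumption about tcpdump's pflog printer, not a specification.

```python
import re
from collections import Counter

# Constructed sample: the four pflog lines quoted in the thread, re-joined
# onto single lines as tcpdump -n -e -tt -i pflog0 prints them.
SAMPLE_PFLOG = """\
1387731935.321882 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55548 > 192.168.2.99.8118: Flags [S], seq 1465289666, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.321927 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55549 > 192.168.2.99.8118: Flags [S], seq 650179452, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.322052 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55550 > 192.168.2.99.8118: Flags [S], seq 1328782560, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
1387731935.322084 rule 13..16777216/0(match): block out on lo2: 192.168.2.99.55551 > 192.168.2.99.8118: Flags [S], seq 3999782183, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 19234153 ecr 0], length 0
"""

# One pflog record: timestamp, rule number (the "..16777216/0(match)" part
# carries sub-rule and reason fields we skip), action, direction, interface,
# then TCP endpoints and flags. Regex shape is an assumption, not a spec.
PFLOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule (?P<rule>\d+)[^(]*\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog(text):
    """Yield one dict per parseable pflog line; other lines are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize_blocks(text):
    """Count blocked packets per (rule, dir, ifname, dst:port). The rule
    number is the @N index shown by 'pfctl -vvs rules'."""
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] == "block":
            key = (int(rec["rule"]), rec["dir"], rec["ifname"],
                   rec["dst"] + ":" + rec["dport"])
            counts[key] += 1
    return counts


def blocked_syns(text):
    """Blocked SYNs without ACK: new flows that never created a state, so
    they will not appear in pftop's state table, only in pflog."""
    return [rec for rec in parse_pflog(text)
            if rec["action"] == "block" and "S" in rec["flags"]
            and "." not in rec["flags"]]
```

Feed it live output with something like `tcpdump -n -e -tt -i pflog0 -l | python3 -c '...'` and the summary points at the single rule (here 13 on lo2) that needs a matching pass rule for the jail's loopback traffic.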

