Some pf syntax questions

Beeblebrox zaphod at berentweb.com
Wed Jan 29 20:30:59 UTC 2014


I have re0 (ExtIf), re1 (IntIf), lo0, vboxnet0 (VbIf) as interfaces. There
are http-cache, privoxy and dns running, each inside its own jail, with IPs from
127.0.0.2 - 4. Host is both gateway to LAN and workstation (so http and dns
packets are generated from lo0 also).  I would like to have all http and dns
packets from IntIf and VbIf silently proxied to the jails.

The rdr and nat section of pf.conf is:
##### Translation & RDR ######
 no rdr proto {tcp,udp} from $jdns to any port domain
 no rdr proto tcp from $jprvx to $ExtIf port http
 no rdr proto tcp from $jhttp to {$IntIf,$VbIf} port http

## redirect packets for interception ##
 rdr proto {tcp,udp} from any to any port domain tag t_dns -> $jdns
 rdr proto tcp from any to any port http tag t_www -> $jhttp port 8080
 rdr on $IntIf proto {tcp,udp} from $IntNet to any port domain tag t_dns -> $jdns
 rdr on $IntIf proto tcp from $IntNet to any port http tag t_www -> $jhttp port 8080

 nat on $ExtIf from !($ExtIf) -> $ExtIf

Problems & Questions:
1. Currently, packets from VbIf (vboxnet0 + host-only guests) and lo0
correctly pass through the jails. Configuration for IntIf fails completely
however. How can the packets from IntIf be redirected to the jails? FIB has
been tried and does not work because from ifconfig man page's FIB section:
"The FIB is not inherited, e.g. vlans or other sub-interfaces will use the
default FIB (0) irrespective of the parent interface's FIB."

2. Having tagged the packets as above, I found this syntax to NOT work: no
rdr tagged t_dns  \  no rdr tagged t_www. Is this logic doomed to fail, or
is there a different syntax? As far as I know, the tag should persist on the
outbound, but probably gets dropped once it leaves ExtIf, hence wrong place
to tag?

3. So far, I have not found any method or setup to force redirect packets
from lo0. I assume it's impossible even if I were to add these to pf.conf?
 rdr on $ExtIf proto {tcp,udp} from any port domain tag t_dns -> $jdns
 rdr on $ExtIf proto tcp from any port http tag t_www -> $jhttp port 8080



-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
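For reference, here is a complete ruleset in the same pre-4.7 pf syntax the post uses, showing the per-interface transparent-proxy pattern for both internal interfaces together with the filter rules that consume the tags. It is an added example, not the poster's configuration or anything from the freebsd-pf list, and it rests on the translation semantics documented in pf.conf(5): an rdr rule with an "on" clause matches packets arriving inbound on that interface, nat matches packets leaving it, and among translation rules the first match wins (so "no rdr" exceptions go first). The network prefixes, the assignment of 127.0.0.2-4 to the three jails, and the macro names IntNet and VbNet are assumptions.

```pf
# Added example ruleset; interface names are taken from the post, the
# address prefixes and jail IP assignment below are assumed placeholders.
ExtIf  = "re0"
IntIf  = "re1"
VbIf   = "vboxnet0"
IntNet = "192.168.1.0/24"       # assumed LAN prefix behind re1
VbNet  = "192.168.56.0/24"      # assumed vboxnet0 host-only prefix
jdns   = "127.0.0.2"            # dns jail      (assumed)
jhttp  = "127.0.0.3"            # http-cache jail (assumed)
jprvx  = "127.0.0.4"            # privoxy jail  (assumed)

##### Translation & RDR ######
# Translation rules: first match wins, so the exceptions come first.
# Each jail's own outbound traffic must not be redirected back into a jail.
no rdr proto { tcp, udp } from $jdns to any port domain
no rdr proto tcp from $jhttp to any port http
no rdr proto tcp from $jprvx to any port http

# rdr only sees packets coming IN on the named interface, so every
# internal interface that should be intercepted needs its own rule;
# a rule "on $ExtIf" would only match packets arriving from outside.
rdr on $IntIf proto { tcp, udp } from $IntNet to any port domain tag t_dns -> $jdns
rdr on $IntIf proto tcp from $IntNet to any port http tag t_www -> $jhttp port 8080
rdr on $VbIf  proto { tcp, udp } from $VbNet  to any port domain tag t_dns -> $jdns
rdr on $VbIf  proto tcp from $VbNet  to any port http tag t_www -> $jhttp port 8080

# Source NAT for everything leaving the external interface.
nat on $ExtIf from !($ExtIf) -> $ExtIf

##### Filtering ######
# Filter rules see the already-translated destination (the jail address)
# and can match the tag that the rdr rule attached with "tagged".
block in log all
pass in quick on { $IntIf, $VbIf } tagged t_dns keep state
pass in quick on { $IntIf, $VbIf } tagged t_www keep state
pass in on { $IntIf, $VbIf } keep state
pass out on $ExtIf keep state
```

Before loading, `pfctl -nf /path/to/pf.conf` parses the file without activating it and reports syntax errors with line numbers; after loading, `pfctl -sn` lists the translation rules as pf actually expanded them (useful for confirming that a macro or brace list produced the rules you expected) and `pfctl -vsr` shows the filter rules with their match counters, so a tagged rule whose counter stays at zero tells you the tag is never reaching the filter stage. `rdr pass` can replace an rdr rule plus its pass rule in one line, but then the packet skips the filter rules entirely and the "tagged" matches above become unnecessary.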