Configuring PF with Jails only having IPv6
Niklaas Baudet von Gersdorff
niklaas at kulturflatrate.net
Sat Nov 22 09:20:11 UTC 2014
Dear list members,
I have been struggling to properly set up PF for some days. I am renting
a root server that has one public IPv4 address and a /64 IPv6 subnet. It
is the first time that I am using FreeBSD 10. I got attracted by the
jails concept and successfully set up the root server itself as well as
one jail with ezjail using one IPv6 address. It is possible to connect
to the jail via SSH when PF is _disabled_.
The network configuration looks as follows. I censored some
information. The information that is censored is explained after each
output:
# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether [# MAC address]
inet [#1 ] netmask 0xffffffff broadcast [#2 ]
inet6 fe80::6e62:6dff:fe60:74fb%re0 prefixlen 64 scopeid 0x1
inet6 [#3 ] prefixlen 64
inet6 [#4 ] prefixlen 64
nd6 options=8021<PERFORMNUD,AUTO_LINKLOCAL,DEFAULTIF>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
[#1] = IPv4 address of root server
[#2] = IPv4 address of root server's gateway
[#3] = IPv6 address of root server
[#4] = IPv6 address of jail
# netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default static.[#2] UGS 0 110615 re0
localhost link#2 UH 0 1614 lo0
static.[#2] [some MAC address] UHS 0 0 re0
static.[#1] link#1 UHS 0 8898 lo0 =>
[#4 ]/32 link#1 U 0 0 re0
Internet6:
Destination Gateway Flags Netif Expire
:: localhost UGRS lo0 =>
default fe80::1%re0 UGS re0
localhost link#2 UH lo0
::ffff:0.0.0.0 localhost UGRS lo0
[#3 ] link#1 U re0
[#3 ] link#1 UHS lo0
[#3 ] link#1 UHS lo0
[#3 ] link#1 UHS lo0
fe80:: localhost UGRS lo0
fe80::%re0 link#1 U re0
fe80::6e62:6dff:fe link#1 UHS lo0
fe80::%lo0 link#2 U lo0
fe80::1%lo0 link#2 UHS lo0
ff01::%re0 fe80::6e62:6dff:fe U re0
ff01::%lo0 localhost U lo0
ff02:: localhost UGRS lo0
ff02::%re0 fe80::6e62:6dff:fe U re0
ff02::%lo0 localhost U lo0
[#1] = IPv4 address of the root server in reverse order
[#2] = IPv4 address of the gateway of the root server in reverse order
[#3] = IPv6 subnet
[#4] = IPv4 address of the root server
The network configuration is taken from
http://wiki.hetzner.de/index.php/FreeBSD_installieren/en#IPv6
and provided by the provider from whom I am renting the root server, which
results in the following configuration in `/etc/rc.conf`:
ifconfig_re0="inet [#1 ]/32"
gateway_if="re0"
gateway_ip="[#2 ]"
static_routes="gateway default"
route_gateway="-host $gateway_ip -interface $gateway_if"
route_default="default $gateway_ip"
ipv6_default_interface="re0"
ifconfig_re0_ipv6="[#3 ]/64"
# set a static local interface-route
ipv6_defaultrouter="fe80::1%re0"
ifconfig_re0_alias0="inet6 [#4 ]/64"
[#1] = IPv4 address of the root server
[#2] = IPv4 address of the gateway of the root server
[#3] = IPv6 address of the root server
[#4] = IPv6 address of the jail
The following configuration I basically took from pf.conf(5):
# pfctl -vnf /etc/pf.conf
ext_if = "re0"
services = "{ ssh }"
table <clients> persist { [#1] [#2] [#3] }
set skip on { lo0 }
scrub in on re0 all fragment reassemble
block return log on re0 all
block drop in from no-route to any
block drop in from urpf-failed to any
block drop out log quick on re0 from ! <clients> to any
block drop in quick on re0 inet from any to 255.255.255.255
block drop in log quick on re0 inet from 10.0.0.0/8 to any
block drop in log quick on re0 inet from 172.16.0.0/12 to any
block drop in log quick on re0 inet from 192.168.0.0/16 to any
block drop in log quick on re0 inet from 255.255.255.255 to any
pass out on re0 proto udp all keep state
pass in on re0 proto udp from any to any port = domain keep state
pass on re0 inet proto icmp all icmp-type echoreq code 0 keep state
pass out on re0 proto tcp all flags S/SA modulate state
pass in on re0 proto tcp from any to any port = ssh flags S/SA keep state
block drop in on re0 proto tcp from any os "nomatch" to any port = smtp
[#1] = IPv4 address of the root server
[#2] = IPv6 address of the root server
[#3] = IPv6 address of the jail
As a start I would like to block everything and only open the SSH port
so that I can connect to the root server itself as well as the jails
that I set up.
Although I did lots of research on the web, I haven't found any solution
to connect to the jail while PF is enabled yet. I guess this comes from
the somehow "weird" set-up of the routing in `/etc/rc.conf` and the fact
that I do not understand it. The following excerpt is from `pflog0`
which I get when I try to connect to the jail via SSH.
00:00:01.043975 rule 0..16777216/0(match): block out on re0: (hlim 255, next-header ICMPv6 (58) payload length: 32) [#1 ] > ff02::1:ff00:1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::1
source link-address option (1), length 8 (1): [# MAC address ]
[#1] = IPv6 address of jail
So it looks like ICMPv6 traffic is blocked but I am not sure about this.
Maybe I also need to add the "routing information" to PF's configuration
but I do not know how to do this.
Any help is very much appreciated.
Best,
--
Niklaas Baudet von Gersdorff
niklaas at kulturflatrate.net
http://www.twitter.com/NBvGersdorff
http://www.kulturflatrate.net/niklaas
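The pflog excerpt above shows an outbound ICMPv6 neighbor solicitation (to the solicited-node multicast group ff02::1:ff00:1, asking "who has fe80::1") being dropped by the default block rule: the only ICMP rule in the posted ruleset is "pass on re0 inet proto icmp", which applies to IPv4 only, so IPv6 neighbor discovery never gets through and the gateway fe80::1 can never be resolved. The ruleset below is an added example written for this thread, not code from the original post or from the FreeBSD project. It assumes re0 is the external interface, that [#1]..[#3] are replaced with the real addresses the poster censored, and that the host's own link-local address belongs in the allowed-source table (neighbor solicitations are sent from it, and the anti-spoofing rule would otherwise drop them). The icmp6-type names are those documented in pf.conf(5).

```pf
# Added example (not from the original post). Placeholders: [#1] IPv4 of
# the host, [#2] IPv6 of the host, [#3] IPv6 of the jail; re0 is assumed.
ext_if = "re0"
services = "{ ssh }"

# Sources allowed to send outbound traffic. fe80::/10 is included because
# neighbor discovery is sent from the interface's link-local address, which
# the anti-spoofing rule below would otherwise drop (and log on pflog0).
table <clients> persist { [#1] [#2] [#3] fe80::/10 }

set skip on lo0
scrub in on $ext_if all fragment reassemble

# Default deny, then anti-spoofing
block return log on $ext_if all
block drop in from no-route to any
block drop in from urpf-failed to any
block drop out log quick on $ext_if from ! <clients> to any

# IPv6 cannot work without ICMPv6: neighbor solicitation/advertisement
# resolve fe80::1 (the default router) and the jail's own address, router
# advertisements carry the on-link prefix, and the error types keep path
# MTU discovery working. These are stateless, so pass them quick in both
# directions; the stateful line below covers ping and the error messages.
pass in  quick on $ext_if inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routeradv }
pass out quick on $ext_if inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol }
pass in  on $ext_if inet6 proto icmp6 all icmp6-type { echoreq, unreach, toobig, timex, paramprob } keep state
pass out on $ext_if inet6 proto icmp6 all icmp6-type { echoreq, unreach, toobig, timex, paramprob } keep state

# IPv4 echo request, as in the original ruleset
pass on $ext_if inet proto icmp all icmp-type echoreq code 0 keep state

# Outbound client traffic from the host and the jails (DNS, package
# fetches, ...); the address families are covered by omitting inet/inet6
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto tcp all flags S/SA modulate state

# The only inbound service: SSH to the host address and to every jail
# address, IPv4 and IPv6 alike
pass in on $ext_if proto tcp from any to any port $services flags S/SA keep state
```

Check the syntax with a dry run first (`pfctl -vnf /etc/pf.conf`, the same command shown in the post), then load it with `pfctl -f /etc/pf.conf`. With the ruleset active, `tcpdump -n -e -ttt -i pflog0` should no longer show blocked neighbor solicitations toward ff02::1:ff00:1, and `ndp -an` should list fe80::1 with a resolved link-layer address; if the jail is still unreachable from outside, the problem is not PF but the routing shown above. Note that the inbound SSH rule has no address restriction, which matches the "open only SSH" intent; tightening it to a trusted source list is the next step once basic connectivity works.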