usage of rdr and pass validation

kaycee gb kisscoolandthegangbang at hotmail.fr
Tue Feb 25 19:50:16 UTC 2020


Hi,

First, sorry, English is not my native language. I will try to be as precise as
possible.

Also, I am not sure it is only pf related. Let me know if that is the case, please.
Maybe it would be for net and jail too.

So, I have two cases, maybe related.

The first one is about using an rdr translation rule.
I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to reach
one service from the outside. Using one rdr rule like this one, all seems to
work fine. I have access to the service.

> rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

But in case I want to apply some options to this, I have to split it in 3. This
is the relevant part of my config that makes it work:

> # Emulate skip on lo0
> pass    quick   on lo0  from 127.0.0.1  to 127.0.0.1
> # jail internal comms
> pass    quick   on lo0  from $j_one     to $j_one
>
> # other traffic ( do not know yet why it is necessary and why no interface
> # specified is mandatory )
> pass    in      quick   proto tcp from any to $j_one port 443
>
> # block all on lo0
> block   log     quick   on lo0
>
> rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> pass    in      quick   on $ext_if proto tcp from any to $j_one port 443

See the two lines at the end, which are the first two parts. The third part is
the line after the "other traffic" comment. After a lot of trial and error,
this line has to be written like that. I cannot add "on lo0" on this line or the
service is not reachable.

I have been using jails for some time now and remember having jail traffic bound to
lo0 before, even when in my configuration the jails have another interface defined (a
bridge, generally).

So I would like to know why it isn't possible to restrict this rule further. I
tried all the other interfaces present in my system, and that does not work either.
Using tcpdump, I can't see the traffic related to this service on any
interface except the external one. It's a little bit strange to me.

Finally, I will write another mail for the other case. 

kaycee,
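As an added illustration (not part of the original mail), the two forms of the rdr setup discussed above side by side in a minimal pf.conf; the macro values are assumed placeholders, not the poster's real interface or jail address:

```pf
# Assumed placeholder values for the poster's $ext_if and $j_one macros.
ext_if = "em0"
j_one  = "192.168.1.10"

# Form 1: "rdr pass" translates and passes in one statement. The implicit
# pass carries no filter options, which is why the mail splits it up.
# rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# Form 2: separate translation and filter rules.
# pf applies rdr before the filter rules are evaluated, so the filter rule
# must match the packet as it looks AFTER translation: it still arrives on
# $ext_if, but its destination is now $j_one, not $ext_if.
rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# Filter the translated packet; "log" and "keep state" are the kind of
# options the one-statement form cannot carry.
pass in log quick on $ext_if inet proto tcp from any to $j_one port 443 keep state

# Verification from a root shell on the host:
#   pfctl -nf /etc/pf.conf   syntax check without loading
#   pfctl -sn                show the loaded rdr/nat rules
#   pfctl -sr                show the loaded filter rules
#   pfctl -ss | grep 443     confirm a state exists once a client connects
```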

