usage of rdr and pass validation

Chris bsd-lists at BSDforge.com
Tue Feb 25 21:43:46 UTC 2020


On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb kisscoolandthegangbang at hotmail.fr said

> Hi,
> 
> First, sorry, English is not my native language. I will try to be as precise
> as possible.
> 
> And also I am not sure it is only pf related. Let me know if that is the case,
> please. Maybe it would be for net and jail too.
> 
> So, I have two cases maybe related. 
> 
> First one is for using rdr translation rule. 
> I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to reach
> one service from the outside. Using one rdr rule like this one, all seems to
> work fine. I have access to the service.
> 
> > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> 
> But in case I want to apply some options to this, I have to split it in 3.
> This is the relevant part of my config that makes it work:
> 
> > # Emulate skip on lo0
> > pass    quick   on lo0  from 127.0.0.1  to 127.0.0.1
> > # jail internal comms
> > pass    quick   on lo0  from $j_one     to $j_one
> >
> > # other traffic (do not know yet why it is necessary, nor why specifying
> > # no interface is mandatory)
> > pass    in      quick   proto tcp from any to $j_one port 443
> >
> > # block all on lo0
> > block   log     quick   on lo0
> >
> > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > pass    in      quick   on $ext_if proto tcp from any to $j_one port 443
> 
> See the two lines at the end, which are the first two parts. The third part
> is the line after the "other traffic" comment. After a lot of trial and error,
> this line has to be written like that. I cannot add "on lo0" on this line or
> the service is not reachable.
> 
> I have been using jails for some time now and remember having jail traffic
> bound to lo0 before, even when in my configuration the jails have another
> interface defined (a bridge, generally).
> 
> So I would like to know why it isn't possible to restrict this rule further. I
> tried all other interfaces present in my system, and that does not work
> either. Using tcpdump, I can't see the traffic related to this service on any
> interface except the external one. It's a little bit strange to me.
> 
> Finally, I will write another mail for the other case.
FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
when I attempt this sort of thing, as it seems to simplify things in my
head.
For example, rc.conf
cloned_interfaces="lo1 lo2"
ifconfig_lo1="inet 127.0.0.2"
ifconfig_lo2="inet 127.0.0.3"

This allows me to treat them as any other NIC. I route as necessary through
my NIC to the outside world; pf.conf(5):
EXT_ADDR="ou.ts.ide.ip"
# contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
table <trusted> persist file "/etc/TRUSTED"


set skip on { lo0, lo1, lo2 }

# this only represents the rule(s) for lo1 but should be helpful for
# additional rules on lo2 (or more)
nat pass on re0 from { lo1 } to any -> $EXT_ADDR
rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR


block in
pass out


HTH

--Chris
> 
> kaycee,
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
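A fuller version of the split-rule layout discussed in this thread, as an added example that is not taken from either poster's configuration. It combines Chris's cloned-loopback approach with kaycee's separated rdr and pass rules. The point of the split is that a single "rdr pass" rule passes the redirected packet without consulting the filter ruleset at all, so no state limits, logging or other filter options can be attached to it; with a bare "rdr" the packet continues into the filter rules, where it must be matched by its post-translation destination (the jail address, not the external address). The interface name re0, the cloned interface lo1, the address 127.0.0.2, the jail name and the limits chosen are all assumptions made for the example.

```pf
# /etc/rc.conf fragment (assumed; creates the per-jail loopback as Chris does)
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 127.0.0.2"
#   jail 'web' is assumed to be bound to 127.0.0.2 and to listen on tcp/443

# /etc/pf.conf -- added example, not from the thread.
ext_if  = "re0"        # assumed external NIC
jail_if = "lo1"        # assumed cloned loopback holding the jail address
j_web   = "127.0.0.2"  # assumed jail address

# Hosts that trip the connection limits below end up here.
table <bruteforce> persist

# Host<->jail and jail<->jail loopback traffic is not filtered at all.
set skip on { lo0 $jail_if }

# --- Translation rules (evaluated before the filter rules) -------------------
#
# The one-line form kaycee started with works, but the 'pass' keyword makes pf
# accept the redirected packet without running the filter rules, so nothing
# below can be applied to it:
#   rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $j_web port 443
#
# Bare 'rdr' only rewrites the destination; the packet then enters the filter
# ruleset already addressed to $j_web.
nat on $ext_if inet from $j_web to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $j_web port 443

# --- Filter rules ------------------------------------------------------------
block in log
pass out keep state

# Drop anything from a host that previously exceeded the limits.
block in quick on $ext_if from <bruteforce>

# Match the POST-translation destination ($j_web), exactly as kaycee's last
# rule does. Because this is an ordinary filter rule, state options can now be
# attached: at most 100 open connections per source, at most 15 new
# connections per 5 seconds per source, and offenders go into <bruteforce>
# with their existing states flushed.
pass in quick on $ext_if inet proto tcp from any to $j_web port 443 \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it. With "pfctl -vvsr" the rule counters show whether the tcp/443 packets are being matched by the filter rule rather than passed by the translation rule; with the "rdr pass" form the filter rule's counters stay at zero, which is the quickest way to confirm which of the two layouts is in effect.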