usage of rdr and pass validation

kaycee gb kisscoolandthegangbang at hotmail.fr
Wed Feb 26 10:32:04 UTC 2020


On Tue, 25 Feb 2020 13:43:50 -0800,
Chris <bsd-lists at BSDforge.com> wrote:

> On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb
> kisscoolandthegangbang at hotmail.fr said
>   
> > Hi,
> > 
> > First, sorry, English is not my native language. I will try to be as precise
> > as possible.
> > 
> > And also I am not sure it is only pf related. Let me know in this case
> > please. Maybe it would be for net and jail too.
> > 
> > So, I have two cases, maybe related.
> > 
> > The first one is for using a rdr translation rule.
> > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to reach
> > one service from the outside. Using one rdr rule like this one, all seems to
> > work fine. I have access to the service.
> >   
> > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443      -> $j_one port 443
> > 
> > But in case I want to apply some options to this, I have to split it in 3.
> > This is the relevant part of my config that makes it work:
> >   
> > > # Emulate skip on lo0
> > > pass            quick   on lo0                  from 127.0.0.1  to 127.0.0.1
> > > # jail internal  comms
> > > pass            quick   on lo0                  from $j_one     to $j_one
> > > 
> > > # other traffic ( do not know yet why it is necessary and why no interface specified is mandatory )
> > > pass    in      quick           proto tcp from any to $j_one port 443
> > >
> > > # block all on lo0
> > > block   log     quick   on lo0
> > >
> > > rdr on $ext_if inet proto tcp from any to $ext_if port 443      -> $j_one port 443
> > > pass    in      quick   on $ext_if proto tcp from any to $j_one port 443
> > 
> > See the two lines at the end, which are the first two parts. The third part
> > is the line after the "other traffic" comment. After a lot of trial and error,
> > this line has to be written like that. I cannot add "on lo0" on this line or
> > the service is not reachable.
> > 
> > I have been using jails for some time now and remember having jail traffic
> > bound to lo0 before, even when in my configuration jails have another
> > interface defined (a bridge generally).
> > 
> > So I would like to know why it isn't possible to restrict this rule more? I
> > tried all other interfaces present in my system, and that does not work
> > either.
> > Using tcpdump, I can't see the traffic related to this service on any
> > interface except the external one. It's a little bit strange for me.
> > 
> > Finally, I will write another mail for the other case.  
> FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> when I attempt these sorts of things, as it seems to simplify things in my
> head.
> For example, rc.conf:
> cloned_interfaces="lo1 lo2"
> ifconfig_lo1="inet 127.0.0.2"
> ifconfig_lo2="inet 127.0.0.3"  

IIRC, lo1, lo2, ... like bridges bridge0, bridge1 are just "virtual interfaces"
that help with the jail configuration file. Jail traffic is in reality going
through lo0.
When I started using jails, I was using lo1, lo2, ... too, but after trying once
or twice with bridge interfaces, I decided to stay with bridges; in my head it
was more like a switch for jails, and it worked in the same way. Just a matter
of preference.
> 
> This allows me to treat them as any other NIC. I route as necessary to my
> NIC to the outside world; pf.conf(5):
> EXT_ADDR="ou.ts.ide.ip"
> # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> table <trusted> persist file "/etc/TRUSTED"
> 
> 
> set skip on { lo0, lo1, lo2 }  

You could just write set skip on lo0; that would have the same effect. I
emulate this for host traffic because I filter inter-jail communications.
> 
> # this only represents the rule(s) for lo1 but should be helpful for
> # additional rules on lo2 (or more)
> nat pass on re0 from { lo1 } to any -> $EXT_ADDR  

Funny how you write this one. Maybe I'm used to splitting it into nat and pass as
a second rule. IIUC the doc, it's possible to write it like this.

> rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR  

Funny for this one too. I suppose in this case re0 is the external interface.
Shouldn't $EXT_ADDR be replaced with the jail's address? Or maybe I'm missing
something?
> 
> 
> block in
> pass out
> 
>   

With a pass in rdr translation rule, like said above, that works. My question was
for when I use split rdr translation rules.

kaycee,

P.S. Resent because in the first mail I forgot the pf list.
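As an added example, not part of either mail in this thread: a minimal pf.conf fragment in the FreeBSD 11 syntax that places the rdr pass one-liner next to the split rdr + pass in form the original mail describes. The interface re0, the jail address 10.0.0.11 and the macro names are assumed placeholders.

```pf
# Added example, not from the thread. Interface, address and macro names are
# assumed placeholders; adjust to the real external interface and jail address.
ext_if = "re0"
j_one  = "10.0.0.11"

# Form 1: translate and pass in one rule. "rdr pass" passes the translated
# connection statefully without consulting the filter rules below.
# rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# Form 2: translation only. Filtering is left to the pass rules.
rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# Inbound translation runs before filtering, so the filter rule must match the
# translated destination ($j_one), not the external address ($ext_if). The
# packet is still arriving on $ext_if at this point.
pass in quick on $ext_if inet proto tcp from any to $j_one port 443

# Emulating "set skip on lo0" selectively: allow host-local and jail-internal
# loopback traffic, then log and block everything else on lo0 so that
# inter-jail traffic is filtered rather than skipped.
pass quick on lo0 from 127.0.0.1 to 127.0.0.1
pass quick on lo0 from $j_one to $j_one
block log quick on lo0

# Default policy for everything not matched above.
block in
pass out
```

A fragment like this can be parsed without loading it with `pfctl -nf /etc/pf.conf`, and once loaded the translation and filter rule sets can be listed separately with `pfctl -sn` and `pfctl -sr`; comparing the two listings is the quickest way to confirm that the split form really filters on the translated jail address rather than on $ext_if.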

