usage of rdr and pass validation

Chris bsd-lists at BSDforge.com
Wed Feb 26 15:39:16 UTC 2020


On Wed, 26 Feb 2020 10:31:59 +0000 kaycee gb kisscoolandthegangbang at hotmail.fr said

> On Tue, 25 Feb 2020 13:43:50 -0800,
> Chris <bsd-lists at BSDforge.com> wrote:
> 
> > On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb
> > kisscoolandthegangbang at hotmail.fr said
> >   
> > > Hi,
> > > 
> > > First, sorry, English is not my native language. I will try to be as
> > > precise as possible.
> > > 
> > > And also I am not sure it is only pf related. Let me know in that case,
> > > please. Maybe it would be for net and jail too.
> > > 
> > > So, I have two cases maybe related. 
> > > 
> > > The first one is about using an rdr translation rule.
> > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to reach
> > > one service from the outside. Using one rdr rule like this one, all seems
> > > to work fine. I have access to the service.
> > >   
> > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > 
> > > But in case I want to apply some options to this, I have to split it into
> > > three. This is the relevant part of my config that makes it work:
> > >   
> > > > # Emulate skip on lo0
> > > > pass    quick   on lo0  from 127.0.0.1  to 127.0.0.1
> > > > # jail internal comms
> > > > pass    quick   on lo0  from $j_one     to $j_one
> > > >
> > > > # other traffic (do not know yet why it is necessary and why no
> > > > # interface specified is mandatory)
> > > > pass    in      quick   proto tcp from any to $j_one port 443
> > > >
> > > > # block all on lo0
> > > > block   log     quick   on lo0
> > > >
> > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > > pass    in      quick   on $ext_if proto tcp from any to $j_one port 443
> > 
> > > 
> > > See the two lines at the end, which are the first two parts. The third
> > > part is the line after the "other traffic" comment. After a lot of trial
> > > and error, this line has to be written like that. I cannot add "on lo0"
> > > to this line or the service is not reachable.
> > > 
> > > I have been using jails for some time now and remember jail traffic
> > > being bound to lo0 before, even though in my configuration jails have
> > > another interface defined (generally a bridge).
> > > 
> > > So I would like to know why it isn't possible to restrict this rule
> > > further. I tried all the other interfaces present in my system, and
> > > those do not work either. Using tcpdump, I can't see the traffic related
> > > to this service on any interface except the external one. That is a
> > > little strange to me.
> > > 
> > > Finally, I will write another mail for the other case.  
> > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> > when I attempt these sorts of things, as it seems to simplify things in my
> > head.
> > For example, rc.conf
> > cloned_interfaces="lo1 lo2"
> > ifconfig_lo1="inet 127.0.0.2"
> > ifconfig_lo2="inet 127.0.0.3"  
> 
> IIRC, lo1, lo2, ... like bridges (bridge0, bridge1) are just "virtual
> interfaces" that help with the jail configuration file. Jail traffic is in
> reality going through lo0.
> When I started using jails, I was using lo1, lo2, ... too, but after trying
> once or twice with bridge interfaces, I decided to stay with bridges; in my
> head it was more like a switch for jails, and it worked the same way. Just
> a matter of preference.
Sure. Understood. :) The server I excerpt these from has a *much*
larger pf.conf(5), and manages (filters mostly) ~50 million IPs. I
chose things as they are, because somehow they made it easier in my head
at the time. :)
> > 
> > This allows me to treat them as any other NIC. I route as necessary via my
> > NIC to the outside world; pf.conf(5):
> > EXT_ADDR="ou.ts.ide.ip"
> > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> > table <trusted> persist file "/etc/TRUSTED"
> > 
> > 
> > set skip on { lo0, lo1, lo2 }  
> 
> You could just write set skip on lo0; that would have the same effect. I
> emulate this for host traffic because I filter inter-jail communications.
*Actually* it is enough to simply use lo, and in fact I still do. But there
were some changes to pf(4) (some I think should not have been made) that
currently prevent me from using that. I had to roll back one of our 12.x
servers because of the changes.
> > 
> > # this only represents the rule(s) for lo1 but should be helpful for
> > # additional rules on lo2 (or more)
> > nat pass on re0 from { lo1 } to any -> $EXT_ADDR  
> 
> Funny how you write this one. Maybe it's because I'm used to splitting it
> into nat and a pass as a second rule. IIUC the docs, it is possible to write
> it like this.
> 
> > rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR  
> 
> Funny for this one too. I suppose in this case re0 is the external
> interface.
> Shouldn't $EXT_ADDR be replaced with the jail's address? Or maybe I'm missing
> something?

To be honest, I've migrated many of my rules from ~releng8. It's what
worked at the time, and even though pf(4) has changed, I haven't. ;)
> > 
> > 
> > block in
> > pass out
> > 
> >   
> 
> With pass in the rdr translation rule, as said above, that works. My
> question was about when I use split rdr translation rules.
Sorry. I had difficulty fully determining your goal, as the rule lines
got wrapped in the email messages.
> 
> kaycee,
> 
> P.S. Resent because in first mail forgot pf list
NP. :)

--Chris
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
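The split rdr/pass form that the quoted message asks about, written out as an added example that is not part of this thread and is not either poster's configuration. Interface and address names (re0, 127.0.1.10, the tag RDR_J_ONE_HTTPS, the table name) are assumptions. The point it illustrates: pf applies translation before filtering, so a redirected packet reaches the filter still inbound on $ext_if but with its destination already rewritten to the jail address; it is then delivered locally and never transits lo0 as a pf-visible packet, which is why a "pass in on lo0" rule cannot match it and why the pass rule has to name $ext_if (or no interface). Tagging the rdr rule lets the pass rule match exactly the redirected packets, and the pass rule is where the options that "rdr pass" cannot express (logging, state limits, flags) go:

```pf
# Added example for FreeBSD 11.x/12.x pf.conf(5) syntax; not from the thread.
ext_if = "re0"          # external NIC (assumed name)
j_one  = "127.0.1.10"   # jail address, an alias on lo0 (assumed)

table <bruteforce> persist

# Keep or drop this line as you prefer; the rules below do not rely on lo0
# either way, because the redirected packet is never filtered there.
set skip on lo0

# Translation runs first. Tag the redirected packets so the filter rule can
# match them by tag instead of repeating the addresses. ($ext_if) in parens
# tracks the interface address if it changes.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 \
    tag RDR_J_ONE_HTTPS -> $j_one port 443

# Filtering runs second and sees the translated destination. The packet is
# still inbound on $ext_if, so that is the interface to match on. Options
# that a single "rdr pass" line cannot carry go here.
pass in log quick on $ext_if inet proto tcp from any to $j_one port 443 \
    tagged RDR_J_ONE_HTTPS flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush)

# Outbound connections from the jail leave with the external address.
nat on $ext_if inet from $j_one to any -> ($ext_if)

block in log on $ext_if
pass out on $ext_if keep state
```

Check it with `pfctl -nvf /etc/pf.conf` (parse only, verbose) before loading, then `pfctl -vvsr` after loading: the per-rule Evaluations/Packets counters show whether the tagged pass rule is the one matching, and `tcpdump -n -e -ttt -i pflog0` shows the logged packets with the rule number that matched. If the counters on the pass rule stay at zero while the service is reachable, some earlier rule (for instance a broad "pass in quick" with no interface) is matching first.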