question re: PF and forwarding

Littlefield, Tyler tyler at tysdomain.com
Tue Mar 29 15:40:18 UTC 2016


On 3/29/2016 4:59 AM, krad wrote:
> what network topology are the jails nics on? I presume its not vnet
> as that doesnt play well with PF. Your rules hint at the jails
> being on loopback. If so can you put them on a separate ip on your
> subnet as pf can still filter them fine there, and you will find
> the ruleset a bit easier to manage. If those 192 addresses arent on
> loopback and are on the same subnet as the hosts ip on igb0, why
> are you natting them, this will probably cause issues?
> 

I have tried with them as aliases on IGB0 (my subnet for external is
10.21.96.0/24 and my jails subnet is 192.168.0.1/24). This should work
fine. I also have put them on loopback, just for giggles to see if
they would still forward. I can connect through just fine (from
jail->host->outside), but I can not connect to port 445/etc on the
host. I have gateway enabled in rc.conf and IPv4 and IPv6 (although not
relevant) have forwarding enabled via sysctl. I'm unclear as to why
the ports would not be forwarded through from host->jail and not
really sure how to test that.
Thanks,
> 
> 
> On 28 March 2016 at 21:23, Littlefield, Tyler <tyler at tysdomain.com> wrote:
> 
> All, sorry for the multiple emails recently. I'm working to get my
> server set up here so I can begin doing some dev on BHyve once that
> is all finalized. I am jailing my services like minidlna samba and
> unbound and am using PF to forward those. For whatever reason I do
> not see the ports I specify as open ports, but the individual
> addresses show them when I connect from within my server. For
> example, I can telnet 192.168.0.2 445 and that works fine in terms
> of establishing a connection. I was hoping that someone might see
> any connection here. Here is my pf.conf.
> ***
> if="igb0"
> addr="10.21.96.128"
> samba_addr="192.168.0.2"
> dlna_addr="192.168.0.3"
> unbound_addr="192.168.0.4"
> tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> 
> set skip on lo
> set loginterface $if
> scrub in all
> 
> #allow jails through
> nat on $if inet from $samba_addr to any tag jail_samba -> $addr
> nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
> nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
> #portforward to jails.
> #unbound
> rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
> rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
> #samba
> rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
> rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
> 
> #rules
> pass quick on lo1
> pass from igb0:network to any keep state
> 
> #default policy: deny
> antispoof quick for { $if lo }
> block in all
> #accept TCP ports.
> pass in on $if proto tcp from any to any port $tcp_services
> pass in on $if proto udp from any to any port $udp_services
> ***
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
> 
> 

-- 
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc

