Jails: pf blocks access to localhost of host system

Matthew Seaman matthew at FreeBSD.org
Mon Aug 16 21:41:24 UTC 2021


On 16/08/2021 22:31, Valeri Galtsev wrote:
> Dear Experts in pf and jails.
> 
> I am a recent refugee to pf from ipfw, which I was happily using for a 
> decade (why is a different story). I seem to be able to configure all I 
> need from pf, except one thing, which is jail access to localhost of the 
> host system.
> 
> I configure jails "by the book" (i.e. FreeBSD handbook); I do not use any 
> scripts facilitating a process that is simple enough for me. My jail 
> configuration is like the following:
> 
> # cat /etc/jail.conf
> 
> jailname {
>      host.hostname = "hostname.domainname";
>      ip4.addr = X.Y.Z.W; # address on public address space
>      devfs_ruleset=7;  // integer number of devfsrules_jail_bpf ruleset
>                        // in /etc/devfs.rules
>      persist;        // Required because there are no processes
>      exec.start = "/etc/rc.d/cron start; /etc/rc.d/syslogd start; /usr/local/etc/rc.d/apache24 start";
>      exec.stop = "/usr/local/etc/rc.d/apache24 stop; /etc/rc.d/syslogd stop; /etc/rc.d/cron stop";
> }
> 
> As you see, there is no lo0 configured in the jail. (I do have lo0 
> configured in jails on some machines, but I do not feel it is necessary in 
> this case). Now if a script from apache in that jail connects to port 25 on 
> localhost to send email, the connection goes to postfix, which I run on the 
> host system.
> 
> While I was using ipfw, having the rule allowing all traffic on lo0 to 
> pass (I figure) at the top of the rules did the trick. I cannot achieve the 
> same with pf. Searching on the web didn't help either.
> 
> Here is my pf.conf, simplified to the necessary minimum for debugging:
> 
> 
> # cat /etc/pf.conf
> ##################### BEGIN
> # macro name(s) for external interface(s).
> ext_if = "bce0"
> int_if = "bce1"
> 
> services = "{ 80 443 3306 5432 9102 }"
> 
> icmp_types = "{ echoreq unreach }"
> 
> # set a default deny everything policy.
> block all
> 
> # Allow all traffic on trusted interfaces
> pass quick from { lo0 $int_if } to any keep state
> 
> # keep state on any outbound tcp, udp or icmp traffic.
> # modulate the isn of
> # outgoing packets. (initial sequence number) broken operating systems
> # sometimes don’t randomize this number, making it guessable.
> pass out on $ext_if proto { tcp, udp, icmp } from any to any \
>      modulate state
> 
> # set a rule that allows inbound ssh traffic
> pass in on $ext_if proto tcp to port { 22 } \
>      keep state
> 
> # On workstation we will pass all outgoing traffic
> pass out all keep state
> 
> # We pass what comes to our services (but DHCP is taken care of above)
> pass in on $ext_if proto { tcp udp } to port $services
> 
> # and icmp types we want
> pass inet proto icmp icmp-type $icmp_types
> 
> ##################### END
> 
> 
> If I am inside jail the command
> 
> telnet localhost 25
> 
> successfully connects to postfix running on the host system. When I enable pf 
> with the rules as above, a similar connection from inside the jail just hangs.
> 
> I was assuming the rule:
> 
> pass quick from { lo0 $int_if } to any keep state
> 
> will do the trick, but no, the connection from inside jail to host 
> system localhost port 25 is blocked by pf.
> 
> 
> Can someone give me any pointers for this particular case?
> 
> Thanks a lot in advance for your pointers!
> 
> Valeri
> 
> 
> PS I know I can do the following and it will work: configure lo0 in the 
> jail (splitting part of 127.0.0.0/8 away from the host to the guest/jail) and 
> run postfix in the jail. But being able to tell pf what I want it to [not] 
> do would be preferable.
> 

Try:

set skip on { lo0 $int_if }

(and delete any filtering rules on lo0 or $int_if)

which tells pf not to touch any packets traversing those interfaces.

	Cheers,

	Matthew
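
As an added illustration (not part of either message in the thread), here is Valeri's pf.conf with Matthew's suggestion applied. The reason the original rule did not match is worth spelling out: in pf, `from lo0` is an address specification and expands to the addresses assigned to lo0 (127.0.0.1 and ::1), not to "packets on interface lo0". A jail that has no loopback address of its own carries its localhost connections on the jail's assigned IPv4 address (X.Y.Z.W), so the packet arrives on lo0 with a non-127 source and falls through to `block all`. `set skip on` is keyed on the interface, so it matches regardless of address. The interface names, ports and ICMP types are those from the quoted config and are assumed to still be correct for the host.

```pf
# Constructed example: Valeri's quoted pf.conf with "set skip" applied.
# Not the configuration of either poster.

# macro name(s) for external interface(s).
ext_if = "bce0"
int_if = "bce1"

services = "{ 80 443 3306 5432 9102 }"

icmp_types = "{ echoreq unreach }"

# Options must precede filter rules. Exempt loopback and the internal
# interface from pf entirely: packets on these interfaces are neither
# filtered nor state-tracked, so no "pass ... lo0" rule is needed and the
# old "pass quick from { lo0 $int_if }" rule is removed (it matched only
# packets *from the loopback addresses*, not traffic *on* lo0).
set skip on { lo0 $int_if }

# If lo0 must stay under pf (for example to log it), the interface-based
# form is the equivalent filter rule:
#   pass quick on lo0 all

# set a default deny everything policy.
block all

# keep state on any outbound tcp, udp or icmp traffic and modulate the
# initial sequence number of outgoing packets.
pass out on $ext_if proto { tcp udp icmp } from any to any \
     modulate state

# allow inbound ssh traffic
pass in on $ext_if proto tcp to port 22 keep state

# pass all other outgoing traffic
pass out all keep state

# pass what comes to our services
pass in on $ext_if proto { tcp udp } to port $services keep state

# and the icmp types we want
pass inet proto icmp icmp-type $icmp_types
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, which catches ordering mistakes such as a `set` option placed after the first filter rule. Note that `set skip on $int_if` removes every pf check from the internal interface, including stateful tracking, so any filtering you did want on that side of the host has to be expressed elsewhere (for example on `$ext_if` or inside the jail).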

