Hi again,

Beeblebrox wrote:
I had some difficulty understanding the packet flow logic in your
explanation, so forgive me for asking once more. As an example from what you
indicated, does this ruleset do the job?

# Begin NAT & RDR rules
# For the privoxy jail
  nat pass in quick on $JailIf from !$JailIf to $JailIf port 8118 tag NAT_PRVX -> $j_privoxy port 8118
  nat pass out quick on $JailIf from $j_privoxy to !$JailIf port 8118 tag NAT_PRVX -> $JailIf port 80
NAT is only for outbound rules. Use rdr rules for inbound traffic.

Here is a rewrite: allow traffic from the DNS jail to leave on the external interface, with all ports open outbound, and reserve ports below 10000 on the external interface for inbound traffic.

nat on $ExtIf from $j_dns to !($ExtIf) tag NAT_DNS_JAIL -> ($ExtIf) port 10000:65535

That's it. The rest is to allow routing between jails and maybe local networks. NAT is only needed for traffic leaving on the external interface.

If you need to serve incoming traffic arriving on the external interface then use the rdr rules.


# For the unbound jail, there's a problem. Other jailed IPs on $JailIf will
# want a DNS server they can query.
  nat pass in quick on $JailIf proto {tcp,udp} from any to $j_dns port domain tag NAT_DNS -> $j_dns
  nat pass out quick on $JailIf proto {tcp,udp} from $j_dns to $ExtIf port domain tag NAT_PRVX -> $ExtIf

# Lastly
nat on $ExtIf from any to !($ExtIf) -> ($ExtIf)


Lastly, there should be filter rules. Example:
block on $ExtIf
# Allow all traffic regardless of source and destination port originating
# from the dns jail
pass quick on $ExtIf inet tagged NAT_DNS_JAIL

# Allow all traffic originating from the host
pass quick on $ExtIf

...

Also add scrub to ensure packets are not fragmented. This is needed for pf to work.

It looks to me like it still does not quite make complete sense.

Thanks for your time.
-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context: 
http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870320.html
Sent from the freebsd-pf mailing list archive at Nabble.com.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
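A complete pf.conf that puts the advice in this thread together (rdr for inbound to a jail, nat only on the external interface with translated source ports kept above 10000, tag/tagged filter rules, and scrub), as an added example that is not part of the thread; the interface names, jail addresses and LAN network are assumed values.

```conf
# Added example, not from the thread. Interface names, jail addresses and
# the LAN network below are assumed; adjust them to the real system.
ext_if    = "em0"            # assumed external interface
lan_if    = "em1"            # assumed LAN interface where proxy clients live
lan_net   = "192.168.1.0/24" # assumed LAN network
jail_if   = "lo1"            # assumed cloned loopback carrying the jail aliases
jail_net  = "10.0.0.0/24"    # assumed jail network
j_privoxy = "10.0.0.2"       # assumed privoxy jail address
j_dns     = "10.0.0.3"       # assumed unbound jail address

set skip on lo0

# Reassemble fragments before any translation or filtering is applied.
scrub in all

# Inbound to a jail is an rdr rule, not nat: LAN clients connect to the
# host's LAN address on 8118 and are redirected to the privoxy jail.
rdr on $lan_if proto tcp from $lan_net to ($lan_if) port 8118 tag RDR_PRVX -> $j_privoxy port 8118

# Outbound is nat, and only on the external interface. Translated source
# ports stay in 10000:65535 so the lower ports remain free for inbound services.
nat on $ext_if from $j_dns     to !($ext_if) tag NAT_DNS_JAIL  -> ($ext_if) port 10000:65535
nat on $ext_if from $j_privoxy to !($ext_if) tag NAT_PRVX_JAIL -> ($ext_if) port 10000:65535

# Filter rules come after the translation rules: default deny, then allow by tag.
block log all
pass in  quick on $lan_if  proto tcp tagged RDR_PRVX
pass out quick on $ext_if  inet tagged NAT_DNS_JAIL
pass out quick on $ext_if  inet proto tcp tagged NAT_PRVX_JAIL
# Other jails query the unbound jail directly; this is local traffic and needs no nat.
pass in  quick on $jail_if proto { tcp, udp } from $jail_net to $j_dns port domain
# Traffic originating from the host itself.
pass out quick on $ext_if  from ($ext_if)
```

Nothing is opened inbound on $ext_if, so any service the host must expose on the external interface needs its own rdr or pass in rule.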
