On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb kisscoolandthegangb...@hotmail.fr said
Hi,
First, sorry, English is not my native language. I will try to be as precise as possible.
Also, I am not sure it is only pf related. Let me know in this case, please. Maybe it would be for net and jail too.
So, I have two cases, maybe related.
The first one is for using an rdr translation rule.
I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to reach one service from the outside. Using one rdr rule like this one, all seems to work fine. I have access to the service.
> rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
But in case I want to apply some options to this, I have to split it in 3. This is the relevant part of my config that makes it work:
> # Emulate skip on lo0
> pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> # jail internal comms
> pass quick on lo0 from $j_one to $j_one
>
> # other traffic (do not know yet why it is necessary and why specifying no interface is mandatory)
> pass in quick proto tcp from any to $j_one port 443
>
> # block all on lo0
> block log quick on lo0
>
> rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> pass in quick on $ext_if proto tcp from any to $j_one port 443
See the two lines at the end, which are the first two parts. The third part is the line after the "other traffic" comment. After a lot of trial and error, this line has to be written like that. I cannot add "on lo0" on this line or the service is not reachable.
I have been using jails for some time now and remember having jail traffic bound to lo0 before, even when in my configuration the jails have another interface defined (a bridge, generally).
So I would like to know why it isn't possible to restrict this rule more. I tried all other interfaces present in my system, and that does not work either.
Using tcpdump, I can't see the traffic related to this service on any interface except the external one. It's a little bit strange to me.
Finally, I will write another mail for the other case.
kaycee,
FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...) when I attempt these sorts of things, as it seems to simplify things in my head.
For example, rc.conf:
cloned_interfaces="lo1 lo2"
ifconfig_lo1="inet 127.0.0.2"
ifconfig_lo2="inet 127.0.0.3"
This allows me to treat them as any other NIC. I route as necessary to my NIC to the outside world; pf.conf(5):
EXT_ADDR="ou.ts.ide.ip"
# contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
table <trusted> persist file "/etc/TRUSTED"
set skip on { lo0, lo1, lo2 }
# this only represents the rule(s) for lo1 but should be helpful for
# additional rules on lo2 (or more)
nat pass on re0 from { lo1 } to any -> $EXT_ADDR
rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR
block in
pass out
HTH
--Chris
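For readers wanting to see the two messages above put together, the following is an added, complete configuration (written by the editor, not by either poster) that gives the jail its own loopback interface as Chris suggests and redirects the service port to it as kaycee does. It assumes the external NIC is re0 and the jail address is 127.0.0.2 on lo1 (both taken from Chris's reply), the jail is called j_one and serves TCP 443 (from kaycee's message); the jail path, hostname and the use of jail.conf are the editor's assumptions. The comments on the pf.conf part spell out why the pass rule for the redirected traffic has to name the jail address on the external interface rather than anything on lo0.

```conf
# --- /etc/rc.conf (excerpt; assumed layout) ---
# One loopback clone per jail keeps jail traffic off lo0 and lets pf
# treat the jail like a NIC of its own.
cloned_interfaces="lo1"
ifconfig_lo1="inet 127.0.0.2 netmask 255.255.255.255"
pf_enable="YES"
pflog_enable="YES"
jail_enable="YES"

# --- /etc/jail.conf (assumed; path and hostname are placeholders) ---
# The address is already configured on lo1 by rc.conf above, so the jail
# only claims it here instead of adding a second alias.
j_one {
    path = "/usr/jails/j_one";
    host.hostname = "j_one.example.invalid";
    ip4.addr = 127.0.0.2;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    persist;
}

# --- /etc/pf.conf (assumed) ---
ext_if   = "re0"          # external NIC named in the reply above
j_one    = "127.0.0.2"    # jail address living on lo1
svc_port = "443"          # the service kaycee exposes

# Loopback interfaces carry only host-local and jail traffic; leave them
# unfiltered rather than emulating "skip" with pass/block pairs on lo0.
set skip on { lo0, lo1 }

# Translation rules run before filter rules. An inbound packet for
# ($ext_if):443 has its destination rewritten to $j_one *before* the
# filter rules on $ext_if see it, so the matching pass rule must be
# "in on $ext_if ... to $j_one"; there is nothing to match on lo0 because
# the packet is delivered to the jail's address without leaving $ext_if.
nat on $ext_if inet from $j_one to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port $svc_port -> $j_one port $svc_port

# Default deny inbound and log the drops to pflog0; allow all outbound.
block in log
pass out quick keep state

# Only the redirected service reaches the jail from outside.
pass in quick on $ext_if inet proto tcp from any to $j_one port $svc_port flags S/SA keep state
```

Check the ruleset before loading it with `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf` and confirm with `pfctl -sn` and `pfctl -sr` that the translated rule shows `$j_one` expanded to 127.0.0.2. Because the inbound default is `block in log`, anything other than port 443 that arrives for the external address shows up on `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to see whether a missing pass rule, rather than the rdr, is what keeps a service unreachable.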
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"