On Wed, 26 Feb 2020 10:31:59 +0000 kaycee gb kisscoolandthegangb...@hotmail.fr
said
On Tue, 25 Feb 2020 13:43:50 -0800,
Chris <bsd-li...@bsdforge.com> wrote:
> On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb
> kisscoolandthegangb...@hotmail.fr said
>
> > Hi,
> >
> > First, sorry, English is not my native language. I will try to be as
> > precise as possible.
> >
> > And also I am not sure it is only pf related. Let me know in that case,
> > please. Maybe it would be for net and jail too.
> >
> > So, I have two cases maybe related.
> >
> > The first one is for using an rdr translation rule.
> > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to join
> > one service from the outside. Using one rdr rule like this one, all seems
> > to work fine. I have access to the service.
> >
> > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> >
> > But in case I want to apply some options to this, I have to split it into 3.
> > This is the relevant part of my config that makes it work:
> >
> > > # Emulate skip on lo0
> > > pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> > > # jail internal comms
> > > pass quick on lo0 from $j_one to $j_one
> > >
> > > # other traffic (do not know yet why it is necessary and why no interface
> > > # specified is mandatory)
> > > pass in quick proto tcp from any to $j_one port 443
> > >
> > > # block all on lo0
> > > block log quick on lo0
> > >
> > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> > > pass in quick on $ext_if proto tcp from any to $j_one port 443
>
> >
> > See the two lines at the end, which are the first two parts. The third part
> > is the line after the "other traffic" comment. After a lot of trial and
> > error, this line has to be written like that. I cannot add "on lo0" on this
> > line or the service is not reachable.
> >
> > I've been using jails for some time now and remember having jail traffic
> > bound to lo0 before, even when in my configuration the jails have another
> > interface defined (a bridge, generally).
> >
> > So I would like to know why it isn't possible to restrict this rule more. I
> > tried all the other interfaces present in my system, and that does not work
> > either. Using tcpdump, I can't see the traffic related to this service on any
> > interface except the external one. It's a little bit strange to me.
> >
> > Finally, I will write another mail for the other case.
> FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> when I attempt these sorts of things, as it seems to simplify things in my
> head.
> For example, rc.conf:
> cloned_interfaces="lo1 lo2"
> ifconfig_lo1="inet 127.0.0.2"
> ifconfig_lo2="inet 127.0.0.3"
IIRC, lo1, lo2, ... like bridges bridge0, bridge1 are just "virtual interfaces"
that help with the jail configuration file. Jail traffic is in reality going
through lo0.
When I started using jails, I was using lo1, lo2, ... too, but after trying once
or twice with bridge interfaces, I decided to stay with bridges; in my head it
was more like a switch for jails, and that worked in the same way. Just a matter
of preference.
Sure. Understood. :) The server I excerpt these from has a *much*
larger pf.conf(1), and manages (filters mostly) ~50 million IPs. I
chose things as they are, because somehow they made it easier in my head
at the time. :)
>
> This allows me to treat them as any other NIC. I route as necessary to my
> NIC to the outside world; pf.conf(5):
> EXT_ADDR="ou.ts.ide.ip"
> # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> table <trusted> persist file "/etc/TRUSTED"
>
>
> set skip on { lo0, lo1, lo2 }
You could just write "set skip on lo0", that would have the same effect. I
emulate this for host traffic because I filter inter-jail communications.
*Actually* it is enough to simply use lo, and in fact I still do. But there
were some changes to pf(4), (some I think should not have been made) that
currently prevent me from using that. I had to roll back one of our 12.x
servers because of the changes.
>
> # this only represents the rule(s) for lo1 but should be helpful for
> # additional rules on lo2 (or more)
> nat pass on re0 from { lo1 } to any -> $EXT_ADDR
Funny how you write this one. Maybe I'm used to splitting it into nat and pass as
a second rule. IIUC the doc, it's possible to write it like this.
> rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR
Funny for this one too. I suppose in this case re0 is the external interface.
Shouldn't $EXT_ADDR be replaced with the jail's address? Or maybe I'm missing
something?
To be honest, I've migrated many of my rules from ~releng8. It's what
worked at the time, and even tho pf(4) has changed. I haven't. ;)
>
>
> block in
> pass out
>
>
With the "pass in" rdr translation rule, as said above, that works. My question
was for when I use the split rdr translation rules.
Sorry. I had difficulty fully determining your goal, as the rule lines
got wrapped in the email messages.
kaycee,
P.S. Resent because in first mail forgot pf list
NP. :)
--Chris
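The two forms the thread keeps coming back to, the single "rdr pass" rule and the split "rdr" + "pass in" pair, assembled into one complete pf.conf. This is an added example, not either poster's configuration: it assumes the external NIC is re0, the jail is bound to a cloned lo1 with address 127.0.0.2 (Chris's rc.conf style), and FreeBSD 11.x pf syntax (translation rules before filter rules). The ou.ts.ide.ip address is a placeholder. It deliberately does not attempt the lo0 inter-jail filtering that kaycee describes, since the thread leaves that behaviour unexplained; it skips lo0 as Chris does.

```pf
# Added example (not from the thread). Assumptions: ext NIC re0, jail "one"
# on cloned lo1 = 127.0.0.2, FreeBSD 11.x pf (nat/rdr before filter rules).
ext_if   = "re0"
ext_addr = "ou.ts.ide.ip"   # placeholder: the host's public address
j_one    = "127.0.0.2"

# Host loopback traffic is not filtered here (see caveat in the lead-in).
set skip on lo0

# Outbound from the jail leaves with the host's public source address.
nat on $ext_if inet from $j_one to any -> $ext_addr

# Inbound HTTPS to the host is redirected to the jail.
# Option A (single rule): translation and filter pass in one statement.
#   rdr pass on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
# Option B (split form, used below): the rdr only rewrites the destination.
# Because pf filters inbound packets AFTER translation, the pass rule has to
# match the translated destination ($j_one), not $ext_if port 443.
rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# Default deny inbound, allow outbound (Chris's base policy).
block in log
pass out keep state

# Only the redirected service is accepted on the external interface.
# The split form lets you attach options a bare "rdr pass" cannot carry,
# e.g. SYN-only matching and a state limit per source.
pass in quick on $ext_if inet proto tcp from any to $j_one port 443 \
    flags S/SA keep state (max-src-states 50)
```

Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it: -n parses without applying, which catches ordering mistakes such as a filter rule placed before a translation rule on 11.x. Test from outside the host, because, as the thread notes, the redirected flow is only visible with tcpdump on the external interface.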
_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"