On Wed, 26 Feb 2020 07:39:27 -0800, Chris <bsd-li...@bsdforge.com> wrote:

> On Wed, 26 Feb 2020 10:31:59 +0000 kaycee gb
> kisscoolandthegangb...@hotmail.fr said
>
> > On Tue, 25 Feb 2020 13:43:50 -0800,
> > Chris <bsd-li...@bsdforge.com> wrote:
> >
> > > On Tue, 25 Feb 2020 19:50:11 +0000 kaycee gb
> > > kisscoolandthegangb...@hotmail.fr said
> > >
> > > > Hi,
> > > >
> > > > First, sorry English is not my native language. I will try to be as
> > > > precise as possible.
> > > >
> > > > And also I am not sure it is only pf related. Let me know in this case
> > > > please. Maybe it would be for net and jail too.
> > > >
> > > > So, I have two cases maybe related.
> > > >
> > > > First one is for using rdr translation rule.
> > > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to join
> > > > one service from the outside. Using one rdr rule like this one, all
> > > > seems to work fine. I have access to the service.
> > > >
> > > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443
> > > > > -> $j_one port 443
> > > >
> > > > But in case I want to apply some options to this, I have to split it in
> > > > 3. This is the relevant part of my config that makes it work
> > > >
> > > > > # Emulate skip on lo0
> > > > > pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> > > > > # jail internal comms
> > > > > pass quick on lo0 from $j_one to $j_one
> > > > > # other traffic ( do not know yet why it is necessary and why no
> > > > > # interface specified is mandatory )
> > > > > pass in quick proto tcp from any to $j_one port 443
> > > > >
> > > > > # block all on lo0
> > > > > block log quick on lo0
> > > > >
> > > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 ->
> > > > > $j_one port 443
> > > > > pass in quick on $ext_if proto tcp from any to $j_one port 443
> > > >
> > > > See the two lines at the end which are the first two parts. The third
> > > > part is the line after the "other traffic" comment. After a lot of
> > > > error and retry, this line has to be written like that. I can not add
> > > > "on lo0" on this line or the service is not reachable.
> > > >
> > > > I'm using jails since some time now and remember having jail traffic
> > > > bound to lo0 before, even when in my configuration jails have another
> > > > interface defined (a bridge generally).
> > > >
> > > > So I would like to know why isn't it possible to limit this rule more?
> > > > I tried all other interfaces present in my system, and that does not
> > > > work either.
> > > > Using tcpdump, I can't see the traffic related to this service on any
> > > > interface except the external one. It's a little bit strange for me.
> > > >
> > > > Finally, I will write another mail for the other case.
> > > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> > > when I attempt these sort of things. As it seems to simplify things in my
> > > head.
> > > For example, rc.conf
> > > cloned_interfaces="lo1 lo2"
> > > ifconfig_lo1="inet 127.0.0.2"
> > > ifconfig_lo2="inet 127.0.0.3"
> >
> > IIRC, lo1 lo2 ... like bridges bridge0 bridge1 are just "virtual interfaces"
> > that help with the jail configuration file. Jail traffic is in reality going
> > through lo0.
> > When I started using jails, I was using lo1 lo2 ... too but after trying one
> > time or two with bridge interfaces, I decided to stay with bridges, it was
> > more in my head like a switch for jails, and that worked in the same way.
> > Just a matter of preference.
> Sure. Understood. :) The server I excerpt these from has a *much*
> larger pf.conf(1), and manages (filters mostly) ~50 million IPs. I
> chose things as they are, because somehow they made it easier in my head
> at the time. :)

50 million, it starts to be something :)

> > > This allows me to treat them as any other NIC. I route as necessary to my
> > > NIC to the outside world; pf.conf(5):
> > > EXT_ADDR="ou.ts.ide.ip"
> > > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> > > table <trusted> persist file "/etc/TRUSTED"
> > >
> > > set skip on { lo0, lo1, lo2 }
> >
> > You could just write set skip on lo0, that would have the same effect. I
> > emulate this for host traffic because I filter inter-jail communications.
> *Actually* it is enough to simply use lo, and in fact I still do. But there
> were some changes to pf(4), (some I think should not have been made) that
> currently prevent me from using that. I had to roll back one of our 12.x
> servers because of the changes.

Yeap, changes sometimes make us do that. :x 12.X seems to have introduced a
certain amount of changes. I have some sort of internal process for installing
my systems. Tried to install a 12.0 some weeks ago that way and it failed. Had
not investigated yet so I stay with 11.3 for the moment.

> > > # this only represents the rule(s) for lo1 but should be helpful for
> > > # additional rules on lo2 (or more)
> > > nat pass on re0 from { lo1 } to any -> $EXT_ADDR
> >
> > Funny how you write this one. Maybe I'm used to splitting it in nat and pass
> > as a second rule. IIUC the doc, it's possible to write it like this.
> >
> > > rdr pass on re0 proto tcp from any to { lo1 } -> $EXT_ADDR
> >
> > Funny for this one too. I suppose in this case re0 is the external
> > interface.
> > Shouldn't $EXT_ADDR be replaced with the jail's address? Or maybe I'm
> > missing something?
>
> To be honest, I've migrated many of my rules from ~releng8. It's what
> worked at the time, and even tho pf(4) has changed. I haven't. ;)

Maybe you should. At least investigate. 8 to 11 (???) is a long time

> > > block in
> > > pass out
> >
> > With the pass in rdr translation rule, like said above, that works. My
> > question was for when I use split rdr translation rules.
> Sorry. I had difficulty fully determining your goal. As the rule lines
> got wrapped in the email messages.

80 character long lines are not enough when you have to paste configurations
space or tab aligned ^^

> # Emulate skip on lo0
> pass quick on lo0 from 127.0.0.1 to 127.0.0.1
> # jail internal comms
> pass quick on lo0 from $j_one to $j_one
> # other traffic ( do not know yet why it is necessary and why no interface
> # specified is mandatory )
> pass in quick proto tcp from any to $j_one port 443
>
> # block all on lo0
> block log quick on lo0
>
> rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443
> pass in quick on $ext_if proto tcp from any to $j_one port 443

With that conf I had a hard time understanding why I need the "other traffic"
rule and why I could not specify an interface with the "on" clause to let the
traffic pass.

With deeper debugging, I found that I had this in my pf.conf

> private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16,
> 169.254/16"
> bcast_nets = "224.0.0.0/4, 255.255.255.255/32"
> table <ext_in> { $private_nets, $bcast_nets, $ext_if:broadcast }
>
> block in quick on $ext_if to <ext_in>

After splitting that to

> private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16,
> 169.254/16"
> bcast_nets = "224.0.0.0/4, 255.255.255.255/32"
> table <private> { $private_nets }
> table <cast> { $bcast_nets, $ext_if:broadcast }
>
> block in quick on $ext_if from <private>
> block in quick on $ext_if to <cast>

I have the configuration I was expecting and it's working. I wonder now why
blocking internal nets inbound on the external if was reacting like that. I
remember reading something about how pf does rdr operations. I have to confirm
this but for the moment it's ok.
It also solved my second case ^^

Thanks,
kaycee
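An added note and example, not part of the thread: the behaviour described above follows from a documented property of pf(4): translation rules (nat/rdr) are evaluated before filter rules, and filter rules see the already-translated packet. An inbound packet to $ext_if port 443 is rewritten to $j_one:443 before filtering; if $j_one lies inside 192.168/16, its new destination is in <ext_in>, so "block in quick on $ext_if to <ext_in>" drops the redirected connection. That is why a "pass in ... to $j_one port 443" was needed ahead of the block, and why it could not be restricted to lo0: the packet is still arriving on the external interface. The pf.conf below, written for this reply and not taken from either poster's configuration, places the two variants side by side. The interface name re0 and the jail address 192.168.10.2 are assumed values.

```pf
# Added example, not from the thread. Assumed: ext_if is re0 and the jail
# address is 192.168.10.2 (inside 192.168/16, hence inside $private_nets).
ext_if = "re0"
j_one  = "192.168.10.2"

# Same macro values as in the thread.
private_nets = "127/8, 10/8, 100.64/10, 172.16/12, 192/24, 192.168/16, 169.254/16"
bcast_nets   = "224.0.0.0/4, 255.255.255.255/32"

# --- Variant 1 (kept commented out): one table for both directions -----------
# rdr runs before filtering, so by the time the filter rules run the packet's
# destination is $j_one, which is in 192.168/16 and therefore in <ext_in>.
# "block ... to <ext_in>" matches the redirected packet and the service is
# unreachable unless an unrestricted "pass in ... to $j_one port 443" precedes it.
# table <ext_in> { $private_nets, $bcast_nets, $ext_if:broadcast }
# block in quick on $ext_if to <ext_in>

# --- Variant 2: check spoofed sources separately from cast destinations -----
table <private> { $private_nets }
table <cast>    { $bcast_nets, $ext_if:broadcast }

# In this pf version translation rules must precede filter rules in the file.
rdr on $ext_if inet proto tcp from any to $ext_if port 443 -> $j_one port 443

# Anti-spoofing: a packet arriving from the Internet must not claim a private
# source. The translated destination is not consulted here, so the rdr'd
# connection is unaffected.
block in quick on $ext_if from <private>
# Drop broadcast and multicast destinations; $j_one is in neither table.
block in quick on $ext_if to <cast>

# Filter on the translated destination and keep "on $ext_if": the packet
# arrives on the external interface, never on lo0.
pass in quick on $ext_if proto tcp from any to $j_one port 443
```

Before loading a change like this, `pfctl -nf /etc/pf.conf` parses the file without applying it, and `pfctl -sr` afterwards shows the loaded filter rules in evaluation order, which makes it easy to confirm which block rule a redirected packet would hit.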