From owner-freebsd-pf@FreeBSD.ORG Sun Jan 31 00:50:09 2010
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6BE551065692 for ; Sun, 31 Jan 2010 00:50:09 +0000 (UTC) (envelope-from jkkn@jkkn.dk)
Received: from blackbird.jkkn.net (blackbird.home6.jkkn.net [IPv6:2001:16d8:dd04:0:207:e9ff:fe62:64be]) by mx1.freebsd.org (Postfix) with ESMTP id 0E27B8FC0A for ; Sun, 31 Jan 2010 00:50:08 +0000 (UTC)
Received: from [192.168.2.2] (online.jkkn.net. [83.91.180.61]) (authenticated bits=0) by blackbird.jkkn.net (envelope-from jkkn@jkkn.dk) (8.14.3/8.14.3) with ESMTP id o0V0o3H9005592 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Sun, 31 Jan 2010 01:50:04 +0100 (CET) (envelope-from jkkn@jkkn.dk)
Message-ID: <4B64D3B6.3050400@jkkn.dk>
Date: Sun, 31 Jan 2010 01:49:58 +0100
From: Kristian Kræmmer Nielsen
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.7) Gecko/20100111 Thunderbird/3.0.1
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
References: <4B63B165.2020809@jkkn.dk>
In-Reply-To: <4B63B165.2020809@jkkn.dk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=2.1 required=5.0 tests=RCVD_IN_PBL, RCVD_IN_SORBS_DUL, SPF_PASS autolearn=no version=3.2.5
X-Spam-Report:
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.5 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
 *      [83.91.180.61 listed in zen.spamhaus.org]
 *  1.6 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
 *      [83.91.180.61 listed in dnsbl.sorbs.net]
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on blackbird.jkkn.net
X-Virus-Scanned: clamav-milter 0.95.3 at blackbird.jkkn.net
X-Virus-Status: Clean
Subject: Re: Possible bug: pf ignores "reply-to" in block-rules
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Sun, 31 Jan 2010 00:50:09 -0000

Hey again,

I have been looking through the source code of pf and wondering if this might be an issue with all packets that pf initiates and sends by itself?

As far as I can tell pf uses the method "pf_send_tcp" to initiate packets from itself, like the reset packet used by "block return" rules. But routes like route-to/dup-to/reply-to seem only to be handled in "pf_route", which is only used for the packets pf processes.

THE ISSUE: The problem is "pf_send_tcp" does not really call "pf_route" at any time, so I guess routing is not handled at all for these packets?

Would we dare to call pf_route() somewhere in pf_send_tcp() to fix this - could someone give me a hint on this?
I also discovered an unrelated issue: in the source code of pf_route() I see a comment saying "Copied from FreeBSD 5.1-CURRENT ip_output" - this code seems quite old, e.g. there is no support for IPSEC in the copied code. Both outside the FreeBSD special case and in ip_output in CURRENT there are additional checks for IPSEC - I am not using IPSEC myself, but we might also have trouble routing IPSEC traffic until this copied code is updated?

Hope someone can hint me on pf_send_tcp/pf_route.

Thanks,
Kristian

On 30-01-2010 05:11, Kristian Kræmmer Nielsen wrote:
> Hey,
>
> I am experiencing an issue using reply-to on block rules.
>
> I am a "nice" firewall administrator and always use "block return"
> rules, so that pf sends nice reset packets back to clients if they
> attempt to connect to a port that pf is set up to block.
>
> My setup is using a gif0 tunnel to tunnel specific traffic from
> another public IP address to the server. Since it is important that
> packets are then routed back the same way and not using the
> default route, I use "pass in reply-to gif0" rules and this worked
> perfectly for all incoming traffic.
>
> But, on my "block return in gif0 reply-to gif0" - pf seems to simply
> ignore the reply-to parameter and instead decides to send the packets
> back using the default route.
>
> I see the packets go out on the wrong interface, in my case my
> ethernet interface (em0), that is the default route for the server.
>
> Could someone check to see if pf respects "reply-to" when sending
> reset packets (block return)?
>
> Or if that is not the case explain to me what "reply-to" is supposed to
> do on "block" rules?
>
> Best regards,
> Kristian Kræmmer Nielsen,
> Odense, Denmark
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

From owner-freebsd-pf@FreeBSD.ORG Mon Feb 1 11:07:03 2010
Date: Mon, 1 Feb 2010 11:07:02 GMT
Message-Id: <201002011107.o11B72Z3062875@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
X-List-Received-Date: Mon, 01 Feb 2010 11:07:03 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o conf/142961  pf     [pf] No way to adjust pidfile in pflogd
o conf/142817  pf     [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf     [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf     [pf] pf behaviour changes - must be documented
o kern/137982  pf     [pf] when pf can hit state limits, random IP failures
o kern/136781  pf     [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf     [pf] [gre] pf not natting gre protocol
o kern/135162  pf     [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf     [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf     [pf] max-src-conn issue
o kern/132769  pf     [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf     [pf] pf stalls connection when using route-to [regress
o conf/130381  pf     [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf     [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf     [pf] deadlock in pf
f kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf     pfsync fails to sucessfully transfer some sessions
o kern/103281  pf     pfsync reports bulk update failures
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o bin/86635    pf     [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf     [pf] cbq scheduler cause bad latency

40 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Feb 2 09:47:26 2010
From: Vadym Chepkov
Date: Tue, 2 Feb 2010 04:22:04 -0500
To: freebsd-pf@FreeBSD.org
Subject: pf and enc0
X-List-Received-Date: Tue, 02 Feb 2010 09:47:27 -0000

Hi,

I have stumbled on a problem and I am not sure if it's a bug or a feature.

very simple block rules

# pfctl -sr | grep block
block return in log on bge0 all
block return in quick on bge0 from to any
block return out quick on bge0 from any to

bge0 is my WAN interface, I have FreeBSD 6.4

I enabled IPSEC in my kernel

options FAST_IPSEC
options IPSEC_NAT_T
device enc
device crypto
device cryptodev

and all works fine until I do 'ifconfig enc0 up'
after that traffic coming through ipsec tunnel is getting rejected and I can see it's recorded in pflog0

I am not sure why and how to prevent this from happening.
Thanks,
Vadym Chepkov

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 2 09:51:07 2010
From: Vadym Chepkov
In-Reply-To: <1FDF0CD4-43E2-449D-9B19-648E8A3EFC8B@xgs-france.com>
Date: Tue, 2 Feb 2010 04:51:04 -0500
Message-Id: <3EFB5293-0CCA-41F7-B5DF-B309197EC343@gmail.com>
References: <1FDF0CD4-43E2-449D-9B19-648E8A3EFC8B@xgs-france.com>
To: dug
Cc: freebsd-pf@FreeBSD.org
Subject: Re: pf and enc0
X-List-Received-Date: Tue, 02 Feb 2010 09:51:07 -0000

But I don't "block" it, I thought default is to "pass" ?

On Feb 2, 2010, at 4:48 AM, dug wrote:

> Hello,
>
> You have to allow this traffic on your enc0 interface.
> It's not a bug.
>
>
> On 2 Feb 2010, at 10:22, Vadym Chepkov wrote:
>
>> Hi,
>>
>> I have stumbled on a problem and I am not sure if it's a bug or a feature.
>>
>> very simple block rules
>>
>> # pfctl -sr | grep block
>> block return in log on bge0 all
>> block return in quick on bge0 from to any
>> block return out quick on bge0 from any to
>>
>> bge0 is my WAN interface, I have FreeBSD 6.4
>>
>> I enabled IPSEC in my kernel
>>
>> options FAST_IPSEC
>> options IPSEC_NAT_T
>> device enc
>> device crypto
>> device cryptodev
>>
>> and all works fine until I do 'ifconfig enc0 up'
>> after that traffic coming through ipsec tunnel is getting rejected and I can see it's recorded in pflog0
>>
>> I am not sure why and how to prevent this from happening.
>>
>> Thanks,
>> Vadym Chepkov
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>>
>

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 2 17:54:54 2010
Message-ID: <4B6866D5.4060405@gmail.com>
Date: Tue, 02 Feb 2010 19:54:29 +0200
From: Stefan
To: freebsd-pf@freebsd.org
Subject: toute-to on lo0 not working?
X-List-Received-Date: Tue, 02 Feb 2010 17:54:54 -0000

Hi

In my quest to route traffic originating on the freebsd machine, I've managed to loop back outbound traffic via lo0 so that I can try and route it inbound on lo0 (pf can't apply route-to logic to outbound traffic; by then it's too late to try and route it over a different interface).

The loopback works when I switch off skip on lo0, and pass all lo0 traffic, so that traffic is definitely processed by pf. I also know the looping works, because when I try to ping an outside IP, I get a response that the TTL has been exceeded, and traceroute shows repeating entries of 127.0.0.1 (in other words, the packets just loop back through the pf box repeatedly till their TTL is exceeded).

The problem is the moment I change my rule to try and route the inbound traffic on lo0, the packets just seem to go nowhere. They are not routed correctly and I can't tell what happens to them. In the ruleset below, enabling the second rule results in the packets looping back to the pf box repeatedly, and the first rule results in the packets "disappearing". The only difference is the route-to statement, which works for all traffic originating elsewhere on the lan.

#pass in quick on lo0 route-to (adsl-int0 196.210.140.129) from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
#pass in quick on lo0 from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
pass out quick all $KEEPSTATE tagged zSA_Local
pass quick on lo0

Please help! I really need to route traffic originating on the pf box via pf, and not via rtables!

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 2 22:21:02 2010
To: FreeBSD-gnats-submit@freebsd.org
From: olli hauer
Message-Id: <20100202222044.C2F2526183@u18-124.dsl.vianetworks.de>
Date: Tue, 2 Feb 2010 23:20:44 +0100 (CET)
Cc: freebsd-pf@freebsd.org
Subject: [patch] outgoing states are not killed by authpf
Reply-To: olli hauer
X-List-Received-Date: Tue, 02 Feb 2010 22:21:02 -0000

>Submitter-Id: current-users
>Originator: olli hauer
>Organization:
>Confidential: no
>Synopsis: [patch] outgoing states are not killed by authpf
>Severity: non-critical
>Priority: low
>Category: kern
>Class: sw-bug
>Release: FreeBSD 7.2-RELEASE-p6 i386
>Environment:
System: FreeBSD 7.2-RELEASE-p6

>Description:
Outgoing states are not killed by authpf, since psk.psk_af is overridden in authpf_kill_states with the No. of killed states for incoming ipsrc.

The patch is only needed until code from OpenBSD >= 200811 is merged into FreeBSD, since OpenBSD 4.4+ returns the No. of killed states in psk.psk_killed.

The OpenBSD change is not documented in the man page at the moment, but you can find it in the source (net/pfvar.h). I found it this way by hacking snortsam.

Please also see my PR 140369 to correct the man page for FreeBSD.

From man (4) pf:
    DIOCKILLSTATES struct pfioc_state_kill *psk
        Remove matching entries from the state table. This ioctl returns the number of killed states in psk_af.
Here are the structs from FreeBSD and OpenBSD

FreeBSD:
struct pfioc_state_kill {
        /* XXX returns the number of states killed in psk_af */
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
};

OpenBSD_4.4/4.5:
struct pfioc_state_kill {
        struct pf_state_cmp     psk_pfcmp;
        sa_family_t             psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
        char                    psk_label[PF_RULE_LABEL_SIZE];
        u_int                   psk_killed;
};

>How-To-Repeat:

>Fix:
The following patch saves the sa_family into a variable 'saf' and restores psk.psk_af to this family after killing states from incoming ipsrc.

--- patch_authpf.c begins here --- Index: base/stable/7/contrib/pf/authpf/authpf.c =================================================================== --- base/stable/7/contrib/pf/authpf/authpf.c (revision 203401) +++ base/stable/7/contrib/pf/authpf/authpf.c (working copy) @@ -788,14 +788,15 @@ authpf_kill_states(void) { struct pfioc_state_kill psk; struct pf_addr target; + sa_family_t saf; /* safe AF_INET family */ memset(&psk, 0, sizeof(psk)); memset(&target, 0, sizeof(target)); if (inet_pton(AF_INET, ipsrc, &target.v4) == 1) - psk.psk_af = AF_INET; + psk.psk_af = saf = AF_INET; else if (inet_pton(AF_INET6, ipsrc, &target.v6) == 1) - psk.psk_af = AF_INET6; + psk.psk_af = saf = AF_INET6; else { syslog(LOG_ERR, "inet_pton(%s) failed", ipsrc); return;
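Review bot: the comment on the new declaration in this hunk, `+ sa_family_t saf; /* safe AF_INET family */`, misdescribes the variable: it holds a saved copy of whichever family inet_pton matched, AF_INET6 included, and "safe" reads as a typo for "saved". Suggest `/* saved psk_af; DIOCKILLSTATES overwrites psk_af with the kill count */` so the reason for the extra variable is visible at the declaration (the restore comment in the following hunk, "restore AF_INET", has the same AF_INET-only wording). The double assignments `psk.psk_af = saf = AF_INET;` / `psk.psk_af = saf = AF_INET6;` are correct; an alternative with no restore step is to set `psk.psk_af = saf;` immediately before each DIOCKILLSTATES call, which also keeps the returned kill count available for logging before it is discarded.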
@@ -809,6 +810,9 @@ authpf_kill_states(void) if (ioctl(dev, DIOCKILLSTATES, &psk)) syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)"); + /* restore AF_INET, since it contains now the Nr. of killed states */ + psk.psk_af = saf; + /* Kill all states to ipsrc */ memset(&psk.psk_src, 0, sizeof(psk.psk_src)); memcpy(&psk.psk_dst.addr.v.a.addr, &target,
--- patch_authpf.c ends here ---

From owner-freebsd-pf@FreeBSD.ORG Tue Feb 2 22:42:34 2010
Date: Tue, 2 Feb 2010 22:42:33 GMT
Message-Id: <201002022242.o12MgXJR097475@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: bin/143504: [patch] outgoing states are not killed by authpf(8)
X-List-Received-Date: Tue, 02 Feb 2010 22:42:34 -0000

Old Synopsis: [patch] outgoing states are not killed by authpf
New Synopsis: [patch] outgoing states are not killed by authpf(8)

Responsible-Changed-From-To: freebsd-bugs->freebsd-pf
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Feb 2 22:41:40 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=143504

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 3 02:59:59 2010
Sender: "J. Hellenthal"
Date: Tue, 2 Feb 2010 21:59:34 -0500
From: jhell
To: Stefan
In-Reply-To: <4B6866D5.4060405@gmail.com>
References: <4B6866D5.4060405@gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-OpenPGP-Key-Id: 0x89D8547E
X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E
Cc: freebsd-pf@freebsd.org
Subject: Re: toute-to on lo0 not working?
X-List-Received-Date: Wed, 03 Feb 2010 02:59:59 -0000

On Tue, 2 Feb 2010 12:54, stefanferreira@ wrote:

> Hi
>
> In my quest to route traffic originating on the freebsd machine, I've managed
> to loop back outbound traffic via lo0 so that I can try and route it inbound
> on lo0 (pf can't apply route-to logic to outbound traffic; by then it's too
> late to try and route it over a different interface).
>
> The loopback works when I switch off skip on lo0, and pass all lo0 traffic,
> so that traffic is definitely processed by pf. I also know the looping works,
> because when I try to ping an outside IP, I get a response that the TTL has
> been exceeded, and traceroute shows repeating entries of 127.0.0.1 (in other
> words, the packets just loop back through the pf box repeatedly till their
> TTL is exceeded).
>
> The problem is the moment I change my rule to try and route the inbound
> traffic on lo0, the packets just seem to go nowhere. They are not routed
> correctly and I can't tell what happens to them. In the ruleset below,
> enabling the second rule results in the packets looping back to the pf box
> repeatedly, and the first rule results in the packets "disappearing". The
> only difference is the route-to statement, which works for all traffic
> originating elsewhere on the lan.
>
> #pass in quick on lo0 route-to (adsl-int0 196.210.140.129) from any to !
> $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local
> #pass in quick on lo0 from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label
> zSA_Local tag zSA_Local
> pass out quick all $KEEPSTATE tagged zSA_Local
> pass quick on lo0
>
> Please help! I really need to route traffic originating on the pf box via pf,
> and not via rtables!
>

Have you tried implementing "binat" and possibly making use of rdr while using some tables to hold your addresses and subnets ?

# BINAT
# Translate outgoing packets' source address (any protocol).
# Translate incoming packets' destination address to an internal machine
# (bidirectional).
binat on $ext_if from 10.1.2.150 to any -> $ext_ifA

you could change that to:
binat on $ext_if from to any -> $ext_ifA

Looping traffic that is originating internally back around to a loopback interface is not going to solve this, and it will cause you a lot more frustration.

Best of luck.
--
jhell

From owner-freebsd-pf@FreeBSD.ORG Wed Feb 3 20:17:57 2010
Message-ID: <4B69D9E4.2040705@gmail.com>
Date: Wed, 03 Feb 2010 22:17:40 +0200
From: Stefan User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b1 Thunderbird/3.0 MIME-Version: 1.0 To: jhell References: <4B6866D5.4060405@gmail.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-pf@freebsd.org Subject: Re: toute-to on lo0 not working? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Feb 2010 20:17:57 -0000 Wouldn't the same problem then apply? By the time pf sees packets originating on the pf box itself, they are already outbound on a specific interface, and cannot be routed to the correct interface. I think I'll have to use rtables after all. That just means I'm limited to destination routing only and not full policy routing. It also seems that the "loopback" option (two bridged tap interfaces) can't work because the packets always bypass the actual full stack of the interfaces. The only weird thing with that is that when I set my default route to tap0 and block inbound on tap1 (bridged to tap0), the pings are stopped, but when I pass the traffic it does loop until TTL expires. This suggests that pf does indeed see those packets, yet when I try to apply routes to them inbound on tap1, they go nowhere... I'm convinced that I just don't know the interactions between pf nat, pf route-to and rtables well enough to crack this one... On 2010-02-03 04:59, jhell wrote: > > On Tue, 2 Feb 2010 12:54, stefanferreira@ wrote: >> Hi >> >> In my quest to route traffic originating on the freebsd machine, I've >> managed to loop back outbound traffic via lo0 so that I can try and >> route it inbound on lo0 (pf can't apply route-to logic to outbound >> traffic; by then it's too late to try and route it over a different >> interface). 
>> >> The loopback works when I switch off skip on lo0, and pass all lo0 >> traffic, so that traffic is definitely processed by pf. I also know >> the looping works, because when I try to ping an outside IP, I get a >> response that the TTL has been exceeded, and traceroute shows >> repeating entries of 127.0.0.1 (in other words, the packets just loop >> back through the pf box repeatedly till their TTL is exceeded). >> >> The problem is the moment I change my rule to try and route the >> inbound traffic on lo0, the packets just seem to go nowhere. They are >> not routed correctly and I can't tell what happens to them. In the >> ruleset below, enabling the second rule results in the packets >> looping back to the pf box repeatedly, and the first rule results in >> the packets "disappearing". The only difference is the route-to >> statement, which works for all traffic originating elsewhere on the lan. >> >> #pass in quick on lo0 route-to (adsl-int0 196.210.140.129) from any >> to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT label zSA_Local tag zSA_Local >> #pass in quick on lo0 from any to ! $IPs_LAN $KEEPSTATE $ALTQ_DEFAULT >> label zSA_Local tag zSA_Local >> pass out quick all $KEEPSTATE tagged zSA_Local >> pass quick on lo0 >> >> Please help! I really need to route traffic originating on the pf box >> via pf, and not via rtables! >> > > Have you tried implementing "binat" and possibly making use of rdr > while using some tables to hold your addresses and subnets ? > > # BINAT > # Translate outgoing packets' source address (any protocol). > # Translate incoming packets' destination address to an internal machine > # (bidirectional). > binat on $ext_if from 10.1.2.150 to any -> $ext_ifA > > you could change that to: > binat on $ext_if from to any -> $ext_ifA > > Looping traffic that is originating internally back around to a > loopback interface is not going to solve this, and it will cause you a > lot more frustration. > > Best of luck. 
> From owner-freebsd-pf@FreeBSD.ORG Thu Feb 4 10:21:41 2010 Return-Path: Delivered-To: freebsd-pf@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 38669106566B; Thu, 4 Feb 2010 10:21:41 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0FEA38FC0C; Thu, 4 Feb 2010 10:21:41 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id o14ALeFJ015106; Thu, 4 Feb 2010 10:21:40 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id o14ALedw015102; Thu, 4 Feb 2010 10:21:40 GMT (envelope-from linimon) Date: Thu, 4 Feb 2010 10:21:40 GMT Message-Id: <201002041021.o14ALedw015102@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-pf@FreeBSD.org 
From: linimon@FreeBSD.org Cc: Subject: Re: kern/143543: [pf] [panic] PF route-to causes kernel panic X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Feb 2010 10:21:41 -0000 Old Synopsis: PF route-to causes kernel panic New Synopsis: [pf] [panic] PF route-to causes kernel panic Responsible-Changed-From-To: freebsd-bugs->freebsd-pf Responsible-Changed-By: linimon Responsible-Changed-When: Thu Feb 4 10:21:23 UTC 2010 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=143543 From owner-freebsd-pf@FreeBSD.ORG Fri Feb 5 12:43:05 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7DC7106566B; Fri, 5 Feb 2010 12:43:05 +0000 (UTC) (envelope-from Albert.Shih@obspm.fr) Received: from smtp-int-m.obspm.fr (smtp-int-m.obspm.fr [145.238.187.15]) by mx1.freebsd.org (Postfix) with ESMTP id 4D0B48FC12; Fri, 5 Feb 2010 12:43:04 +0000 (UTC) Received: from obspm.fr (pcjas.obspm.fr [145.238.184.233]) by smtp-int-m.obspm.fr (8.14.3/8.14.3/SIO Observatoire de Paris - 07/2009) with ESMTP id o15CWsGN022893 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 5 Feb 2010 13:32:56 +0100 Date: Fri, 5 Feb 2010 13:32:54 +0100 
From: Albert Shih To: freebsd-jail@freebsd.org, freebsd-pf@freebsd.org Message-ID: <20100205123254.GN11310@obspm.fr> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.5.20 (2009-06-14) X-Miltered: at smtp-int-m.obspm.fr with ID 4B6C0FF6.000 by Joe's j-chkmail (http : // j-chkmail dot ensmp dot fr)! X-j-chkmail-Enveloppe: 4B6C0FF6.000/145.238.184.233/pcjas.obspm.fr/obspm.fr/ X-j-chkmail-Score: MSGID : 4B6C0FF6.000 on smtp-int-m.obspm.fr : j-chkmail score : . : R=. U=. O=. B=0.012 -> S=0.012 X-j-chkmail-Status: Ham Cc: Subject: How make the route-to working ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Feb 2010 12:43:05 -0000 Hi all, I have a problem with route-to. I have a server with 2 interfaces, and I'm running jails on this server. Each interface has its own public IP address. eth0 -- IP0 eth1 -- IP1 and I have a default route (for example in the IP0 subnet). So if the jail is in the IP0 subnet there is no problem, everything works. Now if I put a jail in the IP1 subnet, and some client tries to connect to this jail, the answer comes out through eth0 because of the default route (suppose the client is not on my subnet). I don't want that. I want the answer to come out through eth1. I'm trying to use pf to do that and put in my pf.conf something like pass in all pass out all pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! IP1_subnet but it's not working; if I run a tcpdump on the host I can see the incoming packet come in on eth1 and the outgoing one go out on eth0. And if I try to remove the default route the outgoing packets don't come out at all.... Any help ? Regards. 
-- Albert SHIH SIO batiment 15 Observatoire de Paris Meudon 5 Place Jules Janssen 92195 Meudon Cedex Téléphone : 01 45 07 76 26/06 86 69 95 71 Heure local/Local time: Ven 5 fév 2010 13:25:02 CET From owner-freebsd-pf@FreeBSD.ORG Fri Feb 5 12:56:49 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4FFF3106566B for ; Fri, 5 Feb 2010 12:56:49 +0000 (UTC) (envelope-from stefanferreira@gmail.com) Received: from mail-qy0-f190.google.com (mail-qy0-f190.google.com [209.85.221.190]) by mx1.freebsd.org (Postfix) with ESMTP id 03C778FC19 for ; Fri, 5 Feb 2010 12:56:48 +0000 (UTC) Received: by qyk28 with SMTP id 28so1730434qyk.25 for ; Fri, 05 Feb 2010 04:56:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; bh=BVpEj1zvc7QxFQerdBMP3tM20/4LpoSSjefNViGoFJ8=; b=qBEPuAr8523tzQRII90QWOiY8mZNNEg9uCzx1GvzIuhrB8lF26YnMojyqZC9HwQp6/ UUzIs5zOKyUKnAIYOhXMfM9wQY4Y3DMq1ufnLol+kMz2BwFFiVaEDRyg0AcLjeoPmty2 4Pa2n5vtvmVViavyiVJyiajmVPcsiS9isQuLg= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; b=PuN8fAX0xZzuRdefPWjCDLsaVRUwohXCqqgiipScB+SVaurJSug30QsB5RTSWwh/jV c3BHkJJ0YHI1nXo2jWHONOBQ+DD3tSu3iVES+Z8ab7aT3V+004DSvEvEwyP2KnKkqXWR TItv8FdnG4TYXSDwintKgjcQldkUzj5RhnXRI= Received: by 10.224.95.146 with SMTP id d18mr958326qan.83.1265374608081; Fri, 05 Feb 2010 04:56:48 -0800 (PST) Received: from ?192.168.8.120? 
(196-215-4-63.dynamic.isadsl.co.za [196.215.4.63]) by mx.google.com with ESMTPS id 21sm11406368vws.9.2010.02.05.04.56.45 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 05 Feb 2010 04:56:47 -0800 (PST) Message-ID: <4B6C157F.2080301@gmail.com> Date: Fri, 05 Feb 2010 14:56:31 +0200 
From: Stefan User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091204 Lightning/1.0b1 Thunderbird/3.0 MIME-Version: 1.0 To: freebsd-pf@freebsd.org References: <20100205123254.GN11310@obspm.fr> In-Reply-To: <20100205123254.GN11310@obspm.fr> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: How make the route-to working ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Feb 2010 12:56:49 -0000 Hi Pf doesn't seem to be able to route packets on the outbound interface. Therefore you always have to put the route-to statements on "pass in on..." rules. I don't have experience setting up pf in a server environment, but I believe that rdr rules are normally used for what you are trying to achieve... Regards, Stefan On 2010-02-05 14:32, Albert Shih wrote: > Hi all, > > I have a problem with route-to. > > I have a server with 2 interfaces, and I'm running jails on this server. Each > interface has its own public IP address. > > eth0 -- IP0 eth1 -- IP1 > > and I have a default route (for example in the IP0 subnet). > > So if the jail is in the IP0 subnet there is no problem, everything works. > > Now if I put a jail in the IP1 subnet, and some client tries to connect to this > jail, the answer comes out through eth0 because of the default route (suppose > the client is not on my subnet). > > I don't want that. I want the answer to come out through eth1. > > I'm trying to use pf to do that and put in my pf.conf something like > > pass in all > pass out all > pass out on eth0 route-to {(eth0 IP0_Gateway)} from to ! IP0_subnet > pass out on eth1 route-to {(eth1 IP1_Gateway)} from to ! 
IP1_subnet > > but it's not working; if I run a tcpdump on the host I can see the > incoming packet come in on eth1 and the outgoing one go out on eth0. > > And if I try to remove the default route the outgoing packets don't come out at all.... > > Any help ? > > Regards. > > > From owner-freebsd-pf@FreeBSD.ORG Fri Feb 5 19:26:07 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DE9A41065672 for ; Fri, 5 Feb 2010 19:26:07 +0000 (UTC) (envelope-from ddesimone@verio.net) Received: from relay2-bcrtfl2.verio.net (relay2-bcrtfl2.verio.net [131.103.218.177]) by mx1.freebsd.org (Postfix) with ESMTP id AD4A58FC0A for ; Fri, 5 Feb 2010 19:26:07 +0000 (UTC) Received: from iad-wprd-xchw01.corp.verio.net (iad-wprd-xchw01.corp.verio.net [198.87.7.164]) by relay2-bcrtfl2.verio.net (Postfix) with ESMTP id E613D1FF1001 for ; Fri, 5 Feb 2010 14:26:06 -0500 (EST) thread-index: AcqmmRA61b5Xl/1eSgmkB4DF+frgtg== Received: from dllstx1-8sst9f1.corp.verio.net ([10.144.0.33]) by iad-wprd-xchw01.corp.verio.net over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Fri, 5 Feb 2010 14:26:05 -0500 Received: by dllstx1-8sst9f1.corp.verio.net (sSMTP sendmail emulation); Fri, 05 Feb 2010 13:26:04 +0000 Content-Transfer-Encoding: 7bit Date: Fri, 5 Feb 2010 13:26:04 -0600 
From: "David DeSimone" Content-Class: urn:content-classes:message Importance: normal Priority: normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325 To: Message-ID: <20100205192604.GK5172@verio.net> Mail-Followup-To: freebsd-pf@freebsd.org References: <20100205123254.GN11310@obspm.fr> <4B6C157F.2080301@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <4B6C157F.2080301@gmail.com> Precedence: bulk User-Agent: Mutt/1.5.18 (2008-05-17) X-OriginalArrivalTime: 05 Feb 2010 19:26:05.0520 (UTC) FILETIME=[0F965D00:01CAA699] Subject: Re: How make the route-to working ? X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Feb 2010 19:26:07 -0000 Stefan wrote: > > Pf doesn't seem to be able to route packets on the outbound interface. > Therefore you have to always put the route-to statements on "pass in > on..." rules. What you'd want to use for received traffic is "pass in" rules that make use of "reply-to". -- David DeSimone == Network Admin == fox@verio.net "I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you. 
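A worked ruleset for the two-interface jail host discussed in this thread, following David's suggestion, as an added example that is not from any of the posters. It puts reply-to on the "pass in" rules for each interface, so that replies to a connection that arrived on the second interface are handed to that interface's gateway instead of following the default route. Interface names, addresses, gateways and the service ports are placeholders; replace them with your own.

```pf
# Added example, not from the thread: one host, two public interfaces,
# one jail homed on each. Addresses and gateways are placeholders.
ext_if0 = "eth0"
ext_if1 = "eth1"
gw0     = "192.0.2.1"          # next hop reachable via eth0 (the default route)
gw1     = "198.51.100.1"       # next hop reachable via eth1
jail0   = "192.0.2.10"         # jail address in the eth0 subnet
jail1   = "198.51.100.10"      # jail address in the eth1 subnet

set skip on lo0

# Default deny, then open only the jail services.
block in all
block out all

# Connections arriving on eth1 for the eth1 jail. The state created by this
# rule carries reply-to, so every reply packet of the connection is sent to
# gw1 on eth1 regardless of what the routing table says.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) proto tcp \
    from any to $jail1 port { 22, 80 } flags S/SA keep state

# The eth0 jail already agrees with the default route; reply-to is harmless
# here and keeps the rule symmetric if the default route ever moves.
pass in on $ext_if0 reply-to ($ext_if0 $gw0) proto tcp \
    from any to $jail0 port { 22, 80 } flags S/SA keep state

# reply-to acts only on the reverse direction of a state, so connections the
# eth1 jail opens itself are not covered by it. Those packets leave via the
# default route (eth0); the route-to on the outbound rule diverts them to eth1.
pass out on $ext_if0 route-to ($ext_if1 $gw1) from $jail1 to any keep state
pass out on $ext_if1 from $jail1 to any keep state
pass out from $jail0 to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and verify the path with `tcpdump -ni eth1` while connecting to the eth1 jail from outside both subnets: the SYN/ACK must appear on eth1, not eth0. Note that reply-to only has an effect on rules that create state, so dropping "keep state" from the pass in rules silently disables it.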
From owner-freebsd-pf@FreeBSD.ORG Fri Feb 5 23:19:25 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 48893106566B for ; Fri, 5 Feb 2010 23:19:25 +0000 (UTC) (envelope-from mauduro@gmail.com) Received: from mail-ww0-f54.google.com (mail-ww0-f54.google.com [74.125.82.54]) by mx1.freebsd.org (Postfix) with ESMTP id CCE5F8FC16 for ; Fri, 5 Feb 2010 23:19:24 +0000 (UTC) Received: by wwj40 with SMTP id 40so706001wwj.13 for ; Fri, 05 Feb 2010 15:19:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=PvYYBXFbLyv/0yB/ePC9m1jcLkYvUMCbRGaom5Gkp9o=; b=NYquNyivMOU9rnU5/WWv1+KylDgSAobTjHXzhB9Q4GtRidGkDJEvlauM/xVhli51V6 ZjrKQGHyStAb/cUKHFL7kMnrniXWQcTyk+qFimH41F/hL0WVdC0DectVXmQwEIFuKZjX VCjtxzMexRo1yoAlQzNDASxJJEezqwtsai75Y= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=xP9p91bbyulrofmOadnlUOVBa/mxn8j83lbXQ7z2Na1enWpYQw9pnG37/c1ZSl00N1 j7O1ecoeyvSOsj19COMxRwS0YOVcJ204xr1x8kYeAlMaCUXKjOd19hs2qoaCxYK3Dh9V WCu0ujgqjIba3wx690lfmHgXzIJe6DhySjVwA= MIME-Version: 1.0 Received: by 10.216.90.195 with SMTP id e45mr1893316wef.189.1265410394750; Fri, 05 Feb 2010 14:53:14 -0800 (PST) Date: Fri, 5 Feb 2010 15:53:14 -0700 Message-ID: 
From: Maurice To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: using pf to NAT with only one NIC X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Feb 2010 23:19:25 -0000 Hi, I have been looking for a couple days now, with no luck, for some direction as to whether I can successfully configure my freebsd to NAT with only one NIC. This is because I am setting up my system to jail my webserver, and I don't think I can get it to work without NATting it. If you have an alternate solution that would be great too. This is what my pf.conf looks like right now: # $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $ # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $ # # See pf.conf(5) and /usr/share/examples/pf for syntax and examples. # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 # in /etc/sysctl.conf if packets are to be forwarded between interfaces. 
block in all block out all ext_if="fxp0" #int_if="int0" all_if="{fxp0, lo0}" #Internal network subnet int_net="10.0.0.0/32" #name and IP of webserver APACHE="10.0.0.1" #table persist set skip on lo scrub in #nat-anchor "ftp-proxy/*" #rdr-anchor "ftp-proxy/*" #nat on $ext_if from !($ext_if) -> ($ext_if:0) #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021 #no rdr on $ext_if proto tcp from to any port smtp #rdr pass on $ext_if proto tcp from any to any port smtp \ # -> 127.0.0.1 port spamd #anchor "ftp-proxy/*" #pass out #pass quick on $int_if no state #antispoof quick for { lo $int_if } block in quick from urpf-failed pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80 nat on $ext_if from $APACHE to any -> fxp0 #pass in log on $ext_if proto tcp to ($ext_if) port smtp #pass out log on $ext_if proto tcp from ($ext_if) to port smtp That doesn't seem to be doing the trick, since I can't ping and DNS won't resolve anything from within the jail (APACHE). I am going off some examples I found that would seem to suggest it is possible with only one NIC, but I can't seem to get it to work. Any help/advice would be greatly appreciated. 
thanks, Maurice From owner-freebsd-pf@FreeBSD.ORG Sat Feb 6 00:47:04 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DF45A1065676 for ; Sat, 6 Feb 2010 00:47:04 +0000 (UTC) (envelope-from allicient3141@googlemail.com) Received: from mail-ew0-f211.google.com (mail-ew0-f211.google.com [209.85.219.211]) by mx1.freebsd.org (Postfix) with ESMTP id 71BBA8FC18 for ; Sat, 6 Feb 2010 00:47:04 +0000 (UTC) Received: by ewy3 with SMTP id 3so2118483ewy.13 for ; Fri, 05 Feb 2010 16:47:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to :content-type:content-transfer-encoding; bh=1v6KcNiDQtiuwY/vQwUxwhUeJ8vWFEfg50D/9RjMsOY=; b=SlbsBwvNz2CbYR/Beql0kSJrvBSm72flMssEkPiBevR6ORvRCUqgVTWa0EwjrKdroG +HSOcSAHqYqboVrDwXdGWa1I8sNPDNFZww9OLfUGaU8dsB+KpzaBPQ9wopHTvSNWxhFk viPv8OPqTMgmDsoVIl/xUEE0HeKR43hAH7f88= DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; b=vTlW8Y8Ky7JD1ISwwtPwV1qvzWJU0UfiTQS6nlsmhF8gqRNiO+f7Zv67qlPGF0BOvG yrrbVNONy5YbijGPaWC+v2mBTGYbjddGWgQfAyfIEKqx0Sor4BCON//tJ0v3cBs+KMOP 0BcBR/FDTkXwKjKLApO3yAAdRLmN99DReZ3f4= MIME-Version: 1.0 Sender: allicient3141@googlemail.com Received: by 10.213.100.203 with SMTP id z11mr164514ebn.51.1265417221990; Fri, 05 Feb 2010 16:47:01 -0800 (PST) In-Reply-To: References: Date: Sat, 6 Feb 2010 00:47:01 +0000 X-Google-Sender-Auth: 1f01f9c7537e497d Message-ID: <7731938b1002051647y78be2d0dq56ac8f3c39d993e@mail.gmail.com> 
From: Peter Maxwell To: Maurice , freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Subject: Re: using pf to NAT with only one NIC X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Feb 2010 00:47:05 -0000 Hi Maurice, Yes, you can do it without much difficulty and I've got my server set up in that manner: there's about twenty separate jails that can access the internet via specific NAT rules and incoming services handled via RDR rules. Note: you won't be able to ping from a jail, unless you want to allow your jailed processes to create raw sockets (you don't) :-) There's probably many ways it can be done, but what I did was something like: i) create a second loopback interface, lo1 (c.f. cloned interfaces) and assign appropriate alias netblocks for your jails on that interface; ii) create your pf.conf, set skip on lo0 but not the external or lo1 interface; iii) I'd set "set state-policy if-bound" so you know what's going on; iv) don't use the antispoof keyword, it will make a mess in this situation; v) setting up bind to handle local dns resolution is a good idea - point your jails towards this and you'll need to add in an appropriate rule(s) later on; vi) set up outgoing nat rules, e.g. nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port smtp -> $ext_ip vii) set up incoming services, e.g. 
rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp viii) put in pass rules to allow nat out and rdr in; remember NAT is done first, so your outgoing packets ALL have source IP of the external IP now and not the jail IP pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state ix) allow jail implicit access to itself pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail flags S/SA keep state x) add in rules to allow any interjail communication as needed (remember the incoming/outgoing packets appear the other way round here - use tcpdump to check if in doubt) If you have any problems, run tcpdump in a separate terminal window to determine what's going on. Peter On 5 February 2010 22:53, Maurice wrote: > Hi, > > I have been looking for a couple days now, with no luck, for some direction > as to whether I can successfully configure my freebsd to NAT with only one > NIC. This is because I am setting up my system to jail my webserver, and I > don't think I can get it to work without NATting it. If you have an > alternate solution that would be great too. This is what my pf.conf looks > like right now: > > > #       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 > 03:14:26 kensmith Exp $ > #       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $ > # > # See pf.conf(5) and /usr/share/examples/pf for syntax and examples. > # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1 > # in /etc/sysctl.conf if packets are to be forwarded between interfaces. 
> > block in all > block out all > > ext_if="fxp0" > #int_if="int0" > all_if="{fxp0, lo0}" > > #Internal network subnet > int_net="10.0.0.0/32" > > #name and IP of webserver > APACHE="10.0.0.1" > > #table persist > > set skip on lo > > scrub in > > #nat-anchor "ftp-proxy/*" > #rdr-anchor "ftp-proxy/*" > #nat on $ext_if from !($ext_if) -> ($ext_if:0) > #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021 > #no rdr on $ext_if proto tcp from to any port smtp > #rdr pass on $ext_if proto tcp from any to any port smtp \ > #       -> 127.0.0.1 port spamd > > #anchor "ftp-proxy/*" > #pass out > > #pass quick on $int_if no state > #antispoof quick for { lo $int_if } > block in quick from urpf-failed > > pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state > rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80 > nat on $ext_if from $APACHE to any -> fxp0 > > #pass in log on $ext_if proto tcp to ($ext_if) port smtp > #pass out log on $ext_if proto tcp from ($ext_if) to port smtp > > That doesn't seem to be doing the trick, since I can't ping and DNS won't > resolve anything from within the jail (APACHE). I am going off some examples > I found that would seem to suggest it is possible with only one NIC, but I > can't seem to get it to work. Any help/advice would be greatly appreciated. 
> > thanks, > > Maurice > _______________________________________________ > freebsd-pf@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" > From owner-freebsd-pf@FreeBSD.ORG Sat Feb 6 05:10:23 2010 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5EDD51065670 for ; Sat, 6 Feb 2010 05:10:23 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-vw0-f54.google.com (mail-vw0-f54.google.com [209.85.212.54]) by mx1.freebsd.org (Postfix) with ESMTP id 09FE88FC0A for ; Sat, 6 Feb 2010 05:10:22 +0000 (UTC) Received: by vws11 with SMTP id 11so2020329vws.13 for ; Fri, 05 Feb 2010 21:10:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:date:from:to:cc :subject:in-reply-to:message-id:references:user-agent :x-openpgp-key-id:x-openpgp-key-fingerprint:mime-version :content-type:content-transfer-encoding; bh=MipCBqh0sX/tuMp1MW0Sma0epJqgj3+Cs+9I8XJvHJE=; b=FQGypzUfr3m7AycgK51sxGq8zC1o11AB7KJxZXg3eF7ZpCH7ehpNipw+FAagtNokUj cC/4IGeo+OL0iYTP2RRMNpnbtjnktG2cjv0sj7hL9Ak+WZWVuBYy67KFHDkqvHyjBDlK 4eXlCU8+I0zNjUUEbybCYP9YcRi2k5XANRpPQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:in-reply-to:message-id:references :user-agent:x-openpgp-key-id:x-openpgp-key-fingerprint:mime-version :content-type:content-transfer-encoding; b=GLVdqGPz/Bez+gZ0ykg783F1XdjZM2s5KWtnibjkjrAgNxgJoX+5jzc0Cqsb56EjjM X73lsoA7r88g2Lo9/r5X0mC3bNU39C+xh1cq/wTJbZUwCvjR3TowBPnO8OlHJn6oleEh gq8jOBEd4KxdmYh2mh0WnuiFY28we57+QVHes= Received: by 10.220.124.106 with SMTP id t42mr6818386vcr.92.1265433022246; Fri, 05 Feb 2010 21:10:22 -0800 (PST) Received: from centel.dataix.local (ppp-22.17.dialinfree.com [209.172.22.17]) by mx.google.com with ESMTPS id 
21sm18693377vws.9.2010.02.05.21.10.09 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 05 Feb 2010 21:10:20 -0800 (PST) Sender: "J. Hellenthal" Date: Sat, 6 Feb 2010 00:09:46 -0500 
From: jhell
To: Peter Maxwell
In-Reply-To: <7731938b1002051647y78be2d0dq56ac8f3c39d993e@mail.gmail.com>
Message-ID:
References: <7731938b1002051647y78be2d0dq56ac8f3c39d993e@mail.gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-OpenPGP-Key-Id: 0x89D8547E
X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8BIT
Cc: freebsd-pf@freebsd.org
Subject: Re: using pf to NAT with only one NIC
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Sat, 06 Feb 2010 05:10:23 -0000

On Fri, 5 Feb 2010 19:47, peter@ wrote:

> Hi Maurice,
>
> Yes, you can do it without much difficulty and I've got my server
> setup in that manner: there's about twenty separate jails that can
> access the internet via specific NAT rules and incoming services
> handled via RDR rules. Note: you won't be able to ping from a jail,
> unless you want to allow your jailed processes to create raw sockets
> (you don't) :-)
>
> There's probably many ways it can be done, but what I did was something like:
>
> i) create a second loopback interface, lo1 (c.f. cloned interfaces)
> and assign appropriate alias netblocks for your jails on that
> interface;
>
> ii) create your pf.conf, set skip on lo0 but not the external or lo1 interface;
>
> iii) I'd set "set state-policy if-bound" so you know what's going on;
>
> iv) don't use the antispoof keyword, it will make a mess in this situation;
>
> v) setting up bind to handle local dns resolution is a good idea -
> point your jails towards this and you'll need to add in an appropriate
> rule(s) later on;
>
> vi) setup outgoing nat rules, e.g.
>
> nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port smtp -> $ext_ip
>
> vii) setup incoming services, e.g.
>
> rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp
>
> viii) put in pass rules to allow nat out and rdr in; remember NAT is
> done first, so your outgoing packets ALL have source IP of the
> external IP now and not the jail IP
>
> pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
> pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state
>
> ix) allow jail implicit access to itself
>
> pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail flags S/SA keep state
>
> x) add in rules to allow any interjail communication as needed
> (remember the incoming/outgoing packets appear the other way round
> here - use tcpdump to check if in doubt)
>
> If you have any problems, run tcpdump in a separate terminal window to
> determine what's going on.
>
> Peter
>
> On 5 February 2010 22:53, Maurice wrote:
>> Hi,
>>
>> I have been looking for a couple days now, with no luck, for some direction
>> as to whether I can successfully configure my freebsd to NAT with only one
>> NIC. This is because I am setting up my system to jail my webserver, and I
>> don't think I can get it to work without NATting it. If you have an
>> alternate solution that would be great too. This is what my pf.conf looks
>> like right now:
>>
>> #       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $
>> #       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
>> #
>> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>
>> block in all
>> block out all
>>
>> ext_if="fxp0"
>> #int_if="int0"
>> all_if="{fxp0, lo0}"
>>
>> #Internal network subnet
>> int_net="10.0.0.0/32"
>>
>> #name and IP of webserver
>> APACHE="10.0.0.1"
>>
>> #table persist
>>
>> set skip on lo
>>
>> scrub in
>>
>> #nat-anchor "ftp-proxy/*"
>> #rdr-anchor "ftp-proxy/*"
>> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
>> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>> #no rdr on $ext_if proto tcp from to any port smtp
>> #rdr pass on $ext_if proto tcp from any to any port smtp \
>> #       -> 127.0.0.1 port spamd
>>
>> #anchor "ftp-proxy/*"
>> #pass out
>>
>> #pass quick on $int_if no state
>> #antispoof quick for { lo $int_if }
>> block in quick from urpf-failed
>>
>> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
>> rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
>> nat on $ext_if from $APACHE to any -> fxp0

Your placement of nat and redirect rules is a little bit worrisome. pf.conf, as stated by its manual page, is ordered (see following):

# [Macros]        i.e. variable=lo1
# [Options]       i.e. set etc.. etc..
# [Normalization] i.e. scrub
# [Queuing]       i.e. ALTQ
# [Translation]   i.e. NAT RDR etc...
# [Filtering]     i.e. pass & block rules

Beware that there is quite the change for rule-sets ahead if the newer version of pf that is in the works for OpenBSD ever makes it downstream to FreeBSD.

I personally do not know if the way you have your rule-set configured would cause any havoc with NAT since you have it mingled between filtering rules, but it would be good practice to stick to what's already drawn in the manual page.

Best of luck.

>> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
>> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>>
>> That doesn't seem to be doing the trick, since I can't ping and DNS won't
>> resolve anything from within the jail (APACHE). I am going off some examples
>> I found that would seem to suggest it is possible with only one NIC, but I
>> can't seem to get it to work. Any help/advice would be greatly appreciated.
>>
>> thanks,
>>
>> Maurice
>

-- 
jhell
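Peter's steps i) to x) and jhell's section-ordering note, pulled together as an added example that is not from anyone in the thread: a complete single-NIC pf.conf for jails on a cloned loopback, laid out in the order pf.conf(5) prescribes, with the pass rules written against the post-translation addresses as step viii) explains. The interface and address names (fxp0, 203.0.113.10, lo1, 10.0.0.0/24, a web jail at 10.0.0.1 and a resolver jail at 10.0.0.2) are assumptions for illustration, not values from the thread.

```pf
# Added example, not from the thread. Assumed names: fxp0 is the only NIC,
# 203.0.113.10 its address, lo1 a cloned loopback carrying the jail
# aliases in 10.0.0.0/24, 10.0.0.1 the web jail, 10.0.0.2 a jail running
# the local resolver Peter recommends in step v).

# [Macros]
ext_if   = "fxp0"
ext_ip   = "203.0.113.10"
jail_if  = "lo1"
jail_net = "10.0.0.0/24"
www_ip   = "10.0.0.1"
dns_ip   = "10.0.0.2"

# [Options]
# Skip the real loopback only; lo1 must stay filtered so jail traffic is seen.
set skip on lo0
set state-policy if-bound

# [Normalization]
scrub in all

# [Queueing]
# (none)

# [Translation]
# Jail packets leave through the single NIC with a jail address as source;
# rewrite that to the host address.
nat on $ext_if inet from $jail_net to any -> $ext_ip
# Web traffic aimed at the host address is handed to the web jail.
rdr on $ext_if inet proto tcp from any to $ext_ip port 80 -> $www_ip port 80

# [Filtering]
block log all

# Management access to the host itself.
pass in on $ext_if inet proto tcp from any to $ext_ip port 22 \
    flags S/SA synproxy state

# Translation already ran: outbound packets carry $ext_ip as source and
# inbound web packets carry $www_ip as destination, so match on those.
pass out on $ext_if inet proto tcp from $ext_ip to any port { 80, 443 } \
    flags S/SA modulate state
pass out on $ext_if inet proto udp from $ext_ip to any port 53 keep state
pass in  on $ext_if inet proto tcp from any to $www_ip port 80 \
    flags S/SA modulate state

# Jail-to-jail and jail-to-self traffic never touches fxp0; it goes out on
# lo1 and comes back in on lo1, so these rules carry no direction.
pass on $jail_if inet proto udp from $jail_net to $dns_ip port 53 keep state
pass on $jail_if inet proto tcp from $www_ip to $www_ip flags S/SA keep state
```

On the assumed host the matching /etc/rc.conf would carry `cloned_interfaces="lo1"`, `ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.255"`, `ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.255"` and `pf_enable="YES"`. Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm with `pfctl -s nat` and `pfctl -s rules` that the translation rules and the filter rules were loaded into their separate lists. A jail still cannot ping with this ruleset, for the reason Peter gives in his first paragraph (no raw sockets in the jail), so test connectivity with a DNS query or an HTTP fetch from inside the jail while tcpdump watches lo1 and fxp0.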
