Date: Sat, 6 Feb 2010 00:47:01 +0000
From: Peter Maxwell <peter@allicient.co.uk>
To: Maurice <mauduro@gmail.com>, freebsd-pf@freebsd.org
Subject: Re: using pf to NAT with only one NIC
Message-ID: <7731938b1002051647y78be2d0dq56ac8f3c39d993e@mail.gmail.com>
In-Reply-To: <d3e0b6a01002051453o377d6e45p3b3991552f37310c@mail.gmail.com>
References: <d3e0b6a01002051453o377d6e45p3b3991552f37310c@mail.gmail.com>
Hi Maurice,

Yes, you can do it without much difficulty and I've got my server set up in that manner: there are about twenty separate jails that can access the internet via specific NAT rules, and incoming services are handled via RDR rules.

Note: you won't be able to ping from a jail, unless you want to allow your jailed processes to create raw sockets (you don't) :-)

There are probably many ways it can be done, but what I did was something like:

i) create a second loopback interface, lo1 (c.f. cloned interfaces) and assign appropriate alias netblocks for your jails on that interface;

ii) create your pf.conf, set skip on lo0 but not the external or lo1 interface;

iii) I'd set "set state-policy if-bound" so you know what's going on;

iv) don't use the antispoof keyword, it will make a mess in this situation;

v) setting up bind to handle local dns resolution is a good idea - point your jails towards this and you'll need to add in an appropriate rule(s) later on;

vi) setup outgoing nat rules, e.g.

    nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port smtp -> $ext_ip

vii) setup incoming services, e.g.

    rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp

viii) put in pass rules to allow nat out and rdr in; remember NAT is done first, so your outgoing packets ALL have source IP of the external IP now and not the jail IP

    pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
    pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state

ix) allow jail implicit access to itself

    pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail flags S/SA keep state

x) add in rules to allow any interjail communication as needed (remember the incoming/outgoing packets appear the other way round here - use tcpdump to check if in doubt)

If you have any problems, run tcpdump in a separate terminal window to determine what's going on.
Peter

On 5 February 2010 22:53, Maurice <mauduro@gmail.com> wrote:
> Hi,
>
> I have been looking for a couple days now, with no luck, for some direction
> as to whether I can successfully configure my freebsd to NAT with only one
> NIC. This is because I am setting up my system to jail my webserver, and I
> don't think I can get it to work without NATting it. If you have an
> alternate solution that would be great too. This is what my pf.conf looks
> like right now:
>
>
> #       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $
> #       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> block in all
> block out all
>
> ext_if="fxp0"
> #int_if="int0"
> all_if="{fxp0, lo0}"
>
> #Internal network subnet
> int_net="10.0.0.0/32"
>
> #name and IP of webserver
> APACHE="10.0.0.1"
>
> #table <spamd-white> persist
>
> set skip on lo
>
> scrub in
>
> #nat-anchor "ftp-proxy/*"
> #rdr-anchor "ftp-proxy/*"
> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> #rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> #no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
> #rdr pass on $ext_if proto tcp from any to any port smtp \
> #       -> 127.0.0.1 port spamd
>
> #anchor "ftp-proxy/*"
> #pass out
>
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
> block in quick from urpf-failed
>
> pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
> rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
> nat on $ext_if from $APACHE to any -> fxp0
>
> #pass in log on $ext_if proto tcp to ($ext_if) port smtp
> #pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> That doesn't seem to be doing the trick, since I can't ping and DNS won't
> resolve anything from within the jail (APACHE). I am going off some examples
> I found that would seem to suggest it is possible with only one NIC, but I
> can't seem to get it to work. Any help/advice would be greatly appreciated.
>
> thanks,
>
> Maurice
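For readers following the thread, here is one complete pf.conf that assembles steps i) to x) from Peter's reply for a web jail and a mail jail on a cloned lo1. It is an added illustration, not configuration from either poster, and the interface names, the 10.0.0.0/24 jail block, the public address and the resolver address are assumptions.

```conf
# /etc/rc.conf fragment (step i): a cloned lo1 carrying the jail addresses
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
#   ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.255"
#   pflog_enable="YES"

# /etc/pf.conf -- all names and addresses below are assumed for this illustration
ext_if      = "fxp0"
int_lo1_if  = "lo1"
ext_ip      = "203.0.113.10"   # host's public address (documentation range)
int_ip_web  = "10.0.0.1"       # web jail, lives on lo1
int_ip_mail = "10.0.0.2"       # mail jail, lives on lo1
dns_ip      = "10.0.0.254"     # local bind listener on lo1 (step v)

set state-policy if-bound      # step iii: each state is tied to the interface that created it
set skip on lo0                # step ii: skip lo0 only; "set skip on lo" would also skip lo1
scrub in all

# Translation runs before filtering, so packets leaving $ext_if already carry $ext_ip.
# step vi: outbound NAT, one narrow rule per jail and service, never for jail-to-jail traffic
nat on $ext_if inet proto tcp from $int_ip_mail to ! $int_lo1_if:network port smtp -> $ext_ip
# step vii: inbound services redirected to the jail addresses
rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp
rdr on $ext_if proto tcp from any to $ext_ip port http -> $int_ip_web  port http

block log all                  # default deny on every filtered interface (fxp0 and lo1)

# step viii: pass exactly what the nat/rdr rules produce; no antispoof here (step iv)
pass in  on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA synproxy state
pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
pass in  log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state
pass in  log on $ext_if proto tcp from any to $int_ip_web  port http flags S/SA modulate state

# step ix: each jail may talk to itself; flags apply to tcp only, so udp gets its own rule
pass log on $int_lo1_if proto tcp from $int_ip_mail to $int_ip_mail flags S/SA keep state
pass log on $int_lo1_if proto udp from $int_ip_mail to $int_ip_mail keep state
pass log on $int_lo1_if proto tcp from $int_ip_web  to $int_ip_web  flags S/SA keep state
pass log on $int_lo1_if proto udp from $int_ip_web  to $int_ip_web  keep state

# step v: jails reach the local resolver and nothing else on lo1 by default
pass on $int_lo1_if proto { tcp, udp } from $int_lo1_if:network to $dns_ip port domain keep state

# step x: explicit inter-jail flows only, e.g. the web jail submitting mail through the mail jail
pass log on $int_lo1_if proto tcp from $int_ip_web to $int_ip_mail port smtp flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and with pflog enabled `tcpdump -nettti pflog0` shows which of the logged rules a packet matched, which is the quickest way to see the reversed in/out direction on lo1 that step x) warns about.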