From owner-freebsd-pf@FreeBSD.ORG Mon Apr 6 05:12:39 2015
Date: Mon, 6 Apr 2015 09:42:38 +0430
From: saeed hamid
To: freebsd-pf@freebsd.org
Subject: Disable Firewall
List-Id: "Technical discussion and general questions about packet filter (pf)"
Hi all,

I use FreeBSD 10.1. I created a LUN with ZFS and I want to see the LUN from Windows. When I use the initiator to connect to the LUN it shows the error: Connection refused. Can you help me disable the firewalls in FreeBSD, please?

Many thanks,

From owner-freebsd-pf@FreeBSD.ORG Sat Apr 11 12:30:34 2015
Date: Sat, 11 Apr 2015 14:30:26 +0200
From: michael@familie-keil.de
To: freebsd-pf@freebsd.org
Subject: Re: Freebsd jail block out in lo1 while connecting back on ext_if
Message-ID: <1d7343ce9ad936f2b3a00a26c68fd095@familie-keil.de>
User-Agent: Roundcube Webmail/1.1.1

After some additional research on pf and reading Peter Hansteen's "The Book of PF", I was able to solve this issue myself. Peter's book is worth each and every cent and a remarkable source of knowledge.

The root cause of my issue was an incomplete nat/rdr setup along with a too optimistic "skip on lo". So if someone comes across this post and has trouble with a NAT setup and FreeBSD jails on a cloned lo0 interface, please feel free to give some deeper thought to the following solution. Please remember to tighten your rules. "from any" in the first inbound rdrs isn't a good idea. Maybe you want to block out fail2ban and brute-force issues.

    # Macros: external interface, the cloned loopback(s) the jails live on,
    # the jail network and the per-jail addresses and service ports
    ext_if = "re0"
    jail_if = "{ lo1, lo0 }"
    jail_net = "10.100.0.0/24"
    jail_web_adr = "10.100.0.1"
    jail_web_ports = "{ http, https }"
    jail_mail_adr = "10.100.0.2"
    jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps, submission }"

    # Outbound: masquerade jail traffic leaving via the external interface
    nat on $ext_if from $jail_net to any -> ($ext_if)

    # Inbound from the outside: redirect the web and mail ports to the jails
    rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_web_ports -> $jail_web_adr
    rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_mail_ports -> $jail_mail_adr

    # Traffic on the jail interfaces: do not NAT jail-to-jail traffic in general,
    # but reflect connections a jail makes to the external address back to the
    # jail that serves that port, so the reply comes back over the loopback
    no nat log on $jail_if proto tcp from $jail_net
    nat log on $jail_if proto tcp from $jail_web_adr to ($ext_if) port $jail_web_ports -> $jail_web_adr
    rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_web_ports -> $jail_web_adr
    nat log on $jail_if proto tcp from $jail_mail_adr to ($ext_if) port $jail_mail_ports -> $jail_mail_adr
    rdr log on $jail_if proto tcp from $jail_net to $ext_if port $jail_mail_ports -> $jail_mail_adr

---
Cheers
Michael
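One way to act on the "tighten your rules" advice above, as an added example that is not part of Michael's post: the inbound mail rdr loses its "pass" so redirected packets pass through the filter rules, where a persistent table plus per-source connection limits blocks brute-force sources. It reuses the macros from the post and assumes FreeBSD 10.1 pf syntax (separate nat/rdr rules; filter rules see the translated jail address); the table name and the limit values are assumptions.

```pf
# Added example, not from the original post. Macros as in Michael's ruleset.
ext_if = "re0"
jail_mail_adr = "10.100.0.2"
jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps, submission }"

# Sources that overran the limits below; "persist" keeps the table across
# ruleset reloads. A fail2ban pf action can add to the same table (assumption).
table <bruteforce> persist

# Same rdr as the original but without "pass": the redirected packets are now
# evaluated by the filter rules instead of being passed unconditionally.
rdr log on $ext_if proto tcp from any to ($ext_if) port $jail_mail_ports -> $jail_mail_adr

# Drop listed sources before anything else ("quick" stops evaluation).
block in quick on $ext_if from <bruteforce>

# Filter rules match on the translated (jail) address. Per source address:
# at most 20 open connections and 15 new connections per 30 seconds; an
# offender is added to <bruteforce> and all of its existing states are flushed.
pass in on $ext_if proto tcp from any to $jail_mail_adr port $jail_mail_ports \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 15/30, overload <bruteforce> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect what has been caught with `pfctl -t bruteforce -T show`.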