Date:      Tue, 29 Mar 2016 09:59:59 +0100
From:      krad <kraduk@gmail.com>
To:        tyler@tysdomain.com
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: question re: PF and forwarding
Message-ID:  <CALfReyeXphbXz3CMmNya69fd7ZtEMfR3impd+uOcQzpSJhgv=A@mail.gmail.com>
In-Reply-To: <56F992AA.7070409@tysdomain.com>
References:  <56F992AA.7070409@tysdomain.com>

What network topology are the jails' NICs on? I presume it's not vnet, as that
doesn't play well with PF. Your rules hint at the jails being on loopback.
If so, can you put them on a separate IP on your subnet? pf can still
filter them fine there, and you will find the ruleset a bit easier to
manage. If those 192 addresses aren't on loopback and are on the same subnet
as the host's IP on igb0, why are you NATting them? This will probably cause
issues.



On 28 March 2016 at 21:23, Littlefield, Tyler <tyler@tysdomain.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All,
> Sorry for the multiple emails recently. I'm working to get my server
> set up here so I can begin doing some dev on BHyve once that is all
> finalized.
> I am jailing my services like minidlna, samba and unbound and am using
> PF to forward those.
> For whatever reason I do not see the ports I specify as open ports,
> but the individual addresses show them when I connect from within my
> server. For example, I can telnet 192.168.0.2 445 and that works fine
> in terms of establishing a connection. I was hoping that someone might
> see any connection here. Here is my pf.conf.
> ***
> if="igb0"
> addr="10.21.96.128"
> samba_addr="192.168.0.2"
> dlna_addr="192.168.0.3"
> unbound_addr="192.168.0.4"
> tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
>
> set skip on lo
> set loginterface $if
> scrub in all
>
> #allow jails through
> nat on $if inet from $samba_addr to any tag jail_samba -> $addr
> nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
> nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
> #portforward to jails.
> #unbound
> rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
> rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
> #samba
> rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
> rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
>
> #rules
> pass quick on lo1
> pass from igb0:network to any keep state
>
> #default policy: deny
> antispoof quick for { $if lo }
> block in all
> #accept TCP ports.
> pass in on $if proto tcp from any to any port $tcp_services
> pass in on $if proto udp from any to any port $udp_services
> ***
> - --
> Take care,
> Ty
> Twitter: @sorressean
> Web: https://tysdomain.com
> Pubkey: https://tysdomain.com/files/pubkey.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQEcBAEBAgAGBQJW+ZKqAAoJEAdP60+BYxejccoIAJXdhyvB15PtXyBeA7K0e5tR
> MIP6SVWmdWpv/9AxPAodPvHgTiyJF4A50VsJ9Tcnq8v0gnulIKXytlBHwuJe0goI
> b8vJT+Sqq6d6ystnhGddh1npgHbwD8LwP5s7AA6LIhFxq84GIprC22+HCi/tTHXF
> AGX408PNJbNXXwA5F/tzBQH2uFXUA28d6NKkeOjrKkIn5ZwCB57ehmDO/3yNhZHT
> ONvzK83QbyYU2q+BRYIkqPNzpXIQgPGIULMHj57jymOZqdjDd6llSvmWdKWkhv9d
> BIRDcd513n+GjYc4fCzwTh110EOhC47IbBTK09l3SCgcvbztTKx0m1vQvNQk73Y=
> =Lvnv
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
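The layout krad suggests above, written out as an added pf.conf example (this is not code from either poster): each jail gets its own address in the host's subnet as an alias on igb0, so no nat or rdr rules are needed and pf filters the jails like any other host on the wire. The addresses 10.21.96.130-132 are assumed; the Samba port split follows the standard assignments (137/138 UDP for NetBIOS name and datagram service, 139/445 TCP for session and SMB), which is narrower than the tcp+udp forwarding of every port in the original ruleset. No ports are exposed for the dlna jail because the original ruleset exposes none either.

```pf
# Added example, not from the thread. Jails live on aliases of igb0 in the
# host's own subnet (addresses assumed), so they need no NAT or redirection.
# The aliases must also exist on the interface, e.g. in rc.conf:
#   ifconfig_igb0_alias0="inet 10.21.96.130 netmask 255.255.255.255"
# and each jail gets its address via ip4.addr in jail.conf.
ext_if="igb0"
host_addr="10.21.96.128"
samba_addr="10.21.96.130"
dlna_addr="10.21.96.131"
unbound_addr="10.21.96.132"
jails="{" $samba_addr $dlna_addr $unbound_addr "}"

set skip on lo
set loginterface $ext_if
scrub in all

# default policy: deny inbound, drop spoofed sources
antispoof quick for { $ext_if lo0 }
block in all

# the host and the jails may originate connections (no nat needed:
# their addresses are already routable on the subnet)
pass out on $ext_if from { $host_addr $jails } keep state

# host itself: only ssh
pass in on $ext_if proto tcp from any to $host_addr port ssh keep state

# unbound jail: DNS over tcp and udp
pass in on $ext_if proto { tcp udp } from any to $unbound_addr port 53 keep state

# samba jail: NetBIOS name/datagram service over udp, session and SMB over tcp
pass in on $ext_if proto udp from any to $samba_addr port { netbios-ns netbios-dgm } keep state
pass in on $ext_if proto tcp from any to $samba_addr port { netbios-ssn microsoft-ds } keep state

# dlna jail: nothing exposed in the original ruleset; add its ports here
# in a rule of the same shape when the service goes live
```

With this shape `pfctl -sr` shows exactly which ports each jail address accepts, and a connection test from another host on the subnet targets the jail address directly (for example port 445 on 10.21.96.130) rather than a port on the host that is then rewritten.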


