Date:      Thu, 21 Feb 2008 21:04:36 +0100
From:      "cali clarke" <xorquewasp@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   binat problem with jail loopback addresses
Message-ID:  <5a08be760802211204j6c7268ack2a0d931951d3aa19@mail.gmail.com>

Hi.

I'm trying to set up a jail running on a loopback IP connected to the
outside world with pf and binat.

My interfaces are configured like this:

 ifconfig lo1 inet 127.1.0.1 netmask 0xff000000 up
 ifconfig lo1 alias 127.1.0.2 netmask 0xff000000
 ifconfig lo1 alias 127.1.0.3 netmask 0xff000000

 ifconfig fxp0 inet 192.168.2.5 netmask 0xffffff00 up
 ifconfig fxp0 alias 192.168.2.9 netmask 0xffffff00

$ jls
  JID  IP Address      Hostname                      Path
    5  127.1.0.3       wwwproxy                      /usr/jail/wwwproxy

The idea is to have wwwproxy running on 127.1.0.3, with an externally
visible IP of 192.168.2.9 using pf binat.

Now, I have a pf ruleset like this:

#----------------------------------------------------------------------#

nic0 = "fxp0"
lo0 = "lo0"
lo1 = "lo1"

dns = "192.168.3.10"
me = "192.168.2.5"

wwwproxy = "127.1.0.3"
wwwproxy_e = "192.168.2.9"

table <net_priv> { 192.168.2.0/24 }
table <net_dmz> { 192.168.3.0/24 }
table <proxy_users> { $me, $wwwproxy_e }

#----------------------------------------------------------------------#

binat on $nic0 from $wwwproxy to any -> $wwwproxy_e

#----------------------------------------------------------------------#

block in log all
block out log all

# allow loopback
pass log quick on $lo0 from 127.0.0.1 to 127.0.0.1 modulate state

# allow wwwproxy to connect out and allow some connections in
pass out log quick proto udp from $wwwproxy_e to $dns port 53 keep state
pass out log quick proto tcp from $wwwproxy_e to any modulate state
pass in log quick proto tcp from <proxy_users> to $wwwproxy_e port 8080 modulate state

# allow me to connect out
pass out log quick on $nic0 proto udp from $me to any keep state
pass out log quick on $nic0 proto tcp from $me to any modulate state

#----------------------------------------------------------------------#

I have an HTTP proxy running inside the jail:

$ netstat -f inet -na
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.1.0.3.8080         *.*                    LISTEN

Inside the jail, I can connect to external sites:

wwwproxy% nc -z -v www.google.com 80
Connection to www.google.com 80 port [tcp/http] succeeded!

000000 rule 8/0(match): pass out on fxp0: 192.168.2.9.62735 > 192.168.3.10.53: UDP, length 32
001253 rule 8/0(match): pass out on fxp0: 192.168.2.9.61723 > 192.168.3.10.53: UDP, length 32
000955 rule 9/0(match): pass out on fxp0: 192.168.2.9.64134 > 66.249.91.104.80: tcp 0

Outside the jail (on the host machine), however, I cannot connect to the HTTP
proxy, despite pflog showing the connection being allowed:

$ nc -z -v 192.168.2.9 8080
nc: connect to 192.168.2.9 port 8080 (tcp) failed: Connection refused

3. 680214 rule 9/0(match): pass out on lo0: 192.168.2.9.60606 > 192.168.2.9.8080: tcp 0
000060 rule 10/0(match): pass in on lo0: 192.168.2.9.60606 > 192.168.2.9.8080: tcp 0

It appears that binat isn't actually doing what I think it should (a connection
to 192.168.2.9:8080 should connect to 127.1.0.3:8080).

What am I doing wrong?

XW

(ps: please CC, I'm not subscribed)
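
Added example (editor's note, not part of the original message or any reply on this page): the pflog lines above show the host's own connection to 192.168.2.9:8080 passing "out on lo0" and "in on lo0", never on fxp0, so a translation rule written as `binat on $nic0` is not consulted for it; the SYN is delivered to 192.168.2.9:8080 on the host itself, where nothing listens, hence "Connection refused". The fragment below reuses the macros from the posted ruleset and assumes the same host layout; it attaches an rdr to lo0 for locally originated connections and rewrites the pass-in rule to name the translated destination, since pf evaluates translation rules before filter rules and the filter sees the post-translation packet.

```pf
# Added example: letting the host reach the jail's external address.
# Macros as in the posted ruleset; the rdr on lo0 and the rewritten
# pass-in rule are the additions.
nic0 = "fxp0"
lo0 = "lo0"
me = "192.168.2.5"
wwwproxy = "127.1.0.3"
wwwproxy_e = "192.168.2.9"
table <proxy_users> { $me, $wwwproxy_e }

# Traffic arriving on fxp0 from other hosts: binat, as in the original.
binat on $nic0 from $wwwproxy to any -> $wwwproxy_e

# Host-originated connections to 192.168.2.9 are looped back over lo0
# (see the "pass out on lo0" / "pass in on lo0" pflog lines), so the
# redirect has to be attached to lo0 as well.
rdr on $lo0 proto tcp from any to $wwwproxy_e port 8080 -> $wwwproxy

# Translation happens before filtering: the pass rule must match the
# translated destination (127.1.0.3), not the external alias. This one
# rule then covers both the fxp0 (binat) and the lo0 (rdr) paths.
pass in log quick proto tcp from <proxy_users> to $wwwproxy port 8080 modulate state
```

Check it with `pfctl -nf /etc/pf.conf` before loading; afterwards `pfctl -s nat` should list the rdr on lo0, and while a local `nc -z -v 192.168.2.9 8080` runs, `pfctl -s state` should show the 192.168.2.9:8080 -> 127.1.0.3:8080 mapping. The existing `pass out ... from $wwwproxy_e to any` rule already admits the outbound leg on lo0, as the log confirms.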



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5a08be760802211204j6c7268ack2a0d931951d3aa19>