Date:      Wed, 30 Mar 2016 09:27:55 +0100
From:      krad <kraduk@gmail.com>
To:        sorressean <tyler@tysdomain.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: question re: PF and forwarding
Message-ID:  <CALfReyfFtA-=J%2BoL%2B8CevUfh7Ud6hRuUrEuER8kEBxAyg9FUyQ@mail.gmail.com>
In-Reply-To: <56FB4076.3040501@tysdomain.com>
References:  <56F992AA.7070409@tysdomain.com> <CALfReyeXphbXz3CMmNya69fd7ZtEMfR3impd%2BuOcQzpSJhgv=A@mail.gmail.com> <56FB4076.3040501@tysdomain.com>

I think your service lines have to be comma delimited. Check the output of
pfctl -sr as this will tell you what rules actually made it in, and all
macros will be expanded.


On 30 March 2016 at 03:56, Littlefield, Tyler <tyler@tysdomain.com> wrote:

> A bit more info:
> I've tried a bunch of different configurations and still can't get
> this to forward through. When I use tcpdump to debug, I get
> client->syn
> server->syn
> client->ack
> *hang*
> From there nothing actually happens.
> If anyone has any other info I'd really appreciate it. I'm not sure
> where to go from here/how to troubleshoot farther.
> Thanks,
> On 3/29/2016 4:59 AM, krad wrote:
> > what network topology are the jails nics on? I presume it's not vnet
> > as that doesn't play well with PF. Your rules hint at the jails
> > being on loopback. If so can you put them on a separate ip on your
> > subnet as pf can still filter them fine there, and you will find
> > the ruleset a bit easier to manage. If those 192 addresses aren't on
> > loopback and are on the same subnet as the host's ip on igb0, why
> > are you natting them? This will probably cause issues.
> >
> > On 28 March 2016 at 21:23, Littlefield, Tyler <tyler@tysdomain.com>
> > wrote:
> >
> > All, sorry for the multiple emails recently. I'm working to get my
> > server set up here so I can begin doing some dev on BHyve once that
> > is all finalized. I am jailing my services like minidlna, samba and
> > unbound and am using PF to forward those. For whatever reason I do
> > not see the ports I specify as open ports, but the individual
> > addresses show them when I connect from within my server. For
> > example, I can telnet 192.168.0.2 445 and that works fine in terms
> > of establishing a connection. I was hoping that someone might see
> > any connection here. Here is my pf.conf.
> >
> > ***
> > if="igb0"
> > addr="10.21.96.128"
> > samba_addr="192.168.0.2"
> > dlna_addr="192.168.0.3"
> > unbound_addr="192.168.0.4"
> > tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> > udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> >
> > set skip on lo
> > set loginterface $if
> > scrub in all
> >
> > #allow jails through
> > nat on $if inet from $samba_addr to any tag jail_samba -> $addr
> > nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
> > nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
> >
> > #portforward to jails.
> > #unbound
> > rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
> > rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
> > #samba
> > rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
> > rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
> > rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
> > rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
> > rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
> > rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
> > rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
> > rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
> >
> > #rules
> > pass quick on lo1
> > pass from igb0:network to any keep state
> >
> > #default policy: deny
> > antispoof quick for { $if lo }
> > block in all
> > #accept TCP ports.
> > pass in on $if proto tcp from any to any port $tcp_services
> > pass in on $if proto udp from any to any port $udp_services
> > ***
>
> --
> Take care,
> Ty
> Twitter: @sorressean
> Web: https://tysdomain.com
> Pubkey: https://tysdomain.com/files/pubkey.asc
>
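As an added example (not code from the thread and not pfctl itself), a small Python approximation of the macro substitution and list expansion pfctl performs when it loads a ruleset, run over a constructed excerpt of the quoted pf.conf; it shows why `pfctl -sr` lists one rule per list item rather than the `$tcp_services` macro. The excerpt, the helper names and the treatment of whitespace and commas as equivalent separators are mine.

```python
import re

# Constructed excerpt of the macros and rules from the quoted pf.conf.
PF_CONF = """\
if="igb0"
addr="10.21.96.128"
unbound_addr="192.168.0.4"
tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
block in all
pass in on $if proto tcp from any to any port $tcp_services
"""

MACRO_DEF = re.compile(r'^(\w+)="([^"]*)"$')

def parse(conf):
    """Split a pf.conf into a macro table and the remaining rule lines."""
    macros, rules = {}, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return macros, rules

def substitute(rule, macros):
    """Replace every $name with its macro value; an undefined macro raises KeyError."""
    return re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], rule)

def expand_lists(rule):
    """Expand one {a b, c} list into one rule per item (commas optional).
    A rule with several lists expands to their cross product, one list at a time."""
    m = re.search(r"\{([^}]*)\}", rule)
    if not m:
        return [rule]
    items = [i for i in re.split(r"[\s,]+", m.group(1).strip()) if i]
    out = []
    for item in items:
        out.extend(expand_lists(rule[:m.start()] + item + rule[m.end():]))
    return out

def expand(conf):
    """Return the flat rule list, roughly what 'pfctl -sr' and 'pfctl -sn' show."""
    macros, rules = parse(conf)
    flat = []
    for rule in rules:
        flat.extend(expand_lists(substitute(rule, macros)))
    return flat

if __name__ == "__main__":
    for r in expand(PF_CONF):
        print(r)
```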


