From owner-freebsd-questions@FreeBSD.ORG Tue Jan 19 10:05:50 2010
Date: Tue, 19 Jan 2010 17:36:34 +0800
From: "C. C. Tang"
To: questions@freebsd.org
Subject: pf + jail question.

Hi all,

Maybe this question is better posted on -pf or -jail, but I really don't know where the problem is, so I'm posting here first.

I have a FreeBSD-8.0-RELEASE-p2 box with two NICs acting as gateway using pf (with ftp-proxy enabled) in my home network, configured as follows:

LAN: 10.7.13.0/24 (+ tap0 10.7.14.0/24 for VPN)
WAN: IP obtained from ISP.
gateway: 10.7.13.254

When I played with jail, I found that pf didn't block the traffic that it should. For example, I have the following line in pf.conf:

block quick proto tcp from any to any port 21

Then on the host (gateway):

[host] ~> ftp ftp.mozilla.org
ftp: connect: Operation not permitted

In the jail:

[jail1] ~> ftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
...(welcome message)

Another client on the LAN (Windows):

C:\Users\test-user>ftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
Connection closed by remote host.

The ftp-proxy log when the Windows client is connecting:

#5 accepted connection from 10.7.13.1
#5 proxy cannot connect to server 63.245.208.138: Operation not permitted
#5 ending session

My jail's IP is 10.7.13.99, which is within the subnet of the LAN. Does anyone know where the problem is? It seems that the traffic from the jail bypasses the pf filtering rules?
The following is part of my pf.conf:
===================================
ext_if="wan0"
int_if="{ lan0 }"
self="10.7.13.254"
internal_net="{ 10.7.13.0/24, 10.7.14.0/24 }"

scrub in

nat pass on $ext_if from $internal_net to any -> ($ext_if) static-port

# handling FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
no rdr on $int_if proto tcp from $internal_net to $self port 21
rdr pass on $int_if proto tcp from $internal_net to any port 21 -> \
    127.0.0.1 port 8021

anchor "ftp-proxy/*"
block quick proto tcp from any to any port 21
============================

Thanks,
C.C.
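As an added illustration that is not part of C. C. Tang's message: pf.conf(5) defines the `pass` modifier on a `nat` rule as passing matching packets without inspecting the filter rules, so a connection sourced from an address in $internal_net that leaves through $ext_if (a jail address aliased on lan0 is one such case) is translated and passed before `block quick` is ever consulted. The fragment below reuses the poster's macros and shows the translation-only form with the pass decision moved into the filter rules; the final `pass out` rule is my assumption of what the gateway needs, not a rule from the original pf.conf.

```pf
# Added example, not from the original post; same macros as the poster's pf.conf.
ext_if="wan0"
int_if="{ lan0 }"
self="10.7.13.254"
internal_net="{ 10.7.13.0/24, 10.7.14.0/24 }"

scrub in

# Original form: "nat pass" translates AND passes the packet without consulting
# the filter rules, so host-local traffic from $internal_net (such as a jail on
# 10.7.13.99) that exits via $ext_if never meets "block quick ... port 21".
# nat pass on $ext_if from $internal_net to any -> ($ext_if) static-port

# Translation only: the packet still goes through the filter rules below.
nat on $ext_if from $internal_net to any -> ($ext_if) static-port

# FTP handling as in the original; "rdr pass" here is intentional, since it only
# diverts LAN clients arriving on $int_if to the local ftp-proxy.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
no rdr on $int_if proto tcp from $internal_net to $self port 21
rdr pass on $int_if proto tcp from $internal_net to any port 21 -> \
    127.0.0.1 port 8021

anchor "ftp-proxy/*"

# Evaluated for every packet now, including jail-originated ones on $ext_if.
block quick proto tcp from any to any port 21

# Assumed replacement for the pass that "nat pass" used to grant. Filter rules on
# $ext_if see the already-translated packet, so match on the interface, not on
# $internal_net as the source.
pass out on $ext_if keep state
```

After loading, `pfctl -sr` should list the block rule ahead of the pass rule, and `pfctl -ss | grep ':21'` should show no state for an FTP attempt from the jail.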