Date:      Wed, 30 Mar 2016 11:24:39 -0400
From:      "Littlefield, Tyler" <tyler@tysdomain.com>
To:        krad <kraduk@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: question re: PF and forwarding
Message-ID:  <56FBEFB7.2010704@tysdomain.com>
In-Reply-To: <CALfReyfFtA-=J%2BoL%2B8CevUfh7Ud6hRuUrEuER8kEBxAyg9FUyQ@mail.gmail.com>
References:  <56F992AA.7070409@tysdomain.com> <CALfReyeXphbXz3CMmNya69fd7ZtEMfR3impd%2BuOcQzpSJhgv=A@mail.gmail.com> <56FB4076.3040501@tysdomain.com> <CALfReyfFtA-=J%2BoL%2B8CevUfh7Ud6hRuUrEuER8kEBxAyg9FUyQ@mail.gmail.com>

On 3/30/2016 4:27 AM, krad wrote:
> I think your service lines have to be comma delimited, check the
> output of pfctl -sr as this will tell you what rules actually made
> it in, and all macros will be expanded
> 
> 
I forget the command, but it's -sl or -sn. I added that to my pf.conf
on a note from someone in IRC and didn't get anywhere. The port is
still refusing to forward. I've also changed subnets as well. I'm not
really sure what else to try, I've moved the jails from running on
igb0 to lo1 to see if that worked and back again.
> On 30 March 2016 at 03:56, Littlefield, Tyler <tyler@tysdomain.com> wrote:
> 
> A bit more info: I've tried a bunch of different configurations and
> still can't get this to forward through. When I use tcpdump to
> debug, I get client->syn server->syn client->ack *hang* - From there
> nothing actually happens. If anyone has any other info I'd really
> appreciate it. I'm not sure where to go from here/how to
> troubleshoot farther. Thanks,
>
> On 3/29/2016 4:59 AM, krad wrote:
>> What network topology are the jails' NICs on? I presume it's not
>> vnet as that doesn't play well with PF. Your rules hint at the
>> jails being on loopback. If so, can you put them on a separate IP
>> on your subnet, as pf can still filter them fine there, and you
>> will find the ruleset a bit easier to manage. If those 192
>> addresses aren't on loopback and are on the same subnet as the
>> host's IP on igb0, why are you NATting them? This will probably
>> cause issues.
> 
> 
> 
>> On 28 March 2016 at 21:23, Littlefield, Tyler <tyler@tysdomain.com> wrote:
> 
>> All, sorry for the multiple emails recently. I'm working to get
>> my server set up here so I can begin doing some dev on BHyve once
>> that is all finalized. I am jailing my services like minidlna
>> samba and unbound and am using PF to forward those. For whatever
>> reason I do not see the ports I specify as open ports, but the
>> individual addresses show them when I connect from within my
>> server. For example, I can telnet 192.168.0.2 445 and that works
>> fine in terms of establishing a connection. I was hoping that
>> someone might see any connection here. Here is my pf.conf.
>> ***
>> if="igb0"
>> addr="10.21.96.128"
>> samba_addr="192.168.0.2"
>> dlna_addr="192.168.0.3"
>> unbound_addr="192.168.0.4"
>> tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
>> udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
>>
>> set skip on lo
>> set loginterface $if
>> scrub in all
>>
>> #allow jails through
>> nat on $if inet from $samba_addr to any tag jail_samba -> $addr
>> nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
>> nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
>> #portforward to jails.
>> #unbound
>> rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
>> rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
>> #samba
>> rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
>> rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
>> rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
>> rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
>> rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
>> rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
>> rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
>> rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
>>
>> #rules
>> pass quick on lo1
>> pass from igb0:network to any keep state
>>
>> #default policy: deny
>> antispoof quick for { $if lo }
>> block in all
>> #accept TCP ports.
>> pass in on $if proto tcp from any to any port $tcp_services
>> pass in on $if proto udp from any to any port $udp_services
>> ***
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc
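As an added illustration of what krad's `pfctl -sr` suggestion exposes (macros substituted, `{ ... }` lists fanned out into one rule each), the following is example code written for this page; it is not pf, pfctl, or anything the poster ran. It models the expansion step of pf.conf loading in Python so it can be run anywhere, without a FreeBSD kernel. The embedded config is a constructed, trimmed copy of the pf.conf quoted above; the function names (`load_ruleset`, `forwarded_ports`, `undefined_macros`) and the simplified grammar (comments cut at `#` without honouring quotes, rdr rules assumed to carry a `proto` keyword) are this example's own assumptions.

```python
"""Toy model of pfctl's macro and list expansion (example code, not pfctl)."""
import itertools
import re

# Constructed sample: a trimmed copy of the pf.conf quoted in the thread.
SAMPLE_PF_CONF = """\
if="igb0"
addr="10.21.96.128"
samba_addr="192.168.0.2"
unbound_addr="192.168.0.4"
tcp_services="{ssh 53 netbios-ssn microsoft-ds}"

set skip on lo
scrub in all
#allow jails through
nat on $if inet from $samba_addr to any tag jail_samba -> $addr
#portforward to jails
rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
block in all
pass in on $if proto tcp from any to any port $tcp_services
"""

MACRO_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?(.*?)"?$')
REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
LIST_RE = re.compile(r'\{([^}]*)\}')


def strip_comment(line):
    # Assumption: '#' always starts a comment (quoted '#' is not handled here).
    return line.split('#', 1)[0].strip()


def expand_macros(line, macros):
    # pfctl substitutes $name before parsing; macros may reference other macros.
    for _ in range(16):
        def sub(m):
            name = m.group(1)
            if name not in macros:
                raise ValueError(f"macro '{name}' not defined")
            return macros[name]
        new = REF_RE.sub(sub, line)
        if new == line:
            return line
        line = new
    raise ValueError("macro expansion too deep (self-referencing macro?)")


def expand_lists(line):
    # A {a b c} or {a, b, c} list yields one rule per element; several lists
    # on one line give the cartesian product, as pfctl's expansion does.
    parts = LIST_RE.split(line)  # even indices: literal text, odd: list bodies
    alternatives = []
    for i, part in enumerate(parts):
        if i % 2 == 1:
            alternatives.append([x for x in re.split(r'[\s,]+', part.strip()) if x])
        else:
            alternatives.append([part])
    return [''.join(combo) for combo in itertools.product(*alternatives)]


def load_ruleset(text):
    """Return (translation, filters, options): roughly what pfctl -sn / -sr list."""
    macros, translation, filters, options = {}, [], [], []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = expand_macros(m.group(2), macros)
            continue
        for rule in expand_lists(expand_macros(line, macros)):
            rule = ' '.join(rule.split())
            kind = rule.split()[0]
            if kind in ('nat', 'rdr', 'binat'):
                translation.append(rule)
            elif kind in ('set', 'scrub'):
                options.append(rule)
            else:
                filters.append(rule)
    return translation, filters, options


def forwarded_ports(translation):
    """Summarise rdr rules as (proto, dest_port, target_addr, target_port)."""
    pat = re.compile(r'^rdr\b.*?\bproto (\S+)\b.*?\bport (\S+) -> (\S+) port (\S+)$')
    return [m.groups() for m in map(pat.match, translation) if m]


def undefined_macros(text):
    """Names referenced as $name but never defined (pfctl refuses to load these)."""
    defined, missing = set(), []
    for raw in text.splitlines():
        line = strip_comment(raw)
        m = MACRO_RE.match(line)
        body = m.group(2) if m else line
        for name in REF_RE.findall(body):
            if name not in defined and name not in missing:
                missing.append(name)
        if m:
            defined.add(m.group(1))
    return missing


if __name__ == '__main__':
    translation, filters, options = load_ruleset(SAMPLE_PF_CONF)
    print('# translation rules (compare with pfctl -sn)\n' + '\n'.join(translation))
    print('# filter rules (compare with pfctl -sr)\n' + '\n'.join(filters))
    for proto, dport, target, tport in forwarded_ports(translation):
        print(f'{proto}/{dport} is redirected to {target}:{tport}')
```

Running it prints the expanded rules in load order, so a service name or port that silently never made it into a rule stands out; on the real box `pfctl -sn` and `pfctl -sr` are the authoritative view, and this script only reproduces the expansion step. The expander treats commas and whitespace inside braces alike, which is what pf.conf's grammar permits (commas between list elements are optional).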


