
Here are the exact details of my configuration:

Firewall/DNS Server: 192.168.2.1 (local LAN) which routes out to the internet. <-- NOT UNDER MY CONTROL
My FreeBSD Server: 192.168.2.23 (LAN)

"Inside" of my server, I have a jail. (I will have more, once my firewall rules are working..) I'm setting this up using ezjail, and that much is working. I want to assign it an alias on my FreeBSD server's loopback device lo0, and to give this jail the IP 127.0.0.10.

So far in my /etc/pf.conf, the following is working:

# allow the outside world or internet to hit my FreeBSD server on port 6500, and forward that traffic to port 6500 on the jail (127.0.0.10)
# verified through nc -l 6500 inside the jail, and telnet in from the outside world
rdr pass on em0 inet proto tcp from any to 192.168.2.23 port = 6500 -> 127.0.0.10 port 6500

However, I have 2 more needs:

1) The jail must be able to send TCP traffic to any INTERNET IP (not 192.* or 127.*) on ports 5555 or 7070 or TBD
2) The jail must be able to send TCP traffic to 192.168.2.1 on the DNS port only (I MUST use this as an NS because of the way the main firewall, which is out of my control, is set up; I cannot change that)

And I have no idea how to set up pf to do this. Any help would be appreciated; exact pf.conf lines would be EXTREMELY appreciated. I'm not a networking guy. I have read many, many FAQs and man pages on this, and it always ends up that I'm either following the pf >4.5 syntax or I'm totally confused by what they are digging into. What I list here is literally everything my "firewall" needs to do, so it's frustrating to do so much research and only get 1/3 of it going; this seems like a very basic use case.

Supporting info:

In rc.conf I've set up:

defaultrouter="192.168.2.1"
ifconfig_em0="inet 192.168.2.23  netmask 255.255.255.0"
ifconfig_lo0_alias0="inet 127.0.0.10 netmask 255.255.255.0"
pf_enable="YES"
gateway_enable="YES"            # Enable as LAN gateway

My ifconfigs give me:

server# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:fc:6f:48
    inet 192.168.2.23 netmask 0xffffff00 broadcast 192.168.2.255
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
    inet6 ::1 prefixlen 128 
    inet 127.0.0.1 netmask 0xff000000 
    inet 127.0.0.10 netmask 0xffffff00 
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>


jail# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether 00:0c:29:fc:6f:48
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet 127.0.0.10 netmask 0xffffff00

2 Answers


I'm a little rusty with PF, but are you looking for something like this?

# translate outbound traffic to the NAT address (newer match/nat-to syntax)
match out on [interface] from 192.168.2.23 to any nat-to [ip]

# port matching needs a protocol; pf will not accept "port" without tcp/udp
pass on [interface] proto tcp from 192.168.2.23 to !192.168.0.0/24 port { 7070, 5555 }

# DNS to the LAN resolver only (UDP for normal queries, TCP for large answers)
pass on [interface] proto { tcp, udp } from 192.168.2.23 to 192.168.2.1 port domain

I've always found both the OpenBSD PF documentation and this site to be handy...

Edit:

# translate the jail's outbound traffic to the NAT address
match out on [interface] from 127.0.0.10 to any nat-to [ip]

# DNS to the LAN resolver; "port domain" needs a protocol to match on
pass quick on [interface] proto { tcp, udp } from 127.0.0.10 to 192.168.2.1 port domain

# everything else from the jail may only go outside the LAN
pass on [interface] from 127.0.0.10 to !192.168.2.0/24

I believe that's what you are looking for based on the comment you left.

  • That looks good maybe but the rules are on 192.168.2.23 with the NAT'd IP of 127.0.0.10 behind it.. is there a mistake in what you have here (I don't see 127.0.0.10) or where I see "interface" should I be creating an aliased interface or something? – Nektarios May 19 '11 at 13:33
  • I'm not sure I understand your setup, the NATing behind the 127.0.0.10 part. But yes, in the [interface] part you can put any interface that FreeBSD sees. – Alex May 19 '11 at 13:36
  • +1 for the example and adding references to the websites. – jftuga May 19 '11 at 13:43
  • I'm having 192.168.2.23 act as a firewall in front of a jail that has been given IP 127.0.0.10 and am trying to control the traffic from 127.0.0.10 and leave 192.168.2.23 fully unrestricted – Nektarios May 19 '11 at 13:58
  • One more question - what's [ip] supposed to be? IP of what? – Nektarios May 19 '11 at 14:22
  • The IP that you will NAT behind. – Alex May 19 '11 at 14:43
  • This doesn't work at all, I'm using PF < 4.5 so this syntax is incorrect – Nektarios May 20 '11 at 03:41
allowed_bounce_ports="{ 21, 23 }"

# DNS to the LAN resolver only; ordinary queries are UDP and large answers use TCP, so translate both
nat on em0 proto { tcp, udp } from 127.0.0.10 to 192.168.2.1 port = domain -> em0
# Bounce ports to anything outside the LAN. The LAN is 192.168.2.0/24, so the exclusion
# has to cover it: !192.168.0.0/24 would still let the jail reach other 192.168.2.x hosts
nat on em0 proto tcp from 127.0.0.10 to !192.168.0.0/16 port $allowed_bounce_ports -> em0

# Inbound: forward the host's port 6500 to the jail
rdr pass on em0 inet proto tcp from any to 192.168.2.23 port = 6500 -> 127.0.0.10 port 6500

Thanks to jhell on freenode #freebsd (and thanks to me, finally figured most of it out)
