
I am confused. I thought I understood those basics, but now I'm not quite sure any more...

Considering this configuration:

cloned_interfaces="lo7"

ifconfig_bce0="dhcp"
ifconfig_bce0_alias0="inet 192.168.0.1/24"

ifconfig_lo7="inet 192.168.0.2/24"

And this lease from DHCP:

lease {
  fixed-address 65.145.212.48;
  next-server 65.145.16.19;
  filename "pxelinux.0";
  option subnet-mask 255.255.255.0;
  option routers 65.145.212.1;
  option domain-name-servers 65.145.16.6,65.145.16.7;
  option domain-name "online.net";
  option dhcp-server-identifier 65.145.18.5;
}

My beliefs are:

  • If a packet is sent through 192.168.0.2 to 65.145.212.1, lo7 is traversed "out" to bce0, and bce0 is traversed "out" to the router
  • Interfaces are traversed "in" by packets coming into the machine and traversed "out" by packets leaving for another physical machine
  • rdr rules apply to packets that are "in" on an interface so that they are "in" on a different IP address, and thus may be on another interface
  • nat rules apply to packets that are "out" from an interface so that they are "out" on another IP address, and thus may be on another interface

I would like to know if those are correct assumptions!

Not only am I quite new to server administration and have never studied that topic properly at school, but English is not my primary language, and even though I'm not too bad at it, some tech concepts remain quite blurred... I think that something well explained in English or well translated into French should be sufficient for me to understand!

Psyloh
  • I think [this](http://serverfault.com/a/443041/126632) covers your question. – Michael Hampton Mar 28 '17 at 01:18
  • Ok, that's what I thought... That means, if I rdr an incoming packet from my ext_if to some other interface, I can't control packets on that specific interface with something like `pass in on lo7...`? In that case, this should be correct: `rdr on $ext_if proto tcp to ($ext_if) port $some -> $int_ip port $some` then `pass in quick on $ext_if proto tcp to $int_ip port $some keep-state ($ks_rules)`? Is there a way to emulate "in" and "out" on virtual interfaces like vlan + bridge? – Psyloh Mar 28 '17 at 07:26
  • No, in fact your link doesn't cover my question... I think that if I can `set skip on lo0`, that means a pseudo-interface can be considered traversed "in" or "out"... But packets from one jail to another are not coming from outside the machine, so how are these treated by PF..? And if they have to pass through a gateway IP on the ext_if to reach the other jail, are they "in" or "out"?? – Psyloh Mar 28 '17 at 18:30
  • Something goes "out" one jail and "in" another. It's just English. – Michael Hampton Mar 28 '17 at 20:05
  • I'm talking about "in" and "out" in the scope of packet filter rules. Your previous link stated that "in" means coming into the machine and "out" means going out from the machine, but traffic between pseudo-interfaces doesn't leave the machine, and so I wonder how pf considers such packets. E.g. lo7 (192.168.0.2), lo8 (192.168.0.3), and an alias on ext_if that is the gateway for both cloned lo interfaces (192.168.0.1): if lo7 starts communicating with lo8, does pf see the packet "out" from lo7 and "in" on lo8? I heard about tcpdump and pflog, and I will perform some tests tomorrow; I guess it will be interesting! – Psyloh Mar 28 '17 at 21:40
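To make the rdr/pass pairing discussed in the comments concrete, here is an added example pf.conf. It is not part of the original question or any answer; it only reuses the interface names and addresses from the posted rc.conf (bce0 as the DHCP-configured external interface, 192.168.0.1 as its alias, 192.168.0.2 on the cloned lo7). The service port 8080 is a hypothetical choice, and plain `keep state` stands in for whatever the asker's `$ks_rules` would contain.

```pf
# Added example pf.conf; interfaces and addresses come from the rc.conf in the
# question, the service port is hypothetical.
ext_if   = "bce0"
jail_if  = "lo7"
jail_ip  = "192.168.0.2"
jail_net = "192.168.0.0/24"
svc_port = "8080"            # hypothetical service port inside the jail

# lo0 is left unfiltered. Note that this does not cover lo7, which is a
# separate cloned interface.
set skip on lo0

# Translation rules are evaluated before the filter rules.
# nat: packets leaving bce0 with a source in the jail network get bce0's
# current (DHCP-assigned) address as their source.
nat on $ext_if from $jail_net to any -> ($ext_if)
# rdr: packets arriving on bce0 for bce0's address on the service port get
# their destination rewritten to the jail address.
rdr on $ext_if proto tcp from any to ($ext_if) port $svc_port -> $jail_ip port $svc_port

# Default deny, logged to pflog0 so the direction and interface pf records
# for each packet can be inspected.
block log all

# Because rdr has already rewritten the destination, the filter rule on bce0
# matches the jail address, not the public one.
pass in  log quick on $ext_if proto tcp from any to $jail_ip port $svc_port keep state
# Replies and outbound connections from the host and the jail leave on bce0.
pass out log quick on $ext_if keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and compare what pf actually installed with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules). Because the rules above carry `log`, `tcpdump -n -e -ttt -i pflog0` prints, for every logged packet, the matching rule number, whether pf treated it as `in` or `out`, and on which interface; that is the test the asker mentions for seeing how traffic between lo7 and lo8 is classified.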

0 Answers