On Fri, 5 Feb 2010 19:47, peter@ wrote:
Hi Maurice,
Yes, you can do it without much difficulty and I've got my server
set up in that manner: there are about twenty separate jails that can
access the internet via specific NAT rules and incoming services
handled via RDR rules. Note: you won't be able to ping from a jail,
unless you want to allow your jailed processes to create raw sockets
(you don't) :-)
There's probably many ways it can be done, but what I did was something like:
i) create a second loopback interface, lo1 (c.f. cloned interfaces)
and assign appropriate alias netblocks for your jails on that
interface;
ii) create your pf.conf, set skip on lo0 but not the external or lo1 interface;
iii) I'd set "set state-policy if-bound" so you know what's going on;
iv) don't use the antispoof keyword, it will make a mess in this situation;
v) setting up bind to handle local dns resolution is a good idea -
point your jails towards this and you'll need to add in an appropriate
rule(s) later on;
vi) set up outgoing NAT rules, e.g.
nat on $ext_if inet from $int_ip_smtp to ! $int_lo1_if:network port smtp -> $ext_ip
vii) set up incoming services, e.g.
rdr on $ext_if proto tcp from any to $ext_ip port smtp -> $int_ip_mail port smtp
viii) put in pass rules to allow NAT out and RDR in; remember NAT is
done first, so your outgoing packets ALL have the source IP of the
external IP now and not the jail IP
pass out log on $ext_if proto tcp from $ext_ip to any port smtp flags S/SA modulate state
pass in log on $ext_if proto tcp from any to $int_ip_mail port smtp flags S/SA modulate state
ix) allow the jail implicit access to itself
pass log on $int_lo1_if proto { udp, tcp } from $int_ip_mail to $int_ip_mail flags S/SA keep state
x) add in rules to allow any interjail communication as needed
(remember the incoming/outgoing packets appear the other way round
here - use tcpdump to check if in doubt)
If you have any problems, run tcpdump in a separate terminal window to
determine what's going on.
Peter
On 5 February 2010 22:53, Maurice <[email protected]> wrote:
Hi,
I have been looking for a couple of days now, with no luck, for some direction
as to whether I can successfully configure my FreeBSD to NAT with only one
NIC. This is because I am setting up my system to jail my webserver, and I
don't think I can get it to work without NATting it. If you have an
alternate solution that would be great too. This is what my pf.conf looks
like right now:
# $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.6.1 2009/04/15 03:14:26 kensmith Exp $
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
block in all
block out all
ext_if="fxp0"
#int_if="int0"
all_if="{fxp0, lo0}"
#Internal network subnet
int_net="10.0.0.0/32"
#name and IP of webserver
APACHE="10.0.0.1"
#table <spamd-white> persist
set skip on lo
scrub in
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
# -> 127.0.0.1 port spamd
#anchor "ftp-proxy/*"
#pass out
#pass quick on $int_if no state
#antispoof quick for { lo $int_if }
block in quick from urpf-failed
pass in on $ext_if proto tcp to ($ext_if) port ssh synproxy state
rdr on $all_if proto tcp from any to fxp0 port 80 -> $APACHE port 80
nat on $ext_if from $APACHE to any -> fxp0
Your placement of nat and redirect rules is a little bit worrisome.
pf.conf, as stated by its manual page, is ordered (see the following):
# [Macros] i.e. variable=lo1
# [Options] i.e. set etc.. etc..
# [Normalization] i.e. scrub
# [Queuing] i.e. ALTQ
# [Translation] i.e. NAT RDR etc...
# [Filtering] i.e. pass & block rules
Beware that there is quite the change for rule-sets ahead if the newer
version of pf that is in the works for OpenBSD ever makes it downstream to
FreeBSD.
I personally do not know if the way you have your rule-set configured would
cause any havoc with NAT since you have it mingled between filtering rules
but it would be good practice to stick to what's already drawn in the
manual page.
Best of luck.
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
That doesn't seem to be doing the trick, since I can't ping and DNS won't
resolve anything from within the jail (APACHE). I am going off some examples
I found that would seem to suggest it is possible with only one NIC, but I
can't seem to get it to work. Any help/advice would be greatly appreciated.
thanks,
Maurice
--
jhell
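The lo1 layout Peter describes in steps i) to x), worked through as a complete added example that is not from any of the three posters: a sh script for FreeBSD that renders the rc.conf lines and a pf.conf laid out in the section order jhell quotes from pf.conf(5), refuses to load a ruleset whose sections are out of that order (the check fails on the config Maurice posted, where `block in all` precedes `set skip` and the nat/rdr rules follow a pass rule, which is what pfctl itself rejects), and applies it with ifconfig and pfctl when run as root with `apply`. The fxp0 interface, the 203.0.113.10 external address, the 10.0.0.0/24 jail block, the www and mail jail addresses and the script name jailpf.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: jails on a cloned loopback (lo1) behind pf
# NAT/RDR on a one-NIC FreeBSD host, following Peter's steps i) to x). Assumed names:
EXT_IF="fxp0"
EXT_IP="203.0.113.10"   # assumed public address (RFC 5737 documentation range)
JAIL_IF="lo1"
JAIL_GW="10.0.0.1"      # host's own address on lo1; BIND listens here for the jails
JAIL_NET="10.0.0.0/24"
IP_WWW="10.0.0.2"       # www jail
IP_MAIL="10.0.0.3"      # mail jail
# Step i): persistent lo1 with one /32 alias per jail, plus pf at boot.
render_rc_conf() {
cat <<EOF
cloned_interfaces="$JAIL_IF"
ifconfig_${JAIL_IF}="inet $JAIL_GW netmask 255.255.255.0"
ifconfig_${JAIL_IF}_alias0="inet $IP_WWW netmask 255.255.255.255"
ifconfig_${JAIL_IF}_alias1="inet $IP_MAIL netmask 255.255.255.255"
pf_enable="YES"
pflog_enable="YES"
EOF
}

# Steps ii) to x) as a pf.conf in pf.conf(5) section order.
render_pf_conf() {
cat <<EOF
# [Macros] (values substituted by the shell)
ext_if="$EXT_IF"
ext_ip="$EXT_IP"
jail_if="$JAIL_IF"
jail_gw="$JAIL_GW"
jail_net="$JAIL_NET"
ip_www="$IP_WWW"
ip_mail="$IP_MAIL"
EOF
cat <<'EOF'
# [Options] skip lo0 only; lo1 carries jail traffic and is filtered
set skip on lo0
set state-policy if-bound
# [Normalization]
scrub in on $ext_if all
# [Translation] NAT runs before filtering: the filter rules below see $ext_ip as
# the source of outgoing jail traffic and the jail IP as the rdr'd destination.
nat on $ext_if inet proto { tcp, udp } from $ip_www to ! $jail_net -> $ext_ip
nat on $ext_if inet proto tcp from $ip_mail to ! $jail_net port smtp -> $ext_ip
rdr on $ext_if inet proto tcp from any to $ext_ip port http -> $ip_www port http
rdr on $ext_if inet proto tcp from any to $ext_ip port smtp -> $ip_mail port smtp
# [Filtering] default deny; no antispoof (step iv)
block in log all
block out log all
pass in on $ext_if inet proto tcp from any to $ext_ip port ssh flags S/SA synproxy state
pass out on $ext_if inet proto { tcp, udp } from $ext_ip to any port domain keep state
pass out on $ext_if inet proto tcp from $ext_ip to any port { http, https } flags S/SA modulate state
pass out on $ext_if inet proto tcp from $ext_ip to any port smtp flags S/SA modulate state
pass in on $ext_if inet proto tcp from any to $ip_www port http flags S/SA modulate state
pass in on $ext_if inet proto tcp from any to $ip_mail port smtp flags S/SA modulate state
# on lo1: each jail to itself (step ix), to the host's BIND (step v), www to mail (step x)
pass on $jail_if inet proto tcp from $ip_www to $ip_www flags S/SA keep state
pass on $jail_if inet proto udp from $ip_www to $ip_www keep state
pass on $jail_if inet proto tcp from $ip_mail to $ip_mail flags S/SA keep state
pass on $jail_if inet proto udp from $ip_mail to $ip_mail keep state
pass on $jail_if inet proto { tcp, udp } from $jail_net to $jail_gw port domain keep state
pass on $jail_if inet proto tcp from $ip_www to $ip_mail port smtp flags S/SA keep state
EOF
}
# Reject a pf.conf (on stdin) whose sections are out of the order pfctl enforces:
# options, normalization, queueing, translation, filtering. Macros, tables,
# comments and blank lines may appear anywhere and are ignored.
check_rule_order() {
awk 'function rank(l) {
       if (l ~ /^set /) return 2
       if (l ~ /^scrub /) return 3
       if (l ~ /^(altq|queue) /) return 4
       if (l ~ /^(nat|rdr|binat|no (nat|rdr|binat)|(nat|rdr|binat)-anchor) /) return 5
       if (l ~ /^(pass|block|antispoof|anchor) /) return 6
       return 0 }
     BEGIN { seen = 0; bad = 0; name[2] = "options"; name[3] = "normalization"
             name[4] = "queueing"; name[5] = "translation"; name[6] = "filtering" }
     { r = rank($0); if (r == 0) next
       if (r < seen) { printf "line %d: \"%s\" must precede the %s section\n", NR, $0, name[seen]; bad = 1 }
       if (r > seen) seen = r }
     END { exit bad }'
}
# Step i) live, then load the ruleset only if it is well ordered and parses.
apply() {
  [ "$(id -u)" -eq 0 ] || { echo "apply: run as root" >&2; return 1; }
  ifconfig "$JAIL_IF" create 2>/dev/null || true
  ifconfig "$JAIL_IF" inet "$JAIL_GW" netmask 255.255.255.0
  ifconfig "$JAIL_IF" inet "$IP_WWW" netmask 255.255.255.255 alias
  ifconfig "$JAIL_IF" inet "$IP_MAIL" netmask 255.255.255.255 alias
  render_pf_conf > /etc/pf.conf.new
  check_rule_order < /etc/pf.conf.new || return 1
  pfctl -nf /etc/pf.conf.new || return 1     # parse only, do not load
  mv /etc/pf.conf.new /etc/pf.conf && pfctl -ef /etc/pf.conf
}

case "${1:-}" in
  apply) apply ;;  rc) render_rc_conf ;;  pf) render_pf_conf ;;  check) check_rule_order ;;
esac
```

`sh jailpf.sh pf` prints the ruleset, `sh jailpf.sh check < /etc/pf.conf` checks an existing file's section order, `sh jailpf.sh rc` prints the lines to add to /etc/rc.conf, and `apply` as root does the live setup. The udp rules are written separately from the tcp ones because `flags S/SA` only applies to tcp. Whether a jail's traffic to itself and to the host's BIND actually crosses lo1, and so needs the lo1 pass rules, depends on the routing table; as Peter says, `tcpdump -ni lo1` settles which interface you are filtering on.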
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"