
Unable to resolve FQDN jails

Discussion in 'Firewalls' started by thegolum35, Nov 9, 2012.

  1. thegolum35

    thegolum35 New Member

    Messages:
    71
    Thanks Received:
    0
    Hello, I'm trying to get my jails working, but I have a problem. Indeed, only ICMP connections work, and I can't pin down the problem.

    Here is my pf.conf
    Code:
    #Macro
    
    int_if = "fxp0"
    
    # Tables
    
    table <flood> persist
    table <*beep**beep**beep**beep*er> persist
    
    # Rules
    
    set skip on lo0
    set skip on lo1
    
    scrub in all
    
    nat on $int_if from lo1 to any -> ($int_if)
    
    antispoof for fxp0 inet
    block log all # Drop all
    
    pass quick log on $int_if proto { icmp icmp6 } # Allow ping
    pass out log on $int_if all
    
    pass in quick on $int_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
    #pass in log on $int_if inet proto tcp from any to 192.168.1.40 port 30000 synproxy state (max-src-conn-rate 3/20, overload <flood> flush global)
    
    #pass in quick log on $int_if proto tcp from 192.168.1.0/24 to 192.168.1.40 port 9050
    #pass in log on $int_if proto tcp from {!192.168.1.0/24, 10.0.0.0/24} to 192.168.1.40 port 9001
    
    pass in quick log on $int_if from 192.168.50.2 to any
    
    #block quick on $int_if from <flood>
    #block quick on $int_if from <*beep**beep**beep**beep*er>


    The commented-out lines are irrelevant to the problem. 192.168.50.2 is the IP of my jail; 192.168.1.0/24 is my network.

    Thank you.
     
  2. SirDice

    SirDice Moderator Staff Member Moderator

    Messages:
    17,622
    Thanks Received:
    2,384
    What exactly is the problem? You can't resolve your jail hostnames or you can't resolve anything inside a jail?
     
  3. thegolum35

    Sorry, I can ping everything, but resolving google.fr, for example, times out.
     
  4. SirDice

    Ah, so it's resolving inside the jail that's the issue. Is /etc/resolv.conf set up properly in the jail?

    There are also no rules allowing TCP/UDP port 53 out for DNS.
     
  5. thegolum35

    Code:
    cat /etc/resolv.conf 
    nameserver 8.8.8.8
    nameserver 8.8.4.4


    And I can see the DNS query go out, and the answer too, but the answer isn't forwarded to the jail.

    I think this rule does that; am I wrong?
    Code:
    pass out log on $int_if all


    Beeblebrox:

    I said that ICMP connections worked, and I had to allow raw sockets for debugging :)
     
  6. SirDice

    It depends, that allows queries back into your network. But you are using Google's DNS servers, so they are external. Somewhere on your network they need a way out.
     
  7. thegolum35

    I only have one interface on my server.
     
  8. SirDice

    Have a look with tcpdump(1). Pay close attention to the source addresses of the queries (the NAT might not work properly).

    # tcpdump -nvvi fxp0 port 53
     
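Following SirDice's advice to watch the source addresses of the DNS queries, here is an added helper (not SirDice's or the poster's code) that pairs queries with replies in `tcpdump -n port 53` text output and reports which address each query left with. The jail address and the sample capture lines are constructed for the example; run it against a real capture with `tcpdump -ni fxp0 port 53 | dns_check` after setting JAIL_IP.

```sh
#!/bin/sh
# Added example, not code from the thread. Pairs DNS queries with their replies
# in "tcpdump -n port 53" output and shows the source address each query used,
# so a NAT rule that rewrites the jail address (or swallows the reply) stands out.
# Assumption: the jail address below and the sample capture are constructed.

JAIL_IP="${JAIL_IP:-192.168.50.2}"

# dns_check reads tcpdump -n lines on stdin and prints one line per query:
#   <txid> <query-src> <name> <jail|NOT-FROM-JAIL> <answered-><reply-dst>|NO-REPLY>
# followed by a summary: queries=N unanswered=N not-from-jail=N
dns_check() {
    awk -v jail="$JAIL_IP" '
    # Query line: "ts IP src.port > server.53: <txid>+ <type>? <name> (len)"
    $5 ~ /\.53:$/ && $6 ~ /^[0-9]+\+/ {
        id = $6; sub(/\+.*/, "", id)                 # strip the "+" (recursion desired) flag
        src = $3; sub(/\.[0-9]+$/, "", src)          # drop the source port
        if (!(id in qsrc)) order[++n] = id
        qsrc[id] = src; qname[id] = $8
        next
    }
    # Reply line: "ts IP server.53 > dst.port: <txid>[flags] a/ns/ar ..."
    $3 ~ /\.53$/ {
        id = $6; sub(/[^0-9].*/, "", id)             # txid may carry flags such as "*" or "-"
        dst = $5; sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst)
        rdst[id] = dst
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            status = ((id in rdst) ? ("answered->" rdst[id]) : "NO-REPLY")
            from = ((qsrc[id] == jail) ? "jail" : "NOT-FROM-JAIL")
            if (!(id in rdst)) una++
            if (qsrc[id] != jail) nfj++
            print id, qsrc[id], qname[id], from, status
        }
        printf "queries=%d unanswered=%d not-from-jail=%d\n", n, una + 0, nfj + 0
    }'
}

# Constructed sample capture: txid 4660 leaves from the jail and is answered,
# 4661 leaves with the host address (what a NAT rule produces on fxp0),
# 4662 never gets a reply.
SAMPLE='12:00:01.000001 IP 192.168.50.2.51234 > 8.8.8.8.53: 4660+ A? google.fr. (27)
12:00:01.020000 IP 8.8.8.8.53 > 192.168.50.2.51234: 4660 1/0/0 A 216.58.215.35 (43)
12:00:02.000001 IP 192.168.1.40.51235 > 8.8.8.8.53: 4661+ A? google.fr. (27)
12:00:02.020000 IP 8.8.8.8.53 > 192.168.1.40.51235: 4661 1/0/0 A 216.58.215.35 (43)
12:00:03.000001 IP 192.168.50.2.51236 > 8.8.4.4.53: 4662+ AAAA? google.fr. (27)'

# dns_check_summary runs the check over the sample and returns the summary line.
dns_check_summary() {
    printf '%s\n' "$SAMPLE" | dns_check | tail -n 1
}

printf '%s\n' "$SAMPLE" | dns_check
```

A query that shows up as NOT-FROM-JAIL while the jail is the only thing resolving tells you the NAT rule rewrote the source; a query with NO-REPLY and a reply visible on the wire for the same txid that never reaches the jail points at the return path (state or translation) rather than the outbound rule.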
  9. thegolum35

    Code:
    tcpdump -nvvi fxp0 port 53

    It seems to work ...

    So the problem is that the server doesn't forward the query to the jail. How can I fix this?
     
  10. SirDice

    Is the jail bound to lo1? And what IP address does it have?
     
  11. thegolum35

    No, it is not. I was looking for this; how do I do that?
    Its IP is 192.168.1.52 (/24).
     
  12. SirDice

    If the jail has 192.168.1.52 then why are the DNS queries coming from 192.168.1.40?
     
  13. thegolum35

    Because of the NAT rule. I know it's not compulsory, but I'd like to do it that way.
     
  14. SirDice

    And it's probably what's causing the issues. Remove it. As you don't have anything bound to lo1 anyway it's rather useless.
     
  15. thegolum35

    But it might work with NAT, no?
     
  16. SirDice

    You don't need NAT.
     
  17. matoatlantis

    matoatlantis Member

    Messages:
    534
    Thanks Received:
    76
    Can you please share the exact network ranges for fxp0 and lo1? As I understood it, your jail IP is behind the lo1 interface.
    Also share the output from:

    # netstat -nrfinet

    This is just my opinion, but it's better to call your external interface "ext_if" rather than "int_if" (short for external/internal). Also, if you start to use macros, use them throughout the whole configuration (e.g. line 10 vs. line 11, not counting blank lines).

    There's more than one way to do it, but as you started creating custom interfaces, you must pay attention to what is and isn't visible to the external network. One way is to put all IPs on fxp0 and set up the jail. You don't need NAT for that.

    Or you can set up the custom interface with a private range and NAT it through the IP on fxp0.
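The two layouts matoatlantis describes, written out as complete rc.conf and pf.conf fragments. This is an added example, not configuration from anyone in the thread. It assumes: fxp0 is the only NIC and carries 192.168.1.40/24 on the host, the resolvers are the 8.8.8.8 and 8.8.4.4 from the poster's resolv.conf, the jail is 192.168.1.52 in layout A and 192.168.50.2 on a cloned lo1 in layout B, and the rc.conf jail_* variables of that era are used (jail.conf on newer releases). Both layouts include the explicit port 53 rule SirDice pointed out was missing; the two pf.conf files are alternatives, pick one.

```pf
# ---- /etc/pf.conf, layout A: jail address is an alias on fxp0, no NAT ----
# /etc/rc.conf (assumed):
#   ifconfig_fxp0="inet 192.168.1.40 netmask 255.255.255.0"
#   ifconfig_fxp0_alias0="inet 192.168.1.52 netmask 255.255.255.255"
#   jail_myjail_ip="192.168.1.52"

ext_if = "fxp0"                 # the only NIC faces the outside world, so call it ext_if
host   = "192.168.1.40"
jail   = "192.168.1.52"
dns    = "{ 8.8.8.8, 8.8.4.4 }"

set skip on lo0
scrub in all

antispoof for $ext_if inet      # same macro in every rule, not "fxp0" in one and $ext_if in the next
block log all

pass quick on $ext_if inet proto icmp

# DNS: explicit rule for port 53 from both addresses. A pass rule keeps state
# by default, so the reply matches the state entry and needs no "pass in".
pass out quick on $ext_if inet proto { tcp, udp } from { $host, $jail } to $dns port 53

pass in  quick on $ext_if inet proto tcp from 192.168.1.29 to $host port ssh
pass out on $ext_if all         # everything else leaving the host or the jail

# ---- /etc/pf.conf, layout B: jail on a cloned lo1 with a private range, NATed ----
# /etc/rc.conf (assumed):
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 192.168.50.2 netmask 255.255.255.255"
#   jail_myjail_ip="192.168.50.2"

ext_if  = "fxp0"
jail_if = "lo1"
jail    = "192.168.50.2"
dns     = "{ 8.8.8.8, 8.8.4.4 }"

set skip on lo0
set skip on $jail_if
scrub in all

# Rewrite the jail's private source address to fxp0's address on the way out.
# A rule written "from lo1" expands to whatever addresses lo1 has when the
# ruleset loads, so it only matches if the jail address really is configured
# on lo1; naming the address avoids that trap. The NAT state also untranslates
# the reply on its way back to the jail.
nat on $ext_if inet from $jail to any -> ($ext_if)

antispoof for $ext_if inet
block log all

pass quick on $ext_if inet proto icmp

# Filter rules see the packet after translation, so do not match on the jail's
# private address here: by now the source is fxp0's address.
pass out quick on $ext_if inet proto { tcp, udp } to $dns port 53
pass in  quick on $ext_if inet proto tcp from 192.168.1.29 to ($ext_if) port ssh
pass out on $ext_if all
```

Check syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. With `tcpdump -ni fxp0 port 53` running, layout A shows the jail's own address in both directions, while layout B shows fxp0's address on the wire and relies on the NAT state to hand the reply back to 192.168.50.2.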