Hi there,
As the thread description says, ping from inside an ezjail to any server on the internet doesn't work.
I set
My rc.conf
My pf.conf
Regards
As the thread description says, ping from inside an ezjail to any server on the internet doesn't work.
Code:
ping: socket: Operation not permitted
I set
# sysctl security.jail.allow_raw_sockets=1
# NOTE(review): this only changes the running kernel's host-wide default; it is
# not persisted in the rc.conf shown below (it would belong in /etc/sysctl.conf),
# so it is lost on reboot. Whether a jail that was already running picks it up
# without a restart, and whether this ezjail/FreeBSD version also needs
# allow.raw_sockets in the jail's own parameters, should be confirmed.
but it still doesn't work. My rc.conf:
Code:
# -- sysinstall generated deltas -- # Sun Apr 11 23:18:56 2010
# Created: Sun Apr 11 23:18:56 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="localhost.localdomain"
# em0's primary address comes from DHCP. The pf.conf binat rules hard-code
# 10.0.2.15 as the external address, so they depend on the lease never changing.
ifconfig_em0="DHCP" #Yes, it's DHCP, but the assigned IP address won't change, so it's OK.
# One /32 alias per jail; these are the addresses the rdr/binat rules in pf.conf
# refer to (192.168.0.3 is not referenced by any pf rule on this page).
ifconfig_em0_alias0="192.168.0.1/32"
ifconfig_em0_alias1="192.168.0.2/32"
ifconfig_em0_alias2="192.168.0.3/32"
keymap="german.iso"
# sshd on the host itself; the jails' sshd are reached through the port-10022/10023
# rdr rules in pf.conf.
sshd_enable="YES"
# "-s -s": syslogd secure mode, no network logging socket (see syslogd(8)).
syslogd_flags="-s -s"
ezjail_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
# NOTE(review): pflog_logfile is set, but there is no pflog_enable="YES" line
# here, so pflogd is not started and nothing is written to this file — confirm.
pflog_logfile="/var/log/pflog"
pf_flags=""
# Turns on IP forwarding (net.inet.ip.forwarding) on the host.
gateway_enable="YES"
# NOTE(review): the security.jail.allow_raw_sockets=1 setting from the post was
# applied with sysctl(8) by hand; nothing here re-applies it at boot.
My pf.conf
Code:
###INTERFACES
# NOTE(review): $if expands to lo0 AND em0, so every "on $if" rule below (the
# rdr rules and the pass in rules) also matches loopback traffic, while
# "set skip on lo0" further down exempts lo0 from filtering — the two pull in
# opposite directions; confirm which is intended.
if = "{ lo0,em0 }"
###SETTINGS
# Blocked packets are silently dropped instead of answered with RST/ICMP unreachable.
set block-policy drop
###OPEN TCP/UDP PORTS
tcp_pass = "{ 22 53 80 }"
# NOTE(review): SSH and HTTP are TCP services; udp/22 and udp/80 are opened here
# (and forwarded by the udp rdr rules below) for no reason visible on this page.
# "{ 53 }" would be the minimal UDP list unless something else needs them.
udp_pass = "{ 22 53 80 }"
# Only ICMP echo requests are accepted inbound (used by the #PING rule).
icmp_types = "echoreq"
###NORMALISATION
scrub in all
#Jail www
# Port 10022 on em0 (and lo0, via $if) is forwarded to the www jail's sshd.
rdr on $if proto tcp from any to any port 10022 -> 192.168.0.1 port 22
rdr on $if proto udp from any to any port 10022 -> 192.168.0.1 port 22
# NOTE(review): binat is a 1:1 bidirectional mapping, yet both jails
# (192.168.0.1 and 192.168.0.2) are mapped to the same external address
# 10.0.2.15 (presumably em0's DHCP address), so the reverse mapping of inbound
# packets is ambiguous. The usual many-to-one form is a single
# "nat on em0 from 192.168.0.0/24 to any -> (em0)"; check what
# "pfctl -nf /etc/pf.conf" says about the rules as written.
binat on em0 proto tcp from 192.168.0.1 to any -> 10.0.2.15
binat on em0 proto udp from 192.168.0.1 to any -> 10.0.2.15
binat on em0 proto icmp from 192.168.0.1 to any -> 10.0.2.15
#Jail sql
# Same pattern for the sql jail on port 10023.
rdr on $if proto tcp from any to any port 10023 -> 192.168.0.2 port 22
rdr on $if proto udp from any to any port 10023 -> 192.168.0.2 port 22
binat on em0 proto tcp from 192.168.0.2 to any -> 10.0.2.15
binat on em0 proto udp from 192.168.0.2 to any -> 10.0.2.15
binat on em0 proto icmp from 192.168.0.2 to any -> 10.0.2.15
# NOTE(review): antispoof expands to filter (block) rules, and "set skip" below
# is an option; pfctl expects options, then normalization, then translation,
# then filter rules, so placing a filter rule before an option may be rejected
# at load time. Verify with "pfctl -nf /etc/pf.conf" that the file loads at all
# before assuming any rule below is active.
antispoof for $if
###TABLES
# Trusted local network; note it also contains the jail aliases 192.168.0.1-3.
table <intranet> { 192.168.0.0/24 }
# NOTE(review): <bruteforce> is only ever read (by the block quick rule below);
# no pass rule carries "(max-src-conn-rate N/M, overload <bruteforce> flush global)",
# so the table stays empty unless filled by hand with "pfctl -t bruteforce -T add".
table <bruteforce> persist
###RULES
set skip on lo0
# Default deny in both directions; a later matching rule overrides it unless an
# earlier one is marked "quick".
block all
block quick from <bruteforce>
# NOTE(review): trust here is by source address only, on any interface. With /32
# aliases, antispoof covers em0's own addresses but not the rest of
# 192.168.0.0/24 arriving on em0, so consider restricting this rule to the jail
# addresses (or to a specific interface) — confirm the intended scope.
pass in quick from <intranet> to any keep state
pass in on $if proto tcp to any port $tcp_pass keep state
pass in on $if proto udp to any port $udp_pass keep state
# All outbound traffic, including ICMP echo from the jails, is allowed, so the
# "ping: socket: Operation not permitted" error is not caused by this ruleset:
# the "socket:" prefix means socket(2) failed before any packet could reach pf
# (raw-socket permission inside the jail).
pass out quick all keep state
#PING
pass in on $if inet proto icmp all icmp-type $icmp_types keep state
#TRACEROUTE
pass in on $if inet proto udp from any to any port 40000 >< 40100 keep state
Regards