Blocking the jails when PF is on

Dear community,

After a long time of getting clever hints from this forum I am at a dead end and hope some clever user can help me out. Problem: When activating PF, I cannot reach the jails anymore. Configuration: I have four real IPs as aliases on the NIC in the base system. Each of those aliases is used by a jail (ezjail), and the jails are running different services which are all accessible from the internet via their alias IPs (until I activate PF).

PF is installed in the base system - this is the pf.conf:

Code:
### INTERFACE ###
if = "{ re0 }"
mail = 144.x.x.138
www = 144.x.x.139


### SETTINGS ###
#set block-policy drop

### OPEN PORTS ###
#General
tcp_pass = "{ ssh }"
udp_pass = "{ }"

#Jail Mail
tcp_pass_mail = "{ smtp smtps pop3 pop3s imap imaps }"
udp_pass_mail = "{ }"

#Jail Web
tcp_pass_www = "{ http https ftp ftp-data 9987 10123 10081 10091 30033 41144 10011 }"
udp_pass_www = "{ 9987 10123 10081 10091 }"

#Portsentry
tcp_honey="{1 11 15 111 540 635 1080 1524 2000 12345 12346 20034 32771 32772 32773 32774 49724 54320}"
udp_honey="{1 7 9 69 161 162 513 640 700 32770 32771 32772 32773 32774 31337 54321}"

icmp_types = "echoreq"

### NORMALISATION ###
scrub in all
#antispoof for $if  ##CAUTION! BLOCKS EVERYTHING?

### TABLES ###
table <intranet> { 212.x.x.x, !91.x.x.x }
table <bruteforce> persist
table <sshguard> persist

### RULES ###
set skip on lo0
block all
pass in quick from <intranet> to any keep state

block quick from <bruteforce>
block quick from <sshguard>

pass in on $if proto tcp from any to any port $tcp_pass flags S/SA keep state
#pass in on $if proto udp to any port $udp_pass keep state

pass in on $if proto tcp from any to $mail port $tcp_pass_mail flags S/SA keep state 
#pass in on $if proto udp to $mail port $udp_pass_mail keep state

pass in on $if proto tcp from any to $www port $tcp_pass_www flags S/SA keep state 
pass in on $if proto udp to $www port $udp_pass_www keep state


pass out quick all keep state

# PING #
pass in on $if inet proto icmp all icmp-type $icmp_types keep state

# TRACEROUTE #
pass in on $if inet proto udp from any to any port 33433 >< 33626 keep state

This produces these rules:

Code:
scrub in all fragment reassemble
block drop all
pass in quick from <intranet> to any flags S/SA keep state
block drop quick from <bruteforce> to any
block drop quick from <sshguard> to any
pass in on re0 inet proto tcp from any to 144.x.x.139 port = http flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = https flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = ftp flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = ftp-data flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = 9987 flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = 10123 flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = 10081 flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = 10091 flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = 30033 flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = 41144 flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.139 port = 10011 flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.138 port = smtp flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.138 port = smtps flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.138 port = pop3 flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.138 port = pop3s flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.138 port = imap flags S/SA keep state
pass in on re0 inet proto tcp from any to 144.x.x.138 port = imaps flags S/SA keep state
pass in on re0 inet proto udp from any to 144.x.x.139 port = 9987 keep state
pass in on re0 inet proto udp from any to 144.x.x.139 port = 10123 keep state
pass in on re0 inet proto udp from any to 144.x.x.139 port = 10081 keep state
pass in on re0 inet proto udp from any to 144.x.x.139 port = 10091 keep state
pass in on re0 proto tcp from any to any port = ssh flags S/SA keep state
pass out quick all flags S/SA keep state
pass in on re0 inet proto icmp all icmp-type echoreq keep state
pass in on re0 inet proto udp from any to any port 33433 >< 33626 keep state
block drop in all

Pretty lost, I found out that tcpdump doesn't seem to see any packets when activating PF, but this may be a different problem.

Code:
[root@bsd]# tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

After sitting for hours and hours on that problem I am getting more and more frustrated - but the chance that someone here kicks me in the right direction gives me hope :-)
 
Well, this might be a good read. Basically it boils down to the need for setting up NAT or forwarding rules so that your host system basically serves as an interface between the jails and the outside.

I haven't tried any of this myself yet (so far I'm only using a local jail and am only in the process of preparing to move some services into it), but hopefully it gives you some useful tips nonetheless.
 
Dear @ShelLuser,

Thanks for the hint! I will read through that thread instantly, but I think the rdr/nat (redirect and NAT rules) thing is more suitable for "internal" IPs rather than for real routable IPs.
 
licht77 said:
Shame on me - I didn't see the obvious for several hours: the last line which added a "block all" :-)

pf uses a "last matching rule wins" strategy, that is why that "block drop in all" rule kicked in.

If you had added "block log all" you would have noticed that. Failing to use "log" in a "block" rule is like being an electrician who forgets to use his voltmeter ;)

Note that you can add "quick" to those rules that need to take effect immediately:
Code:
pass in quick on $if proto tcp from any to any port $tcp_pass

And stop torturing yourself with the pre-historic "flags S/SA keep state" stuff. For many years pf has kept state by default ;).
 
I tend to write my PF rules in this order to keep the default block rules at the beginning:

  • Default block rule(s).
  • Rules to block unwanted/malicious traffic.
  • Pass out rules.
  • Pass in rules.

I mostly use quick on the pass out/pass in rules and on rules for blocking unwanted traffic to keep the logic as simple as possible.
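
The "last matching rule wins" and "quick" behaviour discussed in the replies above, as an added example that is not part of the original thread: a small Python model of pf's rule walk, run over a condensed copy of the loaded ruleset. The `Rule` class, the `evaluate` function and the sample packets are hypothetical and constructed for illustration; state tracking is not modelled, so only the first packet of a connection is considered.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out", or None for both
    quick: bool = False
    proto: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # A field left as None matches anything, like "any"/"all" in pf.
        fields = ("direction", "proto", "dst", "port")
        return all(getattr(self, f) in (None, pkt[f]) for f in fields)

def evaluate(rules, pkt):
    """Return (action, rule index). Last matching rule wins; quick stops the walk."""
    verdict = ("pass", None)  # pf passes a packet that no rule matches
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            verdict = (rule.action, i)
            if rule.quick:
                break
    return verdict

WWW = "144.x.x.139"  # redacted address as it appears in the thread

# Condensed from the loaded ruleset shown in the thread (one pass rule per kind).
LOADED = [
    Rule("block"),                                      # block drop all
    Rule("pass", "in", proto="tcp", dst=WWW, port=80),  # ... port = http
    Rule("pass", "in", proto="tcp", port=22),           # ... port = ssh
    Rule("pass", "out", quick=True),                    # pass out quick all
    Rule("block", "in"),                                # block drop in all (trailing)
]
# Fix 1: mark the inbound pass rules quick. Fix 2: drop the trailing block.
WITH_QUICK = [replace(r, quick=True) if (r.action, r.direction) == ("pass", "in") else r
              for r in LOADED]
NO_TRAILING_BLOCK = LOADED[:-1]

# Constructed sample packets (first packet of a connection only).
HTTP_IN = {"direction": "in", "proto": "tcp", "dst": WWW, "port": 80}
TELNET_IN = {"direction": "in", "proto": "tcp", "dst": WWW, "port": 23}

if __name__ == "__main__":
    for name, rs in (("loaded", LOADED), ("quick", WITH_QUICK),
                     ("no trailing block", NO_TRAILING_BLOCK)):
        print(f"{name:18} http={evaluate(rs, HTTP_IN)} telnet={evaluate(rs, TELNET_IN)}")
```

In both corrected variants the unlisted port stays blocked; only the index of the deciding rule changes, which is what a "log" keyword on the block rules would reveal on pflog0.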
 