Hi all,
I recently created three FreeBSD jails (10.1) for webserver (Nginx/PHP), database server (MariaDB/PostgreSQL), and appserver (Tomcat) (192.168.1.101 to 104).
The host runs VDR (TV) and Kodi (10.0.0.193).
Everything's working as expected except that I am not able to route from the webserver to the host for VDR, which runs on port 8008.
If I remove the
Code:
block all
part on pf.conf everything works fine, but I don't think it is safe to do so.
Please help.
Thanks,
My pf.conf:
Code:
# interfaces and host address
int_if="bge0"
serverip="10.0.0.193"
set block-policy drop
jail_if="lo1"
# jail addresses (aliases on the jail interface)
IP_JAIL_ESCIXWEB="192.168.1.101"
IP_JAIL_MYAPPJAIL="192.168.1.104"
IP_JAIL_MYDATAJAIL="192.168.1.103"
NET_JAIL="192.168.1.0/24"
# service ports
PORT_WWW="{80,443,9000}"
PORT_MYSQL="{3306,5432}"
PORT_OPENKM="{8484}"
PORT_VDR="{8008,3000}"
PORT_PRINT="{631}"
set skip on lo0
### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $int_if all fragment reassemble
# outbound NAT for the jail network; redirect of the web ports to the web jail
nat pass on $int_if from $NET_JAIL to any -> $serverip
rdr pass on $int_if proto tcp from any to $serverip port $PORT_WWW -> $IP_JAIL_ESCIXWEB
# default deny for all inbound traffic; every dropped packet is logged to pflog0
block in log all
# traffic between the jails on the jail interface
pass in quick on $jail_if proto tcp to $IP_JAIL_ESCIXWEB port $PORT_WWW
pass in quick on $jail_if proto tcp from $IP_JAIL_ESCIXWEB to $IP_JAIL_MYAPPJAIL port $PORT_OPENKM
pass in quick on $jail_if proto tcp from $IP_JAIL_ESCIXWEB to $IP_JAIL_MYDATAJAIL port $PORT_MYSQL
pass in quick on $jail_if proto tcp from $IP_JAIL_MYAPPJAIL to $IP_JAIL_MYDATAJAIL port $PORT_MYSQL
pass in quick on $jail_if proto tcp from $IP_JAIL_MYDATAJAIL port $PORT_MYSQL to $IP_JAIL_MYAPPJAIL
# printing (CUPS) on the external interface
pass on $int_if inet proto tcp from any to $serverip port $PORT_PRINT
# VDR: matches packets from the host with source port $PORT_VDR going to the web jail
pass on $jail_if inet proto tcp from $serverip port $PORT_VDR to $IP_JAIL_ESCIXWEB
# ssh on a non-standard port
pass on $int_if inet proto tcp from any to $serverip port {1275}
### setup a table and ruleset that prevents excessive abuse by hosts
### that attempt to brute force the ssh daemon with repeated requests.
### any host that hammers more than 3 connections in 5 seconds gets
### all their packet states killed and dropped into a blackhole table.
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $int_if proto tcp to $serverip port 1275 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
# Default UDP policy
pass in quick on $int_if proto UDP from 10.0.0.0/24 to any port {34890,631,1900} keep state
# emerging threats list
# create empty table in memory
table <emerging-block-ips> persist
# in filter section block all ip in <et_block_ip>
block in log quick on $int_if from <emerging-block-ips>
# naxsi config 127.0.0.1:4242
# pass in quick on $int_if proto TCP from any to any port 4242
# everything leaving the host or the jails is allowed
pass out quick on {$jail_if,$int_if} all
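One way to find out which rule is actually dropping the jail-to-host packets, rather than removing the block rule, as an added example that is not part of the original post: because the ruleset uses `block in log all`, every dropped packet goes to pflog0, and `tcpdump -n -e -ttt -i pflog0` prints the rule number, direction and interface for each one. The sh/awk script below parses such lines; the sample log lines, the rule number 3 and the interface names in them are constructed assumptions, not values taken from the poster's system.

```shell
#!/bin/sh
# Added example (not from the original post): summarise blocked flows from the
# output of `tcpdump -n -e -ttt -i pflog0`. On a live system replace the sample
# with:  tcpdump -n -e -ttt -i pflog0 | blocked_flows 8008

# Constructed sample lines in tcpdump's pflog format (assumption: rule 3 is
# the "block in log all" rule; interface and port values are made up).
SAMPLE_PFLOG='00:00:00.000000 rule 3/0(match): block in on lo1: 192.168.1.101.43210 > 10.0.0.193.8008: Flags [S], seq 1, win 65535, length 0
00:00:00.000113 rule 3/0(match): block in on bge0: 10.0.0.50.51000 > 10.0.0.193.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000221 rule 12/0(match): pass in on bge0: 10.0.0.50.51001 > 10.0.0.193.1275: Flags [S], seq 1, win 65535, length 0
00:00:00.000330 rule 3/0(match): block in on lo1: 192.168.1.101.43211 > 10.0.0.193.8008: Flags [S], seq 2, win 65535, length 0'

# blocked_flows [dport]: read pflog lines on stdin and print one line per
# distinct blocked flow: "<rule> <dir> <iface> <src-host> <dst-host> <dport>".
# With a port argument only flows to that destination port are shown.
blocked_flows() {
    awk -v want="$1" '
        {
            # locate the "rule" token so the line works with or without a timestamp
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            if (i > NF || $(i + 2) != "block") next
            rule = $(i + 1); sub(/\(match\):$/, "", rule)   # "3/0(match):" -> "3/0"
            dir = $(i + 3)
            iface = $(i + 5); sub(/:$/, "", iface)            # "lo1:" -> "lo1"
            src = $(i + 6)
            dst = $(i + 8); sub(/:$/, "", dst)
            # tcpdump writes host.port; split the trailing port off both ends
            n = split(src, s, "."); shost = substr(src, 1, length(src) - length(s[n]) - 1)
            n = split(dst, d, "."); dport = d[n]
            dhost = substr(dst, 1, length(dst) - length(dport) - 1)
            if (want == "" || dport == want)
                print rule, dir, iface, shost, dhost, dport
        }' | sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | blocked_flows 8008
```

The rule number in the output is the `@N` index that `pfctl -vvsr` prints in front of each loaded rule, so the dropping rule (and the interface the packet arrived on) can be identified and a narrow `pass in` rule for just that flow placed ahead of it, keeping the default deny in place.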