Hi,
I just finished installing a new webserver on FreeBSD 11 using sysutils/cbsd.
I have 1 public IP so in order to serve all my jails, I use pf and a reverse web proxy server.
I have 3 jails:
- dbjail (database/mariadb101-server)
- reverse proxy jail (www/hiawatha)
- webjail (www/hiawatha)
The webjail can connect to the MySQL jail - no problem.
The reverse proxy redirects all http (port 80) correctly to the webjail, but https doesn't hit the webjail for some reason.
When I run
telnet 208.95.xx.xx 443
from my home computer, I get the following response, which suggests that port 443 is open:
Code:
Trying 208.95.xx.xx...
Connected to 208-95-xx-xx.datacenter.net.
Escape character is '^]'.
^]
telnet>
If I run
telnet 10.4.20.12 443
from the FreeBSD host, I get:
Code:
Trying 10.4.20.12...
Connected to 10.4.20.12.
Escape character is '^]'.
Connection closed by foreign host.
Could someone please help me see if my /etc/pf.conf rules are correct?
Code:
### Interfaces ###
ExtIf = "xn0"
JailIf = "lo0"
### Hosts ###
WebProxy = "10.4.20.11"
### Services ###
webservices = "{80, 443, 8080, 8443}"
netbios_tcp = "{135, 139, 445}"
netbios_udp = "{135, 139, 445}"
IPv4_icmp_types="echoreq"
### Tables ###
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
    169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
    0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}
### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ExtIf all fragment reassemble
#nat on $ExtIf from $JailIf:network to any -> ($ExtIf)
nat on $ExtIf from 10.4.20.0/24 to any -> ($ExtIf)
# Hiawatha
# --- redirect http traffic to the internal web proxy server ---
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ExtIf port http -> $WebProxy port http
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ExtIf port https -> $WebProxy port https
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ExtIf port 8443 -> $WebProxy port 8443
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ExtIf port 8080 -> $WebProxy port 8080
### set a default deny everything policy.
block log all
### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo
antispoof for $ExtIf inet
### get rid quickly of Internet noise like the Microsoft NetBIOS service.
### This accounts for 80% of dropped traffic. We don't need to log this either.
block in quick on $ExtIf proto tcp from any to any port $netbios_tcp
block in quick on $ExtIf proto udp from any to any port $netbios_udp
### Quick blocks
block drop in log quick on $ExtIf from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKNETS> to any
### $ExtIf inbound
# --- pass icmp echo
pass in log on $ExtIf inet proto icmp all icmp-type $IPv4_icmp_types
# --- pass incoming http/https traffic --
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxy port $webservices
# --- pass incoming ssh traffic --
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $ExtIf port 222
### $ExtIf outbound
pass out log on $ExtIf inet proto { tcp, udp, icmp } from any to any modulate state
Is there any other security feature in FreeBSD 11 that I missed that could create such a problem?
Thank you all in advance
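An added check, not from the post and not a pf tool: pf evaluates filter rules against the packet after rdr translation, so every port an rdr sends to $WebProxy must also be admitted by a pass in rule for that internal address, or the connection falls through to block log all. The script below cross-checks the two rule sets; it assumes a constructed excerpt of the quoted pf.conf and a hand-coded http/https service map standing in for /etc/services, and on the quoted rules it reports nothing missing.

```python
import re

# Constructed excerpt of the pf.conf quoted in the post: only the macros,
# the rdr rules and the pass rule that the check needs.
PF_CONF = """\
ExtIf = "xn0"
WebProxy = "10.4.20.11"
webservices = "{80, 443, 8080, 8443}"
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ExtIf port http -> $WebProxy port http
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ExtIf port https -> $WebProxy port https
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ExtIf port 8443 -> $WebProxy port 8443
rdr on $ExtIf inet proto tcp from !($ExtIf) to $ExtIf port 8080 -> $WebProxy port 8080
block log all
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxy port $webservices
"""

# Hand-coded subset of /etc/services (assumption: only the names the excerpt uses).
SERVICE_PORTS = {"http": 80, "https": 443}

def expand_macros(conf):
    """Substitute $NAME macros into the rule lines, as pfctl does before parsing."""
    macros = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', conf, re.M))
    rules = [l.strip() for l in conf.splitlines()
             if l.strip() and not l.lstrip().startswith("#")
             and not re.match(r'^\s*\w+\s*=', l)]
    return [re.sub(r'\$(\w+)', lambda m: macros[m.group(1)], r) for r in rules]

def port_set(spec):
    """'{80, 443}' -> {80, 443}; 'https' -> {443}. Unknown service names raise."""
    return {SERVICE_PORTS.get(p) or int(p) for p in re.findall(r'\w+', spec)}

def unfiltered_redirects(conf):
    """(host, port) pairs an rdr sends inward that no 'pass in' rule admits.
    pf filters the *translated* packet, so a redirect to $WebProxy:443 needs a
    pass rule naming 10.4.20.11 and 443, or it falls through to 'block log all'."""
    rules = expand_macros(conf)
    redirected, admitted = set(), set()
    for r in rules:
        m = re.match(r'rdr .* -> (\S+) port (\S+)$', r)
        if m:
            redirected.update((m.group(1), p) for p in port_set(m.group(2)))
        m = re.match(r'pass in .* to (\S+) port (\{[^}]*\}|\S+)', r)
        if m:
            admitted.update((m.group(1), p) for p in port_set(m.group(2)))
    return sorted(redirected - admitted)

if __name__ == "__main__":
    print("redirected but not passed:", unfiltered_redirects(PF_CONF))
```

Removing 443 from the webservices macro makes the check report ("10.4.20.11", 443), which is the failure mode the rdr/pass split silently produces.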