Hello.
I will move my small production server from 13.2 to 14, and from ezjail to bastille. I decided to reproduce my settings on a Raspberry Pi, connected to the ISP modem/router for a test, but I'm stuck with jails not accessing the internet. This modem is a mixed IPv4/IPv6 network and the IPv4 part is CGNAT. Jails are connected to the cloned interface lo1 with PF rules.
Host rc.conf is:
Code:
hostname="generic"
ifconfig_ue0="inet 192.168.1.7 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"
dnsmasq_enable="YES"
bastille_enable="YES"
sshd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
dumpdev="AUTO"
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"
pf_enable="YES"
pf.conf is:
Code:
ext_if="ue0"
ext_tcp_ports="{ 22 }"
ext_udp_ports="{ 0 }"
ext_udp6_ports="{ 0 }"
jail_server="192.168.1.10"
jail_tcp_services="{ 0 }"
jail_udp_services="{ 0 }"
#====== OPTIONS === https://www.openbsd.org/faq/pf/options.html
set block-policy drop
set loginterface $ext_if
set optimization normal
set ruleset-optimization basic
set skip on lo0
set skip on lo1
set skip on bastille0
set state-policy if-bound
scrub in all
#====== OPTIONS =======================
nat on $ext_if from $jail_server to any -> $ext_if
#======== PORT FORWARDING ==============
rdr pass on $ext_if proto tcp from any to any port $jail_tcp_services -> $jail_server
rdr pass on $ext_if proto udp from any to any port $jail_udp_services -> $jail_server
#======== PORT FORWARDING ==============
block all
### Block all IPv6
block in quick inet6 all
block out quick inet6 all
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type 8 code 0 keep state
pass in on $ext_if proto tcp to ($ext_if) port $ext_tcp_ports
pass in on $ext_if proto udp to ($ext_if) port $ext_udp_ports
pass in on $ext_if inet6 proto udp to ($ext_if) port $ext_udp6_ports
pass out on $ext_if keep state queue normal
pass in on $ext_if inet6 proto icmp6 to ($ext_if) icmp6-type { 128, 129, 135, 136 }
The "Block all IPv6" is intentional; it's the same thing I have in the production server. On the other hand, trying settings like 'ipv6_activate_all_interfaces="NO"' and/or 'ip6addrctl_enable="NO"' and/or 'ipv6_enable="NO"' on this host has absolutely no (visible) effect on the outputs or the final result.
Host ifconfig output is:
Code:
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ue0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
	options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
	ether b8:27:eb:e7:24:3c
	inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bastille0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 192.168.1.10 netmask 0xffffffff
	inet6 fe80::1%bastille0 prefixlen 64 scopeid 0x3
	groups: lo
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Host 'netstat -r' output is:
Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         ue0
localhost          link#1             UH          lo0
192.168.1.0/24     link#2             U           ue0
192.168.1.7        link#1             UHS         lo0
192.168.1.10       link#3             UH     bastille

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              link#1             URS         lo0
localhost          link#1             UHS         lo0
::ffff:0.0.0.0/96  link#1             URS         lo0
fe80::%lo0/10      link#1             URS         lo0
fe80::%lo0/64      link#1             U           lo0
fe80::1%lo0        link#1             UHS         lo0
fe80::%bastille0/6 link#3             U      bastille
fe80::1%lo0        link#1             UHS         lo0
ff02::/16          link#1             URS         lo0
Jail jail.conf is:
Code:
mm2 {
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/mm2_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = mm2;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/mm2/fstab;
  path = /usr/local/bastille/jails/mm2/root;
  securelevel = 2;
  interface = bastille0;
  ip4.addr = 192.168.1.10;
  ip6 = disable;
  allow.raw_sockets = 1;
}
Inside the jail I added 'defaultrouter="192.168.1.7"' to rc.conf, and resolv.conf contains only 'nameserver 192.168.1.7'.
Before this current setup, I tested connecting the jail directly to the ue0 interface with the IP '192.168.1.14' and it worked. I bootstrapped pkg and installed lynx this way.
But at this point (the current setup) I can ping internet sites and IPs from the jail, but stuff like installing packages with pkg and lynx doesn't work.
ifconfig output from the jail is:
Code:
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	groups: lo
ue0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
	options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
	ether b8:27:eb:e7:24:3c
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
bastille0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 192.168.1.10 netmask 0xffffffff
	groups: lo
What I cannot understand now is that after lynx tries to connect to google.com it exits with the message:
Code:
Looking up google.com first
Looking up google.com
Making HTTP connection to google.com
socket failed: family 28 addr 2800:3f0:4004:80b::200e port 80.
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://google.com/
It tries to use an IPv6 address, but I have 'ip6 = disable;' in jail.conf.
If I try lynx on a site I know is IPv4 only, the lynx output is like:
Code:
Looking up minasambiente.com.br first
Looking up minasambiente.com.br
Making HTTP connection to minasambiente.com.br
Alert!: Unable to connect to remote host.
lynx: Can't access startfile http://minasambiente.com.br/
I started tcpdump on the host while trying google.com in the jail with 'tcpdump -v -f "not host 192.168.1.2 and not arp and not llc and not udp" -i ue0', and the output is as follows; it keeps repeating in a loop until lynx gives up:
Code:
08:17:08.296820 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.54058 > 142.250.78.238.http: Flags [S], cksum 0x2beb (correct), seq 2071022972, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3289324550 ecr 0], length 0
08:17:08.319169 IP (tos 0x0, ttl 118, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    142.250.78.238.http > 192.168.1.7.54058: Flags [S.], cksum 0x1592 (correct), seq 2353302014, ack 2071022973, win 65535, options [mss 1412,sackOK,TS val 1551672246 ecr 3289324550,nop,wscale 8], length 0
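The capture above is the most useful evidence in the post: on the outside interface the NAT'd SYN leaves and the SYN-ACK comes back, but the same SYN is then retransmitted, which means the SYN-ACK is not reaching the jail after un-NAT (ping "works" because a single echo reply is all it needs, while TCP needs the third leg of the handshake). The following script is an added example, not part of the original post or of Bastille, that reads `tcpdump -v` output in this shape, groups segments into flows, and reports at which step each handshake stops. The capture text embedded in it is constructed from the post's two lines plus a repeated SYN/SYN-ACK pair and a separate, healthy flow for contrast; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the post's `tcpdump -v -i ue0` output:
# the same SYN / SYN-ACK pair repeating with no ACK from the client, plus a
# second (constructed) flow whose handshake completes normally.
SAMPLE_CAPTURE = """\
08:17:08.296820 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.54058 > 142.250.78.238.http: Flags [S], seq 2071022972, win 65535, length 0
08:17:08.319169 IP (tos 0x0, ttl 118, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    142.250.78.238.http > 192.168.1.7.54058: Flags [S.], seq 2353302014, ack 2071022973, win 65535, length 0
08:17:11.300120 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.54058 > 142.250.78.238.http: Flags [S], seq 2071022972, win 65535, length 0
08:17:11.322450 IP (tos 0x0, ttl 118, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    142.250.78.238.http > 192.168.1.7.54058: Flags [S.], seq 2353302014, ack 2071022973, win 65535, length 0
08:17:12.000000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.60000 > 203.0.113.5.http: Flags [S], seq 1000, win 65535, length 0
08:17:12.010000 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.5.http > 192.168.1.7.60000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
08:17:12.011000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.7.60000 > 203.0.113.5.http: Flags [.], ack 1, win 1026, length 0
"""

# Matches the flow line that `-v` prints after each IP header line. The
# header line carries no endpoint information, so it simply fails to match.
FLOW_RE = re.compile(
    r"^\s*(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\S+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_segments(capture):
    """Yield (src, sport, dst, dport, flags) for every TCP flow line."""
    for line in capture.splitlines():
        m = FLOW_RE.match(line)
        if m:
            yield m["src"], m["sport"], m["dst"], m["dport"], m["flags"]


def diagnose_handshakes(capture):
    """Group segments by (client, cport, server, sport) and say where each handshake stops.

    The client is whoever sent a bare SYN. Counters track SYNs (retransmissions
    show up as syn > 1), SYN-ACKs, and ACK-bearing segments sent by the client.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for src, sport, dst, dport, flags in parse_segments(capture):
        if flags == "S":                          # client -> server SYN
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif flags == "S.":                       # server -> client SYN-ACK
            flows[(dst, dport, src, sport)]["synack"] += 1
        elif "." in flags and "R" not in flags:   # ACK, PSH-ACK, FIN-ACK ...
            if (src, sport, dst, dport) in flows:  # only count the client's side
                flows[(src, sport, dst, dport)]["ack"] += 1

    for counters in flows.values():
        if counters["synack"] == 0:
            counters["verdict"] = "no SYN-ACK: outbound blocked or server unreachable"
        elif counters["ack"] == 0:
            counters["verdict"] = "SYN-ACK seen but client never ACKs: return path to client broken"
        else:
            counters["verdict"] = "handshake completed"
    return dict(flows)


if __name__ == "__main__":
    for (client, cport, server, sport), c in diagnose_handshakes(SAMPLE_CAPTURE).items():
        print(f"{client}:{cport} -> {server}:{sport}  syn={c['syn']} synack={c['synack']} "
              f"ack={c['ack']}  {c['verdict']}")
```

Feed it a real capture with `tcpdump -v -n -i ue0 'tcp port 80' | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; a flow reported as "return path to client broken" on ue0 while the same capture on bastille0 shows no SYN-ACK at all narrows the problem to the un-NAT or routing step between the two interfaces.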
When I stop the jail I get: 'rdr-anchor not found in pf.conf'.
But trying exactly the pf.conf example suggested in the Bastille docs, it's the same thing: I can ping sites but never get the content.
I tried what I could with PF changes and host and jail rc.conf changes, but nothing.
Any clues for this?
Thanks!