Cannot get bastille jails to access the internet (Raspberry Pi, FreeBSD 14.0)

Hello.
I will move my small production server from 13.2 to 14, and from ezjail to bastille. I decided to reproduce my settings on a Raspberry Pi connected to the ISP modem/router for a test, but I'm stuck with the jails not accessing the internet. This modem is a mixed IPv4/IPv6 network and the IPv4 part is behind CGNAT. The jails are connected to the cloned interface lo1, with PF rules.

Host rc.conf is:

Code:
hostname="generic"
ifconfig_ue0="inet 192.168.1.7 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
gateway_enable="YES"
dnsmasq_enable="YES"
bastille_enable="YES"

sshd_enable="YES"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
growfs_enable="YES"
dumpdev="AUTO"
cloned_interfaces="lo1"
ifconfig_lo1_name="bastille0"
pf_enable="YES"

pf.conf is:

Code:
ext_if="ue0"
ext_tcp_ports="{ 22 }"
ext_udp_ports="{ 0 }"
ext_udp6_ports="{ 0 }"

jail_server="192.168.1.10"
jail_tcp_services="{ 0 }"
jail_udp_services="{ 0 }"

#====== OPTIONS === https://www.openbsd.org/faq/pf/options.html
set block-policy drop
set loginterface $ext_if
set optimization normal
set ruleset-optimization basic
set skip on lo0
set skip on lo1
set skip on bastille0
set state-policy if-bound
scrub in all
#====== OPTIONS =======================

nat on $ext_if from $jail_server to any -> $ext_if


#======== PORT FORWARDING ==============
rdr pass on $ext_if proto tcp from any to any port $jail_tcp_services -> $jail_server
rdr pass on $ext_if proto udp from any to any port $jail_udp_services -> $jail_server
#======== PORT FORWARDING ==============

block all

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

pass in on $ext_if inet proto icmp to ($ext_if) icmp-type 8 code 0 keep state
pass in on $ext_if proto tcp to ($ext_if) port $ext_tcp_ports
pass in on $ext_if proto udp to ($ext_if) port $ext_udp_ports
pass in on $ext_if inet6 proto udp to ($ext_if) port $ext_udp6_ports
pass out on $ext_if keep state queue normal
pass in on $ext_if inet6 proto icmp6 to ($ext_if) icmp6-type { 128, 129, 135, 136 }

The "Block all IPv6" is intentional; it's the same thing I have in the production server. On the other hand, trying settings like 'ipv6_activate_all_interfaces="NO"' and/or 'ip6addrctl_enable="NO"' and/or 'ipv6_enable="NO"' on this host has absolutely no (visible) effect on the outputs or the final result.

Host ifconfig output is:

Code:
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ue0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
        ether b8:27:eb:e7:24:3c
        inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bastille0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.1.10 netmask 0xffffffff
        inet6 fe80::1%bastille0 prefixlen 64 scopeid 0x3
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Host 'netstat -r' output is:

Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         ue0
localhost          link#1             UH          lo0
192.168.1.0/24     link#2             U           ue0
192.168.1.7        link#1             UHS         lo0
192.168.1.10       link#3             UH     bastille

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              link#1             URS         lo0
localhost          link#1             UHS         lo0
::ffff:0.0.0.0/96  link#1             URS         lo0
fe80::%lo0/10      link#1             URS         lo0
fe80::%lo0/64      link#1             U           lo0
fe80::1%lo0        link#1             UHS         lo0
fe80::%bastille0/6 link#3             U      bastille
fe80::1%lo0        link#1             UHS         lo0
ff02::/16          link#1             URS         lo0

Jail jail.conf is

Code:
mm2 {
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/mm2_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = mm2;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/mm2/fstab;
  path = /usr/local/bastille/jails/mm2/root;
  securelevel = 2;

  interface = bastille0;
  ip4.addr = 192.168.1.10;
  ip6 = disable;
  allow.raw_sockets = 1;
}

Inside the jail I added 'defaultrouter="192.168.1.7"' to rc.conf, and resolv.conf is only 'nameserver 192.168.1.7'.

Prior to this current setup, I tested connecting the jail directly to the ue0 interface with the IP '192.168.1.14' and it works. I bootstrapped pkg and installed lynx this way.

But with the current setup I can ping internet sites and IPs from the jail, but things like installing packages with pkg and using lynx don't work.

ifconfig output from the jail is:

Code:
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
ue0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
        ether b8:27:eb:e7:24:3c
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
bastille0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.1.10 netmask 0xffffffff
        groups: lo

What I cannot understand now is that after lynx tries to connect to google.com it exits with the message:

Code:
Looking up google.com first
Looking up google.com
Making HTTP connection to google.com
socket failed: family 28 addr 2800:3f0:4004:80b::200e port 80.
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://google.com/

It tries using an IPv6 address. But I have 'ip6 = disable;' in jail.conf.
If I try lynx on a site I know is IPv4 only, the lynx output is like:

Code:
Looking up minasambiente.com.br first
Looking up minasambiente.com.br
Making HTTP connection to minasambiente.com.br
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://minasambiente.com.br/

I started tcpdump on the host while trying google.com in the jail with 'tcpdump -v -f "not host 192.168.1.2 and not arp and not llc and not udp" -i ue0', and this is the output; it keeps repeating in a loop until lynx gives up:

Code:
08:17:08.296820 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.54058 > 142.250.78.238.http: Flags [S], cksum 0x2beb (correct), seq 2071022972, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3289324550 ecr 0], length 0
08:17:08.319169 IP (tos 0x0, ttl 118, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    142.250.78.238.http > 192.168.1.7.54058: Flags [S.], cksum 0x1592 (correct), seq 2353302014, ack 2071022973, win 65535, options [mss 1412,sackOK,TS val 1551672246 ecr 3289324550,nop,wscale 8], length 0

When I stop the jail I get: 'rdr-anchor not found in pf.conf'
But trying exactly the pf.conf example suggested in the Bastille docs, it's the same thing: I can ping sites but never get the content.

I tried what I could with PF changes and host and jail rc.conf changes, but nothing.
Any clues about this?
Thanks!
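The tcpdump excerpt in the post shows the same SYN and SYN-ACK pair repeating. As an added example that is not part of the original post, the following Python script parses `tcpdump -v` text output of that shape and classifies each TCP flow by how far its three-way handshake got at the capture interface, so that a handshake that stalls after the SYN-ACK (reply reached the gateway interface, but the client's ACK never appeared) can be told apart from one that never got a reply at all. The trace embedded in it is constructed: the two packets quoted in the post, repeated once as a retransmission, plus a made-up healthy flow to 93.184.216.34 for contrast. The hint strings are general statements about what each verdict means when capturing on the NAT interface, not a diagnosis of this particular setup.

```python
"""Classify TCP three-way handshakes in the text output of `tcpdump -v`.

Added example, not code from the forum post. It reads the two-line-per-packet
format that `tcpdump -v` prints (a timestamp/IP header line followed by an
indented TCP line) and reports, for every flow that started with a SYN, how far
the handshake got. SAMPLE_TRACE is constructed from the two packets in the post
plus made-up packets for contrast.
"""
import re

SAMPLE_TRACE = """\
08:17:08.296820 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.54058 > 142.250.78.238.http: Flags [S], cksum 0x2beb (correct), seq 2071022972, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3289324550 ecr 0], length 0
08:17:08.319169 IP (tos 0x0, ttl 118, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    142.250.78.238.http > 192.168.1.7.54058: Flags [S.], cksum 0x1592 (correct), seq 2353302014, ack 2071022973, win 65535, options [mss 1412,sackOK,TS val 1551672246 ecr 3289324550,nop,wscale 8], length 0
08:17:09.300000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.54058 > 142.250.78.238.http: Flags [S], cksum 0x2beb (correct), seq 2071022972, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 3289325550 ecr 0], length 0
08:17:09.322000 IP (tos 0x0, ttl 118, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    142.250.78.238.http > 192.168.1.7.54058: Flags [S.], cksum 0x1592 (correct), seq 2353302014, ack 2071022973, win 65535, options [mss 1412,sackOK,TS val 1551673246 ecr 3289325550,nop,wscale 8], length 0
08:17:10.000000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.7.40001 > 93.184.216.34.http: Flags [S], cksum 0x0000 (correct), seq 1, win 65535, options [mss 1460], length 0
08:17:10.010000 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    93.184.216.34.http > 192.168.1.7.40001: Flags [S.], cksum 0x0000 (correct), seq 100, ack 2, win 65535, options [mss 1460], length 0
08:17:10.011000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.7.40001 > 93.184.216.34.http: Flags [.], cksum 0x0000 (correct), ack 101, win 1026, length 0
"""

# Matches only the indented TCP line: "src.sport > dst.dport: Flags [..]".
# Ports may be numeric or service names (tcpdump prints "http" for port 80).
TCP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+): Flags \[([^\]]*)\]"
)

# General meaning of each verdict when the capture point is the NAT/gateway
# interface; these point at which path to inspect, they are not a diagnosis.
HINTS = {
    "no-synack": "SYN left but nothing came back: outbound NAT/route, or remote side unreachable",
    "stalled-after-synack": "SYN-ACK reached the capture interface but the client's ACK never appeared: "
                            "the reply is not getting back to the originating host/jail "
                            "(reverse translation, state matching, return route, or rules on the inner interface)",
    "reset": "peer or host answered with RST",
    "established": "handshake completed",
}


def parse_tcp_packets(trace):
    """Yield (src, sport, dst, dport, flags) tuples for each TCP packet line."""
    for line in trace.splitlines():
        m = TCP_LINE.match(line)
        if m:
            yield m.groups()


def classify_handshakes(trace):
    """Group packets into flows keyed by the SYN sender and classify each.

    Returns {"client:port > server:port": {"syn", "synack", "client_ack",
    "rst", "verdict", "hint"}}.
    """
    flows = {}
    for src, sport, dst, dport, flags in parse_tcp_packets(trace):
        fwd = (src, sport, dst, dport)   # client -> server direction
        rev = (dst, dport, src, sport)   # server -> client direction
        if flags.startswith("S") and "." not in flags:
            # A bare SYN (possibly with ECN bits) defines the flow and the client side.
            flows.setdefault(fwd, {"syn": 0, "synack": 0, "client_ack": 0, "rst": 0})["syn"] += 1
        elif rev in flows and flags.startswith("S"):
            flows[rev]["synack"] += 1    # "S." is the server's SYN-ACK
        elif "R" in flags and (fwd in flows or rev in flows):
            flows[fwd if fwd in flows else rev]["rst"] += 1
        elif fwd in flows and "S" not in flags:
            flows[fwd]["client_ack"] += 1  # any non-SYN segment from the client acks the SYN-ACK
    report = {}
    for key, counts in flows.items():
        if counts["rst"]:
            verdict = "reset"
        elif counts["client_ack"]:
            verdict = "established"
        elif counts["synack"]:
            verdict = "stalled-after-synack"
        else:
            verdict = "no-synack"
        report["%s:%s > %s:%s" % key] = dict(counts, verdict=verdict, hint=HINTS[verdict])
    return report


if __name__ == "__main__":
    for flow, info in classify_handshakes(SAMPLE_TRACE).items():
        print("%-45s syn=%d synack=%d ack=%d -> %s" % (
            flow, info["syn"], info["synack"], info["client_ack"], info["verdict"]))
        print("    " + info["hint"])
```

To use it on a real capture, run `tcpdump -v -n -i ue0 tcp` on the host, save the text, and pass it to `classify_handshakes()`; capturing on the inner interface at the same time shows whether the un-translated SYN-ACK ever reaches the jail side, which is the next question a stalled verdict raises.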