Since freebsd 7.2 I've been using a cloned loopback device lo1 with a subnet of 10.0.0.0/24 for jails. I use that device for a second ip for some machines, and for others with just one public ip, i use a nat rule with pf.
Now heres what i'm finding odd.....Why am i able to ssh into 10.0.0.1 from a LAN address (192.168.1.10) when the ip 10.0.0.1 is on my gateway but on the lo1 device. Shouldn't this device be invisible to the network at large?
Also, i have another machine on the network which ALSO uses this subnet on a lo1 device setup in the same way more or less, but it's not the gateway...i'm sure it has SOMETHING to do with the fact it's a gateway...or perhaps it's something to do with the NAT rules i had to set up to make the jails able to download ports....either way, i'm just currious.
heres my current firewall rules, go easy on me, i know they are prolly messed up..I plan to keep working on it, i know SOME is redundant and some is just plain WRONG.
Now heres what i'm finding odd.....Why am i able to ssh into 10.0.0.1 from a LAN address (192.168.1.10) when the ip 10.0.0.1 is on my gateway but on the lo1 device. Shouldn't this device be invisible to the network at large?
Also, i have another machine on the network which ALSO uses this subnet on a lo1 device setup in the same way more or less, but it's not the gateway...i'm sure it has SOMETHING to do with the fact it's a gateway...or perhaps it's something to do with the NAT rules i had to set up to make the jails able to download ports....either way, i'm just currious.
heres my current firewall rules, go easy on me, i know they are prolly messed up..I plan to keep working on it, i know SOME is redundant and some is just plain WRONG.
Code:
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if = "em1"
int_if = "em0"
wifi_if = "wlan0"
#protocol
icmp_types = "{ echoreq, unreach }"
#hosts
rtor = "192.168.1.18"
scp_j = "192.168.1.53"
Xbox360 = "192.168.1.22"
#ports
Xlive_tcp = "{ http, https, 3074 }"
Xlive_udp = "{ 88, 3074 }"
rtor_ports = "{http, https }"
#nets
lan_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# config
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy drop
set loginterface $ext_if
set skip on lo0
set skip on lo1
set optimization conservative
# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
scrub out all random-id
#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
#nat on egress from $Xbox360 to any tag EGRESS -> ($ext_if:0) static-port
nat on egress from (self) to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on egress from $int_if:network to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on $ext_if from $Xbox360 to any -> ($ext_if:0) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if from 10.0.0.0/24 to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port $rtor_ports -> $rtor
rdr on $ext_if proto tcp from any to ($ext_if) port 50022 -> $scp_j port ssh
rdr on $ext_if proto tcp from any to ($ext_if) port 10000:10040 -> $rtor
rdr on $int_if proto tcp from $lan_net to ($ext_if) port $rtor_ports -> $rtor
rdr on $ext_if inet proto udp from any to ($ext_if) port $Xlive_udp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto tcp from any to ($ext_if) port $Xlive_tcp tag XBOX360 -> $Xbox360
no nat on $int_if proto tcp from $int_if to $lan_net
nat on $int_if proto tcp from $lan_net to $rtor port $rtor_ports -> $int_if
no nat on $wifi_if proto tcp from $wifi_if to $lan_net
nat on $wifi_if proto tcp from $lan_net to $rtor port $rtor_ports -> $wifi_if
rdr on $int_if inet proto tcp from any to any port www -> 10.0.0.1 port 3128
rdr on $int_if inet proto tcp from any to any port 8080 -> 10.0.0.2 port www
#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block log all
block drop quick log on $ext_if from $priv_nets to any
anchor "ftp-proxy/*"
# anti spoofing
antispoof for { $int_if, $wifi_if, $ext_if }
pass log proto tcp from any to $rtor port $rtor_ports synproxy state
pass log proto tcp from any to $scp_j port ssh synproxy state
pass log proto tcp from any to $rtor port 10000:10040 synproxy state
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state tagged XBOX360
pass in log on $int_if inet proto udp from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp from $Xbox360 to any port $Xlive_tcp flags S/SAFR synproxy state
pass in log on $int_if inet proto tcp from $Xbox360 to any port $Xlive_tcp flags S/SAFR synproxy state
pass quick on $int_if keep state
pass quick on $wifi_if keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state
pass in on $int_if inet proto tcp from any to 10.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out from any to any keep state