PF Filtering Inbound Traffic to Jails using PF

I am running a public-facing system that has some services I want to expose from a jail. I am using Bastille as the jail manager and have that successfully working and everything is working great when I use "rdr pass." However, I want to be able to use blocklists in the filter and using the pass function prevents filtering from being applied. I have read the PF man pages, documentation, and much of these forums to find working examples I might be able to leverage into my pf.conf; while many of those appeared promising, I have not been able to get any to work in my instance. I am in the beginning stages of trying to migrate my infrastructure from Linux to FreeBSD so, needless to say, I am very green when it comes to FreeBSD and PF and am hoping I'm just missing something fundamentally basic. Any help would be much appreciated.

Here is my pf.conf file.

Code:
ext_if = "vtnet0"
jail_if = "bastille0"

shadowsocks = "172.16.10.100"

TCP_State = "flags S/SA keep state"
UDP_State = "keep state"

SSH_STO  = "(max 100, source-track rule, max-src-conn 2, max-src-nodes 100, max-src-conn-rate 5/3600, overload <bruteforce> flush global)"

table <jails> persist
table <bruteforce> persist
table <local_isp> { **redacted** }

set skip on lo
set debug urgent
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}

scrub in on $ext_if all fragment reassemble no-df max-mss 1440

nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr on $ext_if inet proto {tcp,udp} from <local_isp> to ($ext_if) port 8388 -> $shadowsocks port 8388
rdr-anchor "rdr/*"

antispoof quick for $ext_if inet

block quick from <bruteforce>

block drop in log on $ext_if
pass in quick on $ext_if inet proto {tcp,udp} from any to $shadowsocks port 8388 keep state
pass in on $ext_if inet proto icmp from <local_isp> to any keep state
pass in on $ext_if inet proto tcp from <local_isp> to any port ssh $TCP_State $SSH_STO

pass out keep state


 
Allow the incoming traffic on $ext_if from any to ($ext_if) port 8388

$shadowsocks IP is a private address and it's behind NAT, so there should be no rule that matches from $ext_if (Internet) directly to your private $shadowsocks IP address.
pass in quick on $ext_if inet proto {tcp,udp} from any to $shadowsocks port 8388 keep state

You can show the rules and the number of matched packets using:
pfctl -vvsr

Or you can use tcpdump and see the matched packets on the pflog0 interface
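As an added example that is not part of the thread, here is a small sh/awk helper for the "show the rules and the number of matched packets" step: it reads the output of pfctl -vvsr and lists the filter rules that were evaluated but never matched a packet, which is usually the rule to stare at when traffic that should be passed is not. The pfctl output embedded below is a constructed sample in the shape FreeBSD prints, with made-up counters and rule numbers; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the per-rule counters that
# "pfctl -vvsr" prints, so rules that are evaluated but never match stand out.
# Function and variable names are the example's own choice.

# Constructed sample in the shape FreeBSD's pfctl -vvsr prints (counters are made up).
SAMPLE_PFCTL_OUTPUT='@0 block drop quick from <bruteforce> to any
  [ Evaluations: 1500      Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@1 block drop in log on vtnet0 all
  [ Evaluations: 1500      Packets: 42        Bytes: 2520        States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@2 pass in quick on vtnet0 inet proto tcp from any to 172.16.10.100 port = 8388 flags S/SA keep state
  [ Evaluations: 42        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
@3 pass in on vtnet0 inet proto tcp from <local_isp> to any port = ssh flags S/SA keep state
  [ Evaluations: 42        Packets: 42        Bytes: 2520        States: 3     ]
  [ Inserted: uid 0 pid 1234 State Creations: 3     ]'

# Read pfctl -vvsr output on stdin; print "<evaluations> <packets> <states> <rule>"
# for every rule. The "@N rule" line is remembered until its counter line follows.
summarize_pf_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; next }
        /Evaluations:/ {
            evals = packets = states = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "Evaluations:") evals   = $(i + 1)
                if ($i == "Packets:")     packets = $(i + 1)
                if ($i == "States:")      states  = $(i + 1)
            }
            printf "%s %s %s %s\n", evals, packets, states, rule
        }
    '
}

# Rules that were evaluated at least once but never matched a packet:
# the first candidates when "the traffic should be passed but is not".
unmatched_pf_rules() {
    summarize_pf_rules | awk '$1 > 0 && $2 == 0 { sub(/^[^ ]+ [^ ]+ [^ ]+ /, ""); print }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | unmatched_pf_rules
```

On a live system, source the file and run `pfctl -vvsr | unmatched_pf_rules` as root; the same counter lines appear for translation rules under `pfctl -vvsn`, so the helper works on that output too and lets you confirm whether the rdr rule is matching before you look at the pass rule.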