Hi everyone.
My FreeBSD server (domain name: epopen.com) worked fine on ADSL (http/ssh/name/ftp inside jails), but fails after I moved to a new house and switched to a cable ISP....
Can you help me debug this? Please.
Server description:
HW:
..fxp0: for internal LAN, fixed IP: 192.168.0.254
..fxp1: for WAN, IP: DHCP, current IP: 123.194.237.215
SW:
..FreeBSD 9.1 i386 stable with some daemons...
..Daemon1: SSH server @ port 2222 on the host.
..Daemon2: SSH server @ IP: 10.0.0.4, port: 22 in jail1.
..Daemon3: BIND9 server @ IP: 10.0.0.1, port: 53 in jail2.
..1. All jails bind to lo1, IP: 10.0.0.254, netmask: 255.255.255.0, created by cloned_interfaces="lo1"
..2. For debugging, the additional http/ftp etc. have been removed...
Test machine: Windows Vista
..1. Ethernet connected to the FreeBSD server's fxp1, fixed IP: 192.168.0.1
..2. Wireless to the internet.
FreeBSD server's /etc/rc.conf
Code:
kern_securelevel="2"
kern_securelevel_enable="YES"
pf_enable="YES" # Set to YES to enable packet filter (pf)
pflog_enable="YES"
ifconfig_fxp1="DHCP polling"
ifconfig_fxp0="inet 192.168.0.254 netmask 255.255.255.0 polling"
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0" # Jail host
jail_enable="YES"
jail_list="sqld sshd" # Space separated list of names of jails
jail_interface="lo1" # Jail's NIC interface
jail_set_hostname_allow="NO" # Allow root user in a jail to change its hostname
jail_mount_enable="YES" # mount/umount jail's fs
jail_exec_start="/bin/sh /etc/rc.start" # command to execute in jail for starting
jail_exec_stop="/bin/sh /etc/rc.stop" # command to execute in jail for stopping
jail_devfs_enable="YES" # Devfs
jail_named_rootdir="/usr/jail/named" # Jail's root directory
jail_named_fstab="/etc/fstab.named" # fstab(5) for mount/umount
jail_named_hostname="dns.epopen.com" # Jail's hostname
jail_named_ip="10.0.0.1" # Jail's IP number
jail_sshd_rootdir="/usr/jail/sshd" # Jail's root directory
jail_sshd_fstab="/etc/fstab.sshd" # fstab(5) for mount/umount
jail_sshd_hostname="ssh.epopen.com" # Jail's hostname
jail_sshd_ip="10.0.0.4" # Jail's IP number
Before, I used an ADSL connection (ppp, interface=tun0), which worked with the following /etc/pf.conf:
Code:
ext_if="tun0"
int_if="fxp0"
jail_named_ip="10.0.0.1"
jail_sshd_ip="10.0.0.4"
jail_named_port="domain"
jail_sshd_port="ssh"
jail_ALL_port_tcp="{" $jail_named_port "}"
jail_ALL_port_udp="{" $jail_named_port "}"
priv_net_RFC1918 = " 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 "
priv_net_DUSA = " 0.0.0.0/8, 127.0.0.1/8, 169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/4, 240.0.0.0/4 "
ext_if_upstream_speed="5120Kb"
table <priv_net> const { $priv_net_RFC1918, $priv_net_DUSA }
table <jail_ip_tcp> const { $jail_named_ip }
table <jail_ip_udp> const { $jail_named_ip }
table <bruteforce> persist
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set skip on lo0
set skip on lo1
set optimization aggressive
set block-policy drop
set state-policy if-bound
set require-order yes
scrub in all fragment reassemble
altq on $ext_if hfsc bandwidth $ext_if_upstream_speed queue { ext_std, ext_inet_serv, ext_inet_sys }
queue ext_std bandwidth 5% hfsc(default)
queue ext_inet_serv bandwidth 80% priority 6 hfsc(linkshare 60%, red) { ext_http, ext_ftp }
queue ext_ftp bandwidth 20% priority 6 hfsc(linkshare 10%, red)
queue ext_http bandwidth 80% priority 7 hfsc(linkshare 60%, red)
queue ext_inet_sys bandwidth 15% priority 7 hfsc(realtime 15%) { ext_ssh, ext_domain, ext_tcpack }
queue ext_ssh bandwidth 20% priority 5 hfsc(realtime 20%, linkshare 10%)
queue ext_domain bandwidth 20% priority 6 hfsc(realtime 20%, linkshare 10%)
queue ext_tcpack bandwidth 60% priority 7 hfsc(realtime 60%)
rdr on $ext_if inet proto { udp, tcp } from any to ($ext_if) port { $jail_named_port } -> $jail_named_ip
rdr on $ext_if inet proto { tcp } from any to ($ext_if) port { $jail_sshd_port } -> $jail_sshd_ip
block all
block in quick on $ext_if from { <priv_net>, <realtimeBlockList>, <bruteforce>, <blockList-File>, <emerging-threats>, <jail_blockIP-Pool> } to any
block out quick on $ext_if from any to { <priv_net>, <realtimeBlockList>, <bruteforce>, <blockList-File>, <emerging-threats>, <jail_blockIP-Pool> }
pass quick on { $ext_if } proto pfsync
# UDP
pass out on $ext_if proto udp all keep state queue ext_std
pass out quick on $ext_if proto udp from any to any port domain keep state queue ext_domain
pass in quick on $ext_if proto udp from any to <jail_ip_udp> port $jail_ALL_port_udp keep state
# TCP
pass out quick on $ext_if proto tcp all flags S/SA modulate state queue (ext_std, ext_tcpack) # TCP ACK Highest priority
pass out quick on $ext_if proto tcp from any to any port { $jail_sshd_port } flags S/SA modulate state queue ext_ssh
pass out quick on $ext_if proto tcp from any to any port { $jail_named_port } flags S/SA modulate state queue ext_domain
# pass in certain TCP connections and keep state (SSH, SMTP, DNS, IDENT)
pass in quick on $ext_if proto tcp from any to <jail_ip_tcp> port $jail_ALL_port_tcp flags S/SAFR synproxy state
# SSH rule
pass in quick on $ext_if proto tcp from any to $jail_sshd_ip port { $jail_sshd_port } flags S/SAFR synproxy state (max-src-conn-rate 3/30, overload <bruteforce> flush global)
pass in quick proto tcp from any to any port { 2222 } flags S/SAFR synproxy state (max-src-conn-rate 3/30, overload <bruteforce> flush global)
After I moved to the new house and switched to the cable ISP, I modified:
Code:
ext_if="fxp1"
PF final rule result:
Code:
# pfctl -sr
scrub in all fragment reassemble
block drop all
block drop in quick on fxp1 from <priv_net> to any
block drop in quick on fxp1 from <realtimeBlockList> to any
block drop in quick on fxp1 from <bruteforce> to any
block drop in quick on fxp1 from <blockList-File> to any
block drop in quick on fxp1 from <emerging-threats> to any
block drop in quick on fxp1 from <jail_blockIP-Pool> to any
block drop out quick on fxp1 from any to <priv_net>
block drop out quick on fxp1 from any to <realtimeBlockList>
block drop out quick on fxp1 from any to <bruteforce>
block drop out quick on fxp1 from any to <blockList-File>
block drop out quick on fxp1 from any to <emerging-threats>
block drop out quick on fxp1 from any to <jail_blockIP-Pool>
pass quick on fxp1 proto pfsync all keep state (if-bound)
pass out on fxp1 proto udp all keep state (if-bound) queue ext_std
pass out quick on fxp1 proto udp from any to any port = domain keep state (if-bound) queue ext_domain
pass in quick on fxp1 proto udp from any to <jail_ip_udp> port = domain keep state (if-bound)
pass out quick on fxp1 proto tcp all flags S/SA modulate state (if-bound) queue(ext_std, ext_tcpack)
pass out quick on fxp1 proto tcp from any to any port = ssh flags S/SA modulate state (if-bound) queue ext_ssh
pass out quick on fxp1 proto tcp from any to any port = domain flags S/SA modulate state (if-bound) queue ext_domain
pass in quick on fxp1 proto tcp from any to <jail_ip_tcp> port = domain flags S/FSRA synproxy state (if-bound)
pass in quick on fxp1 inet proto tcp from any to 10.0.0.4 port = ssh flags S/FSRA synproxy state (source-track rule, max-src-conn-rate 3/30, overload <bruteforce> flush global, if-bound, src.track 30)
pass in quick proto tcp from any to any port = 2222 flags S/FSRA synproxy state (source-track rule, max-src-conn-rate 3/30, overload <bruteforce> flush global, if-bound, src.track 30)
And ifconfig ...
Code:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2049<RXCSUM,VLAN_MTU,POLLING,WOL_MAGIC>
ether 00:30:64:02:8a:48
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::230:64ff:fe02:8a48%fxp0 prefixlen 64 scopeid 0x2
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2049<RXCSUM,VLAN_MTU,POLLING,WOL_MAGIC>
ether 00:30:64:02:8a:49
inet 123.194.237.215 netmask 0xfffffc00 broadcast 255.255.255.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pfsync0: flags=0<> metric 0 mtu 1500
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
syncpeer: 0.0.0.0 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 10.0.0.254 netmask 0xffffff00
inet 10.0.0.5 netmask 0xffffffff
inet 10.0.0.4 netmask 0xffffffff
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
Continued in the NEXT post...
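Editor's added example (not part of the post above, and not the poster's code). Two things are easy to miss when reading the `pfctl -sr` output in the post: `-sr` lists only filter rules, so the `rdr` lines have to be checked separately with `pfctl -sn`, and pf applies translation before filtering, so the `pass in` rules for `10.0.0.4 port = ssh` and `<jail_ip_tcp> port = domain` only match once the destination has already been rewritten to the jail address. The script below models that with a small subset of pf semantics (top-to-bottom evaluation, last match wins, `quick` stops evaluation) over the inbound rules and table contents copied from the post; the helper names, the sample source addresses and the packets are constructed for this example and are assumptions, not output from the poster's machine.

```python
"""Model pf(4) filter evaluation for the inbound rules in the post above.

Added example, not part of the original post. It simulates a subset of pf
semantics: rules are checked top to bottom, the last matching rule wins
unless a matching rule says 'quick', which ends evaluation. rdr runs before
filtering, so filter rules see the rewritten destination. Rules and tables
come from the post; helper names and sample packets are constructed.
"""
import ipaddress

# Table contents resolved from the post's pf.conf.
TABLES = {
    "priv_net": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                 "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4"],
    "jail_ip_tcp": ["10.0.0.1"],
    "jail_ip_udp": ["10.0.0.1"],
}
SERVICES = {"ssh": 22, "domain": 53}
WAN_IP = "123.194.237.215"  # fxp1 address shown in the post

# Inbound rules from the post's 'pfctl -sr'; state/queue options are dropped
# because they do not decide which rule matches a fresh inbound packet.
RULES = [
    "block drop all",
    "block drop in quick on fxp1 from <priv_net> to any",
    "pass in quick on fxp1 proto udp from any to <jail_ip_udp> port = domain",
    "pass in quick on fxp1 proto tcp from any to <jail_ip_tcp> port = domain",
    "pass in quick on fxp1 inet proto tcp from any to 10.0.0.4 port = ssh",
    "pass in quick proto tcp from any to any port = 2222",
]


def parse_rule(text):
    """Parse the subset of pf rule syntax used in RULES into a dict."""
    t = text.split()
    rule = {"action": t[0], "dir": None, "quick": False, "iface": None,
            "proto": None, "src": "any", "dst": "any", "port": None}
    keys = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}
    i = 1
    while i < len(t):
        tok = t[i]
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok == "quick":
            rule["quick"] = True
        elif tok in keys:
            i += 1
            rule[keys[tok]] = t[i]
        elif tok == "port":
            i += 2  # skip the '=' operator
            rule["port"] = SERVICES.get(t[i]) or int(t[i])
        # 'drop', 'inet' and 'all' add no constraint in this subset
        i += 1
    return rule


def addr_match(spec, ip):
    """True if ip is covered by spec: 'any', a host/CIDR, or a <table>."""
    if spec == "any":
        return True
    nets = TABLES[spec.strip("<>")] if spec.startswith("<") else [spec]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rules, pkt):
    """Return (verdict, matching rule text) for one packet."""
    verdict = ("pass", None)  # pf passes when no rule matches at all
    for text in rules:
        r = parse_rule(text)
        if r["dir"] and r["dir"] != pkt["dir"]:
            continue
        if r["iface"] and r["iface"] != pkt["iface"]:
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if not (addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])):
            continue
        if r["port"] and r["port"] != pkt["dport"]:
            continue
        verdict = (r["action"], text)
        if r["quick"]:
            break
    return verdict


def packet(src, dst, dport, proto="tcp", iface="fxp1", direction="in"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto,
            "iface": iface, "dir": direction}


def demo():
    """Verdicts for constructed packets with and without rdr applied."""
    cases = {
        # Destination already rewritten by rdr to the jail address
        "ssh_after_rdr": packet("198.51.100.7", "10.0.0.4", 22),
        "dns_after_rdr": packet("198.51.100.7", "10.0.0.1", 53, proto="udp"),
        # rdr missing or not matching: destination is still the WAN address
        "ssh_without_rdr": packet("198.51.100.7", WAN_IP, 22),
        # Host sshd on 2222 is passed by the last rule, translation or not
        "host_ssh_2222": packet("198.51.100.7", WAN_IP, 2222),
        # Private source arriving on the WAN side hits the <priv_net> block
        "private_src_on_wan": packet("192.168.50.9", "10.0.0.4", 22),
    }
    return {name: evaluate(RULES, p)[0] for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The `ssh_without_rdr` case is the one worth comparing against the real box: if `pfctl -sn` shows no `rdr` line for `fxp1`, or `pfctl -vvsr` shows zero evaluations on the `10.0.0.4 port = ssh` rule while `block drop all` keeps counting, inbound SSH to the WAN address is ending up exactly where the model puts it. `tcpdump -nettti pflog0` on the server will show the blocked packets with their (translated or untranslated) destination.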