Hi all,
I have an issue with my PF rules and I would like to understand why this is happening and how to solve it. I have very basic knowledge of PF and this is kind of a learning curve for me.
I have a gitea server https://www.freshports.org/www/gitea/ running inside a jail in a VM. It works perfectly. Yet I decided to close all unnecessary ports and keep only the ones that I run services on, so I added
block all
to my /etc/pf.conf. I realized that since I added it I'm unable to push or fetch from the server and I am getting this error (git commands work only when I comment it out)
Code:
Gitea: Internal error
UpdatePublicKey: Post https://localhost:2000/api/internal/ssh/5/update: dial tcp 127.0.0.1:2000: connect: permission denied
To ssh://myremoteserver:10000/Base/libdstruct.git
! [remote rejected] v1.1.0-development -> v1.1.0-development (pre-receive hook declined)
error: failed to push some refs to 'ssh://git@myremoteserver:10000/Base/libdstruct.git'
every time I do, for example, a git pull.
A bit more details on my current setup:
- Gitea inside the jail runs under port 2000
- The jail ssh port is 10000 (so I can forward based on ports)
block all is on.
Code:
/home/code/libdstruct >ssh git@myremoteserver -p 10000
Enter passphrase for key '/home/code/.ssh/id_rsa':
PTY allocation request failed on channel 0
Hi there, You've successfully authenticated, but Gitea does not provide shell access.
If this is unexpected, please log in with password and setup Gitea under another user.
Connection to myremoteserver closed.
I would like some help to understand why block all is blocking the git functionality, although it comes (in order) after the rdr in the PF. Please find my pf.conf below:
Code:
#Define the interfaces
ext_if = "vtnet0"
int_if = "lo1"
jail_net = $int_if:network
table <badhosts> persist file "/etc/badips"
table <bruteforce> persist
table <sshguard> persist
#Define the IP address and the ports of jail
git_jail = "192.168.1.1"
git_jail_http_port = "2000"
git_ext_http_port = "{https}"
git_jail_ssh_port = "10000"
# don't filter on the loopback interface
set skip on lo0
# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $ext_if all fragment reassemble
# Redirect external https (443) traffic to the git jail's port 2000, and port 10000 to the jail's ssh port
# Note: a list of negated tables expands into one rule per entry, so a host is only
# excluded here if it is in all three tables; a single combined table avoids that.
rdr pass on $ext_if inet proto tcp from { !<badhosts>, !<bruteforce>, !<sshguard> } to any port $git_ext_http_port -> $git_jail port $git_jail_http_port
rdr pass on $ext_if inet proto tcp from { !<badhosts>, !<bruteforce>, !<sshguard> } to any port $git_jail_ssh_port -> $git_jail port $git_jail_ssh_port
antispoof for $ext_if
antispoof for $int_if
block all
block quick from <badhosts> to any
block drop in quick on $ext_if inet from <sshguard> to any
block quick from <bruteforce>
pass inet proto tcp from any to $ext_if port 5566 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 10/5, overload <bruteforce> flush global)
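As an added example (not code from the post), a small Python model of the PF semantics at work here: rdr rules are translation rules rather than filter rules, so "rdr pass" traffic never reaches "block all", while a filter decision is the last matching rule unless one is "quick". It assumes a classic (non-VNET) jail, in which the hook's connect() to 127.0.0.1:2000 is rewritten to the jail address 192.168.1.1 on lo1, an interface that "set skip on lo0" does not cover; the table-based block rules are left out because they do not affect these flows, and the candidate fix rule is an assumption to test, not something the post contains.

```python
# Added example, not code from the post: a small model of the PF semantics
# that decide the posted ruleset. Modelled: 'set skip' interfaces are not
# filtered, 'rdr pass' translates and bypasses the filter rules, and among
# the filter rules the LAST matching rule wins unless it is 'quick'.
# Assumption: a classic (non-VNET) jail, so a connect() to 127.0.0.1:2000
# inside it is rewritten to the jail address on lo1, which 'set skip on lo0'
# does not cover. A packet is modelled as (interface, destination port).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                      # "block" or "pass"
    iface: Optional[str] = None      # None matches any interface
    dst_port: Optional[int] = None   # None matches any port
    quick: bool = False

    def matches(self, iface: str, port: int) -> bool:
        return self.iface in (None, iface) and self.dst_port in (None, port)

def evaluate(skip, rdr, filters, iface, port) -> str:
    """skip: 'set skip' interfaces; rdr: {(iface, port): target} for the
    'rdr pass' rules; filters: filter rules in pf.conf order."""
    if iface in skip or (iface, port) in rdr:
        return "pass"                # unfiltered, or 'rdr pass' short-circuits
    verdict = "pass"                 # PF default when no rule matches
    for r in filters:
        if r.matches(iface, port):
            verdict = r.action       # a later match overrides an earlier one
            if r.quick:
                break                # ... unless the match is 'quick'
    return verdict

EXT, INT, JAIL = "vtnet0", "lo1", "192.168.1.1"
RDR = {(EXT, 443): (JAIL, 2000), (EXT, 10000): (JAIL, 10000)}
BLOCK_ALL = Rule("block")                            # block all
PASS_5566 = Rule("pass", iface=EXT, dst_port=5566)   # pass ... port 5566
POSTED = ({"lo0"}, RDR, [BLOCK_ALL, PASS_5566])
# Candidate fix (assumption): pass the jail's own traffic on $int_if before 'block all'.
FIXED = ({"lo0"}, RDR, [Rule("pass", iface=INT, quick=True), BLOCK_ALL, PASS_5566])

FLOWS = {"https from client": (EXT, 443),
         "ssh from client": (EXT, 10000),
         "gitea hook to localhost:2000": (INT, 2000)}  # 127.0.0.1 -> jail IP on lo1

def verdicts(ruleset) -> dict:
    return {name: evaluate(*ruleset, *pkt) for name, pkt in FLOWS.items()}
```

Running verdicts(POSTED) and verdicts(FIXED) shows the two redirected flows passing in both, and only the hook's loopback flow flipping from block to pass.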