How to manage a "nat/rdr" part of PF.

Hey,

I have a rule of PF:
Code:
IP_PUB="37.187.x.x"
IP_JAIL="192.168.0.1"
NET_JAIL="192.168.0.0/24"
PORT_JAIL="{80,31337,21}"

nat pass on em0 from $NET_JAIL to any -> $IP_PUB
rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL

block in all
pass on em0 proto tcp from any to any port 22
And I still can connect with the jail on ports 80, 31337, 21. Port 31337 is an ssh port. How can I manage ports and IPs when I redirected? I cloned "lo0" interface for the jail. My ifconfig:
Code:
em0: .............never mind .............

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.0.2 netmask 0xffffffff
        inet 192.168.0.3 netmask 0xffffffff
        inet 192.168.0.1 netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

Can someone tell me, for example, how to block port 31337 on lo0/lo1? I'd be very grateful.
 
bryn1u said:
Code:
rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
Because of the pass keyword, this rule also creates a pass rule to allow the traffic. The above line is the same as doing:
Code:
rdr on em0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL
pass in on em0 from any to $IP_JAIL port $PORT_JAIL
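The same ruleset with translation and filtering kept separate, as an added example (not bryn1u's or the original poster's configuration): rdr without "pass", so the filter rules decide which redirected ports are reachable. IP_PUB, IP_JAIL and NET_JAIL are taken from the original post (IP_PUB stays masked as posted); MGMT_HOST is an assumed placeholder for an admin address.

```pf
# Added example; not the poster's ruleset.
ext_if="em0"
IP_PUB="37.187.x.x"          # masked as in the original post; substitute the real address
IP_JAIL="192.168.0.1"
NET_JAIL="192.168.0.0/24"
MGMT_HOST="203.0.113.10"     # assumed placeholder: host allowed to reach the jail's ssh

set skip on lo0

# Translation only: no "pass" keyword, so nothing is allowed implicitly.
nat on $ext_if from $NET_JAIL to any -> $IP_PUB
rdr on $ext_if proto tcp from any to $IP_PUB port { 80, 21, 31337 } -> $IP_JAIL

block in all

# rdr is applied before the filter rules on inbound packets, so the pass rules
# must match the translated destination ($IP_JAIL), not $IP_PUB.
pass in on $ext_if proto tcp from any to $IP_JAIL port { 80, 21 }

# Jail ssh (31337) only from the management host; any other source falls
# through to "block in all".
pass in on $ext_if proto tcp from $MGMT_HOST to $IP_JAIL port 31337

# Host ssh on the public address (not redirected, so match $IP_PUB).
pass in on $ext_if proto tcp from any to $IP_PUB port 22
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr` afterwards shows the resulting filter rules and confirms no extra pass rule was generated by rdr.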
 