Hi guys,
I am scratching my head creating pf rules to redirect my external public IP to my jails' IPs.
I have been given 8 IP addresses of which 5 are usable: 96.205.75.242/29
Code:
96.205.75.242 255.255.255.248 Subnet Address
96.205.75.243 255.255.255.248 Default Gateway
96.205.75.244 255.255.255.248
96.205.75.245 255.255.255.248
96.205.75.246 255.255.255.248
96.205.75.247 255.255.255.248
96.205.75.248 255.255.255.248
96.205.75.249 255.255.255.248 Broadcast Address
I have used my first IP 96.205.75.244 to connect my Dell iDRAC remote access and set my network in my /etc/rc.conf file as follows:
Code:
hostname="FreeBSD.mydomain.co.uk"
ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"
ipv6_activate_all_interfaces="NO"
ifconfig_bce0="inet 96.205.75.245 netmask 255.255.255.248"
defaultrouter="96.205.75.243"
### Jail network interface aliases ###
cloned_interfaces="${cloned_interfaces} lo1"
ipv4_addrs_lo1="10.8.20.10-49/29"
As far as my jails are concerned, I use iocage and the jails have been created using
Code:
iocage create tag=webjail.mydomain.co.uk ip4_addr="lo1|10.8.20.10"
iocage create tag=mailjail.mydomain.co.uk ip4_addr="lo1|10.8.20.11"
Now I want to redirect my public IP 96.205.75.245 to my webjail IP 10.8.20.10.
How can I achieve this using pf?
As I NEVER managed to get this setup working, I have changed the IP address of my jail to
Code:
iocage set ip4_addr="bce0|96.205.75.245" <bignumber>
So my webjail has currently got my public IP 96.205.75.245.
Using the /etc/pf.conf rules below, I have a good working webserver, but this is not what I want as using OpenVPN is not easy with that setup.
/etc/pf.conf
Code:
################ Macros ###################################
### Interfaces ###
ExtIf = "bce0"
JailIf = "lo1"
### Hosts ###
#WebProxy = "10.8.20.10"
WebProxy = "96.205.75.245"
### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/UAPRSF synproxy state"
TcpState ="flags S/UAPRSF modulate state"
UdpState ="keep state"
### Stateful Tracking Options (STO) ###
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max 200, source-track rule, max-src-conn 10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO ="(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, max-src-conn-rate 100/30, overload <BLOCKTEMP> flush global)"
WebSTO ="(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"
### Tables ###
#table <spamd-white>
#table <BLACKLIST> persist persist "/etc/pf-files/blacklist.zone"
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters file "/etc/pf-files/fail2ban.pftable"
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
169.254.0.0/16, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}
################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}
################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub log on $ExtIf all reassemble tcp fragment reassemble
################ Translation #################################################
### NAT and Redirection rules are first match
# NAT all jail traffic
nat on $ExtIf from $JailIf:network to any -> ($ExtIf)
# Hiawatha web proxy server
rdr on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port https -> $WebProxy
rdr on $ExtIf inet proto tcp from !($ExtIf) to ($ExtIf) port http -> $WebProxy
# Anchors
nat-anchor "openvpn"
rdr-anchor "openvpn"
# DENY rogue redirection
#no rdr
################ Filtering ###################################################
# Rules are best (closest) match. Rules are optimized so external
# interface parsing is first followed by the internal interface.
### $ExtIf block abusive hosts in temp and blacklist tables
#block in quick on $ExtIf from <BLACKLIST> to any
block drop in log quick from { <BLOCKNETS> urpf-failed no-route } to any
block out quick on $ExtIf from any to { <BLOCKNETS> no-route }
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any port { 22 80 443 }
anchor "openvpn"
### $ExtIf default block with drop
block drop in log on $ExtIf
antispoof quick log for $ExtIf inet
block quick inet6
### $ExtIf inbound
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxy port https $TcpState $WebSTO
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxy port www $TcpState $WebSTO
pass in quick log on $ExtIf proto tcp from <TRUSTED> to $ExtIf port ssh $TcpState $SshSTO
### $ExtIf outbound
pass out log on $ExtIf inet proto tcp from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
pass out log on $ExtIf inet proto udp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
Thank you in advance
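As an added example (not part of the poster's ruleset), a minimal /etc/pf.conf fragment that does the redirect asked about while keeping the jail at 10.8.20.10 on lo1 and bce0 at 96.205.75.245 as in the rc.conf above; the <BLOCKTEMP> table name is taken from the posted config, the macro names are the example's own.

```pf
# Added example, not the poster's config: hand HTTP/HTTPS arriving for the
# public address 96.205.75.245 on bce0 to the webjail at 10.8.20.10 on lo1.
# Assumes rc.conf from the post (bce0 = 96.205.75.245, lo1 = 10.8.20.10-49/29)
# and the jail still created with ip4_addr="lo1|10.8.20.10".
ext_if   = "bce0"
web_pub  = "96.205.75.245"    # address clients connect to
web_jail = "10.8.20.10"       # jail address the connection is delivered to
jail_net = "10.8.20.0/29"     # lo1 alias range used by the jails

# Table referenced by the overload clause below; define it before use.
table <BLOCKTEMP> persist

# lo1 is a cloned loopback and is a member of the "lo" interface group, so
# this also skips lo1: host<->jail traffic is never filtered.
set skip on lo
set block-policy drop

# Outbound: jails leave with the host's public address (package updates,
# DNS, anything the web server fetches upstream).
nat on $ext_if from $jail_net to any -> ($ext_if)

# Inbound: rewrite the destination so the kernel delivers the packet to the
# jail's lo1 address. Translation rules must come before filter rules.
rdr on $ext_if inet proto tcp from any to $web_pub port { http, https } -> $web_jail

# Default deny on the external interface, logged for review.
block drop in log on $ext_if

# Filtering happens after translation, so the pass rule has to match the
# TRANSLATED destination (the jail IP), not the public address. Matching
# $web_pub here is the usual reason a redirect "never works".
pass in log on $ext_if inet proto tcp from any to $web_jail port { http, https } \
    flags S/SA keep state (max-src-conn 64, max-src-conn-rate 500/100, \
    overload <BLOCKTEMP> flush global)

# Host's own outbound traffic (reply packets are handled by state).
pass out on $ext_if inet from ($ext_if) to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s nat` / `pfctl -s rules` show what is actually active, so a rule out of order or a pass rule still written against the public address shows up before any traffic is sent.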