PF issue routing zerotier to jailed jellyfin

I'm trying to set up rules so I can access a few different jails from zerotier. I've already set up an ssh-x11 jail and the passthrough is working fine with:
Code:
rdr on $ext_zero proto tcp from any to $ext_zero port 8000 -> 10.1.1.3 port 22
where $ext_zero is the variable for the zerotier bridge.

However, trying to stream music with jellyfin with:
Code:
rdr on $ext_zero proto tcp from any to $ext_zero port 8096 -> 10.1.1.6 port 8096
I get consistent connection refused messages.

The full /etc/pf.conf for redirections:
Code:
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
rdr on $ext_zero proto tcp from any to $ext_zero port 8000 -> 10.1.1.3 port 22
rdr on $ext_zero proto tcp from any to $ext_zero port 8096 -> 10.1.1.6 port 8096
rdr on $ext_zero proto tcp from any to $ext_zero port 8920 -> 10.1.1.6 port 8920
rdr on $ext_zero proto udp from any to $ext_zero port 1900 -> 10.1.1.6 port 1900
rdr on $ext_zero proto udp from any to $ext_zero port 7359 -> 10.1.1.6 port 7359

Jellyfin is set to accept remote connections, with the whitelist left blank as per their instructions to allow all addresses. Why will ssh connect but not jellyfin?
 
Connection refused means the port is closed, in other words, there's no service running on that port. If the firewall was an issue you would get a connection timeout error.
That's the thing, I can connect and stream on re0 on the local LAN. Jellyfin is up and running when connected through 192.168.50.30:8096, but connections through the zerotier redirect in my pf.conf are not working.
 
The redirection only works for packets coming in on $ext_zero. Any other connection will just try to connect to 192.168.50.30 (where the service isn't running).
 
Sorry SirDice, I think I muddied the waters here. There are two interfaces, ext_if and ext_zero.

ext_if is re0, ext_zero is the zerotier interface. ext_if ip = 192.168.50.30, ext_zero ip = 10.144.117.48.

Bastille has an rdr placed in the jail to redirect connections incoming on 192.168.50.30:

Code:
rdr pass on re0 inet proto tcp from any to any port = 8096 -> 10.1.1.6 port 8096
rdr pass on re0 inet proto tcp from any to any port = 8920 -> 10.1.1.6 port 8920
rdr pass on re0 inet proto udp from any to any port = 1900 -> 10.1.1.6 port 1900
rdr pass on re0 inet proto udp from any to any port = 7359 -> 10.1.1.6 port 7359

Below this in the conf I have my additions for ext_zero on 10.144.117.48:
Code:
rdr on $ext_zero proto tcp from any to $ext_zero port 8000 -> 10.1.1.3 port 22
rdr on $ext_zero proto tcp from any to $ext_zero port 8096 -> 10.1.1.6 port 8096
rdr on $ext_zero proto tcp from any to $ext_zero port 8920 -> 10.1.1.6 port 8920
rdr on $ext_zero proto udp from any to $ext_zero port 1900 -> 10.1.1.6 port 1900
rdr on $ext_zero proto udp from any to $ext_zero port 7359 -> 10.1.1.6 port 7359

The re0 interface is working fine on redirects, but the zerotier interface is not redirecting to the jellyfin jail.
 
This is the whole pf.conf:
Code:
ext_if="re0"
ext_zero="zt66bl2i22mhp5d"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
rdr on $ext_zero proto tcp from any to $ext_zero port 8000 -> 10.1.1.3 port 22
rdr on $ext_zero proto tcp from any to $ext_zero port 8096 -> 10.1.1.6 port 8096
rdr on $ext_zero proto tcp from any to $ext_zero port 8920 -> 10.1.1.6 port 8920
rdr on $ext_zero proto udp from any to $ext_zero port 1900 -> 10.1.1.6 port 1900
rdr on $ext_zero proto udp from any to $ext_zero port 7359 -> 10.1.1.6 port 7359

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
pass in inet proto tcp from any to any port {445,137,138,139,10000} flags S/SA keep state
 
What is this zerotier interface you keep talking about?
I have the zerotier package installed and it creates an interface on ifconfig:
Code:
zt66bl2i22mhp5d: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 5000 mtu 2800
        options=80000<LINKSTATE>
        ether ae:92:dd:a4:c6:88
        hwaddr 58:9c:fc:10:ff:95
        inet 10.144.117.148 netmask 0xffff0000 broadcast 10.144.255.255
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        Opened by PID 79277

By default it can connect to ports on the local instance. For instance, ssh onto the server will work with a simple "ssh admin@10.144.117.148". It won't, however, follow Bastille's rdr pass redirections as they only listen on re0. I'm trying to add pass commands to pf so requests on "zt66bl2i22mhp5d" will redirect to the jails in question like they do on the local LAN (re0) interface.
 
Well I just figured it out, and as expected it was my own stupidity. I had put
Code:
rdr on
at the start of the lines, when it should have been
Code:
rdr pass on
 
Note that using rdr pass means that the rest of your rule set is completely ignored. This means you cannot block abusers any more for example.
 
That is a good point, for my usage there's nothing from the open internet coming into either zerotier or re0 so I'm not too concerned about abusers on this platform. If you have the time, do you know why rdr on would fail but rdr pass would be fine for this redirect?
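The answer to the last question is visible in the pf.conf posted earlier in the thread. A plain rdr rule only translates the destination; the translated packet (now addressed to 10.1.1.6:8096) still has to pass the filter rules, and that ruleset has "block in all" with pass rules only for port ssh and for {445,137,138,139,10000}. With "set block-policy return", pf answers a blocked TCP SYN with a RST, which the client reports as "connection refused". The ssh redirect worked only because the translated packet to 10.1.1.3 port 22 matched the global "pass in ... port ssh" rule, while 8096 matched nothing. "rdr pass" skips the filter entirely, which is why it worked and why SirDice warns against it. The ruleset below is an added example, not the thread's own configuration: it keeps the rdr rules without "pass" and adds explicit pass rules for the translated traffic, so blocking rules remain in effect. Interface names, jail addresses and ports are taken from the thread; the $zt_net value is an assumption derived from the /16 netmask shown in the ifconfig output.

```pf
# Added example (not from the thread): translate with rdr, then pass the
# translated traffic explicitly instead of using "rdr pass".
ext_if="re0"
ext_zero="zt66bl2i22mhp5d"
jellyfin="10.1.1.6"
sshx11="10.1.1.3"
zt_net="10.144.0.0/16"       # assumption: ZeroTier network, from netmask 0xffff0000 in the ifconfig output

set block-policy return      # blocked TCP gets a RST, so the client sees "connection refused"
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

# Translation only. No "pass" keyword, so the filter rules below still apply.
rdr on $ext_zero proto tcp from any to $ext_zero port 8000 -> $sshx11 port 22
rdr on $ext_zero proto tcp from any to $ext_zero port 8096 -> $jellyfin port 8096
rdr on $ext_zero proto tcp from any to $ext_zero port 8920 -> $jellyfin port 8920
rdr on $ext_zero proto udp from any to $ext_zero port 1900 -> $jellyfin port 1900
rdr on $ext_zero proto udp from any to $ext_zero port 7359 -> $jellyfin port 7359

# "log" sends blocked packets to pflog0 so a refused connection can be traced.
block in log all
pass out quick keep state
antispoof for $ext_if inet

# Filter rules see the post-translation destination (the jail address), so pass
# exactly the redirected services, only on the ZeroTier interface and only from
# the ZeroTier network. Anything else on $ext_zero is still blocked.
pass in on $ext_zero inet proto tcp from $zt_net to $sshx11 port 22 flags S/SA keep state
pass in on $ext_zero inet proto tcp from $zt_net to $jellyfin port {8096, 8920} flags S/SA keep state
pass in on $ext_zero inet proto udp from $zt_net to $jellyfin port {1900, 7359} keep state

# The original pass rules from the thread, unchanged.
pass in inet proto tcp from any to any port ssh flags S/SA keep state
pass in inet proto tcp from any to any port {445,137,138,139,10000} flags S/SA keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". "pfctl -s nat" and "pfctl -s rules" show the translation and filter rules as pf parsed them, and "tcpdump -n -e -ttt -i pflog0" shows which rule blocked a packet, which is the quickest way to tell a firewall block from a service that really is not listening.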
 