PF Issues with filtering.

rigoletto@

Developer
Hello,

I have a few jails running. One of them runs www/nginx with several things working as expected, except www/davical, which needs to access another jail running PostgreSQL and doesn't unless I disable the firewall.

I have the rule to allow it, but for some reason IDK it is not working anymore. It used to work but suddenly stopped - but I may or may not have been tweaking something in there.

SQL_Jail = PostgreSQL
WEB_Jail = Nginx

Code:
### Interfaces ------------------------------------------------------------------
ext_if = "re0"


### Hosts -----------------------------------------------------------------------
HOST            = "10.0.0.1"
DNS_Jail        = "10.0.1.10"
SQL_Jail        = "10.0.1.30"
WEB_Jail        = "10.0.1.100"


### Queues, States and Types ------
IcmpType  = "{echoreq, unreach}"
SynState  = "flags S/SAFR synproxy state"
TcpState  = "flags S/SAFR modulate state"


### Stateful Tracking Options (STO) ---------------------------------------------
Open_STO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
Ssh_STO  = "(max  100, source-track rule, max-src-conn 10, max-src-nodes 100, \
        max-src-conn-rate  100/30, overload <bruteforce> flush global)"
Web_STO  = "(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, \
        max-src-conn-rate 500/100, overload <bruteforce> flush global)"


### Tables ----------------------------------------------------------------------
table <bruteforce> persist
table <blocktemp>  counters
#table <blockperm>  counters file "/usr/local/etc/blocked/geoblock"
table <local>      { 10.0.0.0/16 }
table <vmach>      { 172.16.0.1/24 }


### Misc. Options ---------------------------------------------------------------
set skip on lo
set skip on lo1
set debug urgent
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"


### Normalization ---------------------------------------------------------------
scrub out on $ext_if all fragment reassemble random-id
scrub in  on $ext_if all fragment reassemble


### NAT Translation -------------------------------------------------------------
#nat on re0 from <vmach> to any -> (ext_if)


### Filtering Rules -------------------------------------------------------------

# Antispoof ---------------------------------------------------------------------
antispoof for $ext_if inet


# Block anything coming from sources that we #
# have no back routes for.                   #
block in from no-route to any


# Block packets that fail a reverse path check  #
# If not, it is probably source address spoofed #
block in from urpf-failed to any


# Keep state on any outbound tcp, udp or icmp traffic. Modulate the ISN   #
# (initial sequence number) of outgoing packets. Broken operating systems #
# sometimes don't randomize this number, making it guessable.             #
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state


# Block IN ----------------------------------------------------------------------
block in quick from <bruteforce>
block in log all


# Pass IN ICMP ------------------------------------------------------------------
pass inet proto icmp all icmp-type $IcmpType keep state


# Pass IN TCP -------------------------------------------------------------------
pass in log on $ext_if inet proto tcp from !($ext_if) to $WEB_Jail port 80 \
    $TcpState $Web_STO
pass in log on $ext_if inet proto tcp from !($ext_if) to $WEB_Jail port 443 \
    $TcpState $Web_STO

pass in quick proto tcp from <local>    to $DNS_Jail port 53
pass in quick proto tcp from <vmach>    to $DNS_Jail port 53
pass in quick proto tcp from $WEB_Jail  to $SQL_Jail port 5432

    # MusicPD
# pass in quick proto tcp from <local> to $HOST port 6600

    # Transmission
pass in quick proto tcp from !($ext_if) to $HOST port 6880


# Pass IN UDP -------------------------------------------------------------------
pass in quick proto udp from <local> to $DNS_Jail port 53

    # Transmission
pass in quick proto udp from !($ext_if) to $HOST port 6880
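Because the posted ruleset has "block in log all", every packet pf drops is copied to pflog0, so the quickest way to see why WEB_Jail cannot reach SQL_Jail is to read that log and check which rule number and interface the drop was recorded on. The script below is an added example, not part of the original post: it assumes a text dump made with `tcpdump -n -e -ttt -i pflog0`, uses the post's own addresses (10.0.1.100 and 10.0.1.30), and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sift a pflog0 text dump for
# packets from WEB_Jail to SQL_Jail port 5432 that pf blocked, and report the
# rule number and interface that dropped them. The dump is assumed to come from:
#   tcpdump -n -e -ttt -i pflog0 > /tmp/pflog.txt
# Map a reported rule number N back to the loaded ruleset with: pfctl -vvsr | grep '^@N '

WEB_JAIL="10.0.1.100"   # $WEB_Jail in the posted pf.conf
SQL_JAIL="10.0.1.30"    # $SQL_Jail in the posted pf.conf
SQL_PORT="5432"

# blocked_sql: reads pflog text on stdin, prints one line per blocked
# WEB_Jail -> SQL_Jail:5432 packet as "rule=<n> dir=<in|out> iface=<if> src=<ip.port>"
blocked_sql() {
    awk -v src="$WEB_JAIL" -v dst="$SQL_JAIL.$SQL_PORT" '
    /\(match\): block / {
        rule = ""; dir = ""; iface = ""; from = ""; to = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "rule")  { rule = $(i+1); sub(/\/.*/, "", rule) }  # "5/0(match):" -> "5"
            if ($i == "block") { dir = $(i+1) }                           # "in" or "out"
            if ($i == "on")    { iface = $(i+1); sub(/:$/, "", iface) }  # "re0:" -> "re0"
            if ($i == ">")     { from = $(i-1); to = $(i+1); sub(/:$/, "", to) }
        }
        # keep only drops whose destination is the PostgreSQL port on SQL_Jail
        # and whose source address is WEB_Jail (any source port)
        if (to == dst && index(from, src ".") == 1)
            printf "rule=%s dir=%s iface=%s src=%s\n", rule, dir, iface, from
    }'
}

# Constructed sample of what tcpdump prints on pflog0; only the second line is
# a blocked WEB_Jail -> SQL_Jail connection attempt, the others are noise.
sample_pflog() {
    cat <<'EOF'
00:00:00.000000 rule 8/0(match): pass in on re0: 203.0.113.5.40000 > 10.0.1.100.443: Flags [S], seq 1, win 65535, length 0
00:00:00.000421 rule 5/0(match): block in on re0: 10.0.1.100.51234 > 10.0.1.30.5432: Flags [S], seq 2, win 65535, length 0
00:00:00.001337 rule 5/0(match): block in on re0: 198.51.100.7.55555 > 10.0.0.1.22: Flags [S], seq 3, win 65535, length 0
EOF
}

sample_pflog | blocked_sql
```

If the drops show up on an interface other than the one you expected, that is the first thing to reconcile with the `set skip` and `state-policy if-bound` lines in the ruleset.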