rigoletto@
Developer
Hello,
I have a few jails running. One of them runs www/nginx with several things working as expected, except www/davical, which needs to access another jail running PostgreSQL, and it doesn't unless I disable the firewall.
I have the rule to allow it, but for some reason IDK it is not working anymore. It used to work but suddenly stopped, but I may or may not have been tweaking something in there.
SQL_Jail = PostgreSQL
WEB_Jail = Nginx
Code:
### Interfaces ------------------------------------------------------------------
ext_if = "re0"
### Hosts -----------------------------------------------------------------------
HOST = "10.0.0.1"
DNS_Jail = "10.0.1.10"
SQL_Jail = "10.0.1.30"
WEB_Jail = "10.0.1.100"
### Queues, States and Types ------
IcmpType = "{echoreq, unreach}"
SynState = "flags S/SAFR synproxy state"
TcpState = "flags S/SAFR modulate state"
### Stateful Tracking Options (STO) ---------------------------------------------
Open_STO = "(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
Ssh_STO = "(max 100, source-track rule, max-src-conn 10, max-src-nodes 100, \
max-src-conn-rate 100/30, overload <bruteforce> flush global)"
Web_STO = "(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, \
max-src-conn-rate 500/100, overload <bruteforce> flush global)"
### Tables ----------------------------------------------------------------------
table <bruteforce> persist
table <blocktemp> counters
#table <blockperm> counters file "/usr/local/etc/blocked/geoblock"
table <local> { 10.0.0.0/16 }
table <vmach> { 172.16.0.1/24 }
### Misc. Options ---------------------------------------------------------------
set skip on lo
set skip on lo1
set debug urgent
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
### Normalization ---------------------------------------------------------------
scrub out on $ext_if all fragment reassemble random-id
scrub in on $ext_if all fragment reassemble
### NAT Translation -------------------------------------------------------------
#nat on $ext_if from <vmach> to any -> ($ext_if)
### Filtering Rules -------------------------------------------------------------
# Antispoof ---------------------------------------------------------------------
antispoof for $ext_if inet
# Block anything coming from sources that we #
# have no back routes for. #
block in from no-route to any
# Block packets that fail a reverse path check #
# If not, it is probably source address spoofed #
block in from urpf-failed to any
# Keep state on any outbound tcp, udp or icmp traffic. Modulate the ISN #
# (initial sequence number) of outgoing packets. Broken operating systems #
# sometimes don't randomize this number, making it guessable. #
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
# Block IN ----------------------------------------------------------------------
block in quick from <bruteforce>
block in log all
# Pass IN ICMP ------------------------------------------------------------------
pass inet proto icmp all icmp-type $IcmpType keep state
# Pass IN TCP -------------------------------------------------------------------
pass in log on $ext_if inet proto tcp from !($ext_if) to $WEB_Jail port 80 \
$TcpState $Web_STO
pass in log on $ext_if inet proto tcp from !($ext_if) to $WEB_Jail port 443 \
$TcpState $Web_STO
pass in quick proto tcp from <local> to $DNS_Jail port 53
pass in quick proto tcp from <vmach> to $DNS_Jail port 53
pass in quick proto tcp from $WEB_Jail to $SQL_Jail port 5432
# MusicPD
# pass in quick proto tcp from <local> to $HOST port 6600
# Transmission
pass in quick proto tcp from !($ext_if) to $HOST port 6880
# Pass IN UDP -------------------------------------------------------------------
pass in quick proto udp from <local> to $DNS_Jail port 53
# Transmission
pass in quick proto udp from !($ext_if) to $HOST port 6880
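Since the ruleset above ends with `block in log all`, every packet pf drops is written to pflog0 together with the number of the rule that dropped it, which is the fastest way to see which rule is eating the WEB_Jail to SQL_Jail:5432 connection. The helper below is an added example and not part of the original post; the tcpdump lines in it are constructed to look like `tcpdump -n -e -ttt -i pflog0` output for this ruleset, and the rule numbers in them are assumed, not taken from the poster's host.

```shell
#!/bin/sh
# Added example (not from the original post): from pflog0 text, list which pf rule is
# blocking WEB_Jail -> SQL_Jail port 5432 and how often.
# On the real host the input comes from:
#   tcpdump -n -e -ttt -i pflog0 host 10.0.1.30 and port 5432
# and the rule number maps back to the "@N" numbering printed by:
#   pfctl -vvsr
# Addresses are the ones from the posted pf.conf.

SQL_JAIL="10.0.1.30"
WEB_JAIL="10.0.1.100"
SQL_PORT="5432"

# Constructed sample of pflog0 records in the format tcpdump -e prints for pf log
# records. Rule numbers (7, 11) are assumed for the example.
SAMPLE_PFLOG='00:00:00.000000 rule 7/0(match): block in on re0: 10.0.1.100.51234 > 10.0.1.30.5432: Flags [S], seq 1, win 65535, length 0
00:00:00.912345 rule 7/0(match): block in on re0: 10.0.1.100.51234 > 10.0.1.30.5432: Flags [S], seq 1, win 65535, length 0
00:00:01.004567 rule 11/0(match): pass in on re0: 203.0.113.9.40000 > 10.0.1.100.443: Flags [S], seq 2, win 64240, length 0
00:00:00.500000 rule 7/0(match): block in on re0: 198.51.100.4.6000 > 10.0.0.1.22: Flags [S], seq 3, win 1024, length 0'

# blocked_sql_rules: read pflog text on stdin and print "<rule> <interface> <count>"
# for every block record whose source is WEB_JAIL and whose destination is
# SQL_JAIL.SQL_PORT. Pass records and unrelated sources are ignored.
blocked_sql_rules() {
    awk -v src="$WEB_JAIL" -v dst="$SQL_JAIL.$SQL_PORT" '
        /\(match\): block/ {
            # fields: TS rule N/M(match): block DIR on IF: SRC.PORT > DST.PORT: ...
            n = $3;  sub(/\/.*$/, "", n)         # rule number, text before "/"
            ifc = $7; sub(/:$/, "", ifc)         # interface name without trailing ":"
            s = $8;  sub(/\.[0-9]+$/, "", s)     # source address without port
            d = $10; sub(/:$/, "", d)            # destination address.port
            if (s == src && d == dst) count[n " " ifc]++
        }
        END { for (k in count) print k, count[k] }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PFLOG" | blocked_sql_rules
```

The interface column matters here because of `set state-policy if-bound` and `set skip on lo1`: if the blocked packets show up on an interface other than the one the `pass in quick ... port 5432` rule is expected to match, or never show up at all, that narrows the problem down before touching the ruleset. `pfctl -vvsr` shows the per-rule evaluation and match counters to confirm whether the 5432 rule is being hit, and `pfctl -ss` lists any existing state for port 5432.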