PF jail 2 jail communication with pf (nat & rdr)

Hi,
I have a host with one external IP address, created some jails with vnet, using nat for outgoing traffic and rdr to access services inside the jails. Everything works fine, there's just one smaller problem. When I try to access a service from one jail in another jail and DNS delivers the external IP address, the access is rejected.
Temporarily I helped myself by writing the hostnames with the vnet IP addresses into the /etc/hosts file, which worked, but this does not seem a proper solution.

Can anybody give me a hint for a better solution?
Thanks
 
You need to look into DNS reverse lookup zones, if you're the one running the DNS.

Since I've never really set up a bind server myself, I'll refrain from giving concrete tips.
 

Sorry, I haven't made myself clear. It isn't a DNS problem.

When I do a 'nc -4 external-ip 80' from my home PC, I get some HTTP stuff as an answer.
When I do this from one jail to the jail IP where the webserver runs, I get an answer too.
When I do this from a jail to the external IP, nc ends instantly, no connection at all.

The path should be jail1 -> host -> nat -> host -> rdr -> jail2
I hope this explains it better.
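The path described above (jail1 -> host -> nat -> host -> rdr -> jail2) fails with a plain `rdr on $ext_if` rule because a packet that jail1 sends to the public address never arrives on the external interface: it comes in on the host side of the jails' bridge, so the redirect written for the external interface is never consulted, and the connection is refused by the host itself. What is needed is the hairpin (NAT reflection) pattern: a second rdr on the internal interface plus a nat on the same interface so that jail2's replies go back through the host instead of straight to jail1. The following pf.conf is an added example written for this thread, not a config posted by anyone in it; the interface names (em0, bridge0), the documentation address 203.0.113.10 and the 10.0.0.0/24 jail subnet are placeholders for the poster's real values.

```pf
# Added example, not from the thread. Placeholders:
#   em0     carries the single public address
#   bridge0 is the host side of the vnet jails' bridge, host address 10.0.0.1/24
#   jail2   runs the webserver on 10.0.0.12
ext_if   = "em0"
jail_if  = "bridge0"
ext_ip   = "203.0.113.10"
jail_net = "10.0.0.0/24"
web_jail = "10.0.0.12"

set skip on lo0

# Outbound NAT for the jails (what the original setup already has).
nat on $ext_if from $jail_net to any -> $ext_ip

# Inbound redirect from the Internet (what the original setup already has).
# Only matches packets that arrive on $ext_if, so jail-to-jail traffic
# addressed to $ext_ip never hits this rule.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web_jail port 80

# Hairpin, part 1: a jail talking to the public address arrives on $jail_if.
# Redirect it there as well.
rdr on $jail_if proto tcp from $jail_net to $ext_ip port 80 -> $web_jail port 80

# Hairpin, part 2: source-NAT the redirected connection to the bridge
# address. Without this jail2 answers jail1 directly on the shared L2
# segment, jail1 sees a SYN-ACK from 10.0.0.12 instead of 203.0.113.10
# and resets the connection, which is the "nc ends instantly" symptom.
nat on $jail_if proto tcp from $jail_net to $web_jail port 80 -> ($jail_if)

# Filtering happens after translation, so pass the translated destination.
# Both directions cross $jail_if; pf's default stateful pass keeps the
# reply path symmetric.
pass in  on $jail_if proto tcp from $jail_net to $web_jail port 80
pass out on $jail_if proto tcp to $web_jail port 80
```

After `pfctl -f /etc/pf.conf`, `pfctl -s nat` should list both rdr rules and both nat rules. Repeat the `nc -4 external-ip 80` test from jail1 and watch `pfctl -ss` on the host: a working hairpin shows one state on $jail_if with the original destination rewritten to 10.0.0.12 and the source rewritten to the bridge address. Services that must stay internal-only can get the same `rdr on $jail_if` treatment without a matching `rdr on $ext_if`, so they are reachable through the public name from inside but not from the Internet.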
 
Just use rdr in your pf and redirect all traffic, e.g. <externalip:80> -> <jailip:80>, inside the respective jail.
 
That already works. I can access my webserver in the jail from an external address without any problem, but not from another jail on the same host.
 

Actually, a reverse lookup zone is not relevant here. That would map IP -> hostname. While that is best practice and they'll want to do that on any IPs they have, it's not the problem at hand.

Maybe you were thinking of views? This would provide a different set of responses based on the source of the query. It's one solution, but views are a quick way to shoot yourself in the foot so I really don't recommend them.


Gavilaan said:
When i try to access a service from one jail in another jail and dns delivers the external ip address, the access is rejected.

There are many ways to set this kind of thing up, and rootbert's solution will do depending on your requirements. I personally prefer to use a separate on-the-box netgraph subnet, which I create using jng (from /usr/src/share/examples/jails/jng), so that I don't expose internal-only services to the Internet.

e.g.
Code:
ns0 {
  host.hostname = "dns0.example.com";
  exec.prestart += "jng bridge dns0 bridge0 bridge1";
  exec.poststop += "jng shutdown dns0";
  vnet.interface = ng0_dns0,ng1_dns0;
}

Then have the services use the local subnet (which is on one of the bridges).

This is, of course, a more complex setup, as it requires filtering on multiple interfaces etc. (and, in my case, a local DNS zone, but I'm pedantic and have BIND running on the machine for other reasons anyway).

If you're having trouble with pf and would like help debugging, please post a sanitised (no public IP addresses, no hostnames) copy of your pf.conf
 
Take a look at these URLs:

Given that you are using vlan/vnet, you may need to make some additional changes. Otherwise, only a few changes are required in pf.conf to get jails to communicate. One of them is "set skip interface loX", where X = 0, 1, 2, ...
 