Jail and Firewall

Hello,

I am using IPF and PF on my system.
I have 2 jails. 1 is my mysql-server, the other is my web-server. (ezjail)
I need to know how I can set up firewall rules for these 2 jails.
Is it enough to edit the firewall.rules on the host system, or does every jail need its own firewall?
 
Sisler_Ohan said:
I am using IPF and PF on my system.
Use one or the other, not both.

I need to know how I can set up firewall rules for these 2 jails.
Is it enough to edit the firewall.rules on the host system, or does every jail need its own firewall?
You need to edit the host's firewall. You can't do it inside the jail itself with a 'standard' jail. It should be possible to do this by using VIMAGE, but it's relatively new and barely documented, so I don't recommend it for new users (which you appear to be).
 
Hey,

So if I open some ports in the firewall.rules, are they open for the jails too?
Same for the closed/blocked ports?
 
Hi,

Try something like this with /etc/pf.conf: fill in the ext_if and ext_addr variables with the interface name and IP address you use as external, and fill in int_net, www_addr and mysql_addr with the IP of your jailed subnet and the jails' IP addresses.
Code:
ext_if=""
ext_addr=""

int_net=""
www_addr=""
mysql_addr=""

nat on $ext_if from $int_net to any -> $ext_if:0

# WWW
rdr on $ext_if proto tcp from any to $ext_addr/32 port 80 -> $www_addr port 80
rdr on $ext_if proto tcp from any to $ext_addr/32 port 443 -> $www_addr port 443

## MYSQL
rdr on $ext_if proto tcp from any to $ext_addr/32 port 3306 -> $mysql_addr port 3306

# do not block rest of traffic or replace with real filtering rules
pass in all
pass out all
 
Hey

If I type pfctl -vnf to check the conf I get this:

Code:
# pfctl -vnf /etc/pf.conf
ext_if = "em0"
ext_addr = "xxx.xxx.xxx.xxx"
int_net = "255.255.255.255"
mysql_addr = "xxx.xxx.xxx.xxx"
nat on em0 inet from 255.255.255.255 to any -> xxx.xxx.xxx.xxx
pass in all flags S/SA keep state
pass out all flags S/SA keep state

I just filled the config with my subnet and the IPs of the jails.

Why can't I see the # WWW commands with rdr on $ext_if?

Btw, how can I block ports with pf on the host system and on the jails?
 
Why don't you start off with a block all and only allow the traffic you want/need?
 
SirDice said:
Why don't you start off with a block all and only allow the traffic you want/need?

Exactly this is what I want. Can you give me a little pf.conf for this? Would be nice, because I'm not very good with this.
 
Basic rules
Code:
block in log all
block out log all
# $ext_if, $www and $mysql must be defined as macros above these rules
# ($www and $mysql are the jail addresses, i.e. the destinations after rdr)
pass in on $ext_if inet proto tcp from any to $www port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $mysql port 3306 flags S/SA keep state
enable and start pflog:
Code:
echo 'pflog_enable="YES"' >> /etc/rc.conf
/etc/rc.d/pflog start
Check what is blocked by the rules containing 'log':
Code:
tcpdump -n -e -ttt -i pflog0
 
geodni said:
Hi,

Try something like this with /etc/pf.conf: fill in the ext_if and ext_addr variables with the interface name and IP address you use as external, and fill in int_net, www_addr and mysql_addr with the IP of your jailed subnet and the jails' IP addresses.
Code:
ext_if=""
ext_addr=""

int_net=""
www_addr=""
mysql_addr=""

nat on $ext_if from $int_net to any -> $ext_if:0

# WWW
rdr on $ext_if proto tcp from any to $ext_addr/32 port 80 -> $www_addr port 80
rdr on $ext_if proto tcp from any to $ext_addr/32 port 443 -> $www_addr port 443

## MYSQL
rdr on $ext_if proto tcp from any to $ext_addr/32 port 3306 -> $mysql_addr port 3306

# do not block rest of traffic or replace with real filtering rules
pass in all
pass out all

Well, if I use these rules (modified) the host system redirects me to a jail.
If I connect to the host ip:22 for ssh, it redirects me to the ssh of the jail.
My rules are like this now:

Code:
ext_if="em0"
ext_addr="myiphere"

int_net="255.255.255.255"
jailmysql="jailmysqlip"

nat on $ext_if from $int_net to any -> $ext_if:0

# JAIL

# redirect host port 22 to the mysql jail's sshd (macro name must match the one defined above)
rdr on $ext_if proto tcp from any to $ext_addr/32 port 22 -> $jailmysql port 22

This means, how can I connect to the SSH of the jails?
I won't log in via the host system to the jails' ssh.
 
Yes, that's the way it works.
Make your jails' ssh listen on other ports like 4122 for the first jail, 4222 for the second jail, etc. Use a redirect for each jail:
  • host:4122 ==> jail1:22
  • host:4222 ==> jail2:22
Or just use jexec from the host.
Using NAT is not mandatory if you have several external IP addresses. Give one to each jail you want to directly connect to using SSH, or something else. Don't forget to restrict ListenAddress xx.xx.xx.xx in the host's and jails' SSH configuration /etc/ssh/sshd_config, as for all IP services running on the host and jails.
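A complete default-deny pf.conf that ties the pieces of this thread together (block all, NAT, one host port per jail for SSH, pass rules written against the translated jail addresses). This is an added example, not a configuration posted in the thread; the interface name em0, the host address and the 10.0.0.0/24 jail subnet are placeholders.

```pf
# Added example, not from the thread. Placeholders: em0, 203.0.113.10 (host), 10.0.0.0/24 (jails).
ext_if="em0"
ext_addr="203.0.113.10"        # host's external address (placeholder)
int_net="10.0.0.0/24"          # jail subnet as a CIDR prefix, not a netmask
www_addr="10.0.0.1"            # web-server jail
mysql_addr="10.0.0.2"          # mysql-server jail

# Loopback (including traffic between the jail aliases) is left unfiltered here.
set skip on lo0

# Translation rules must come before filter rules in this pf syntax.
nat on $ext_if from $int_net to any -> ($ext_if)

# The public web service lives in the web jail; ports are kept as-is.
rdr on $ext_if proto tcp from any to $ext_addr port { 80, 443 } -> $www_addr

# One host port per jail for SSH, so the host keeps its own port 22:
#   host:4122 -> web jail:22, host:4222 -> mysql jail:22
rdr on $ext_if proto tcp from any to $ext_addr port 4122 -> $www_addr port 22
rdr on $ext_if proto tcp from any to $ext_addr port 4222 -> $mysql_addr port 22

# No rdr for 3306: MySQL is reached by the web jail on the internal address only.

# Default deny, logged to pflog0 so "tcpdump -n -e -ttt -i pflog0" shows what was dropped.
block in log all
block out log all

# Filter rules see the translated (post-rdr) destination, so they match the jail addresses.
pass in on $ext_if proto tcp from any to $ext_addr port 22 flags S/SA keep state
pass in on $ext_if proto tcp from any to $www_addr port { 22, 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mysql_addr port 22 flags S/SA keep state

# Let the host and jails open outbound connections; replies return via the state table.
pass out on $ext_if all keep state
```

Check it with `pfctl -vnf /etc/pf.conf` before loading, as done earlier in the thread, and bind each sshd to its own address with ListenAddress so the host's and jails' sshd do not compete for port 22.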
 
geodni said:
Yes, that's the way it works.
Make your jails' ssh listen on other ports like 4122 for the first jail, 4222 for the second jail, etc. Use a redirect for each jail:
  • host:4122 ==> jail1:22
  • host:4222 ==> jail2:22
Or just use jexec from the host.
Using NAT is not mandatory if you have several external IP addresses. Give one to each jail you want to directly connect to using SSH, or something else. Don't forget to restrict ListenAddress xx.xx.xx.xx in the host's and jails' SSH configuration /etc/ssh/sshd_config, as for all IP services running on the host and jails.

Hi,

That works, thank you very much.
I'm not very good at port forwarding, that's my first time setting up new jails with pf.
 
Hi,

If I connect directly to the IP of the jail, how can I open the port for this?
E.g. 10.0.0.1 is the IP of the webserver.
If I type 10.0.0.1 I want to connect to the webserver, but how do I open the ports for this without port forwarding?
It's of course a jail.

Something like this?
Code:
#-------
ext_if="em0"		        # Extern Interface
int_if="lo0"	                # Local Interface
external_addr="192.168.178.20"	# Extern IP
internal_net="255.255.255.255"	# Subnet
jail="192.168.178.85"           # Jail ip
#-------

nat on $ext_if from $internal_net to any -> ($ext_if)

# Forward port 10022 to $jail SSH (macro names are case sensitive; "->" is the redirect arrow)
rdr on $ext_if proto tcp from any to $external_addr/32 port 10022 -> $jail port 22
pass in on $ext_if proto tcp from any to $jail port 80

???


edit: all working fine now, thx, thread can be closed!
 
Sisler_Ohan said:
Hi,

Code:
#-------
ext_if="em0"		        # Extern Interface
int_if="lo0"	                # Local Interface
external_addr="192.168.178.20"	# Extern IP
internal_net="255.255.255.255"	# Subnet
jail="192.168.178.85"           # Jail ip
#-------
It's not a subnet, it's a netmask !!! Can you provide the output of ifconfig -a? I think you make big mistakes and you mix things up.

Personally I don't use ezjail, but never mind. I have my external network interface located on one subnet (192.168.0.140/24) and I use the same physical card re0 with aliases (10.200.0.20/32, 10.200.0.21/32, ...) for each jail BUT on a different subnet, that's why I use redirect.
I didn't try using the loopback interface to bring up the jails' IP addresses, it might work the same way.

If your jails are on the same subnet as your external interface, bring up the IP aliases on the same interface, then you won't have to use redirect, or I know nothing. Can someone confirm that or tell me how it should be ?
 