Hello,
I am struggling with pf and I don't know what I miss...
Any help is super welcome.
I've got a jail-A with OpenLDAP running, a jail-B which runs ejabberd, both on the same host, and a Nextcloud instance on a separate machine.
The Nextcloud instance can communicate with Jail-A without trouble, it works well, but Jail-B can't join slapd on Jail-A.
- Jail-A can ping Jail-B:
Bash:
[root@ldap /]# ping -c 3 192.168.0.X
PING 192.168.0.X (192.168.0.X): 56 data bytes
64 bytes from 192.168.0.X: icmp_seq=0 ttl=64 time=0.065 ms
64 bytes from 192.168.0.X: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 192.168.0.X: icmp_seq=2 ttl=64 time=0.218 ms
--- 192.168.0.X ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.061/0.115/0.218/0.073 ms
- Jail-B can ping Jail-A:
Bash:
[root@jabber /]# ping -c 3 192.168.0.Y
PING 192.168.0.Y (192.168.0.Y): 56 data bytes
64 bytes from 192.168.0.Y: icmp_seq=0 ttl=64 time=0.047 ms
64 bytes from 192.168.0.Y: icmp_seq=1 ttl=64 time=0.216 ms
64 bytes from 192.168.0.Y: icmp_seq=2 ttl=64 time=0.150 ms
--- 192.168.0.Y ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.047/0.138/0.216/0.070 ms
Jail-A is listening on both ports, 389 and 636:
Bash:
[root@ldap /]# sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
...
ldap slapd 29964 6 stream /var/run/openldap/ldapi
ldap slapd 29964 7 tcp4 *:636 *:*
ldap slapd 29964 8 tcp4 *:389 *:*
The LDAP server is working and reachable from the outside:
Bash:
dervishe@moss ~ $ ldapsearch -H "ldaps://ldap.mydoma.in" -D "cn=admin,dc=mydoma,dc=in" "(uid=operator)" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=membres,dc=mydoma,dc=in> (default) with scope subtree
# filter: (uid=operator)
# requesting: ALL
#
# operator, membres, mydoma.in
dn: cn=operator,ou=membres,dc=mydoma,dc=in
cn: operator
objectClass: inetOrgPerson
objectClass: shadowAccount
sn: operator
uid: operator
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
But when I try from the other jail (with FQDN or IP):
Bash:
[root@jabber ~]# ldapsearch -H "ldaps://ldap.mydoma.in" -D "cn=admin,dc=mydoma,dc=in" -W "(uid=operator)"
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
[root@jabber ~]# ldapsearch -H "ldaps://192.168.0.Y" -D "cn=admin,dc=mydoma,dc=in" -W "(uid=operator)"
Enter LDAP Password:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The pf.conf from the host:
Bash:
ext_if = igb0
int_if = bridgepub
int_priv = bridgepriv
jabber = "192.168.0.X"
oldap = "192.168.0.Y"
icmp_types = "{ echoreq unreach }"
ports_tcp = "{ domain }"
jabber_ports = "{ 5222 5223 5269 5280 5349 }"
ldap_ports = "{ 389 636 }"
martians="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12
10.0.0.0/8 169.254.0.0/16 192.0.2.0/24
0.0.0.0/8 240.0.0.0/4 }"
set skip on lo0
set block-policy return
set loginterface $ext_if
scrub in on $ext_if all fragment reassemble
rdr on $ext_if inet proto tcp from any to ($ext_if) port $jabber_ports -> $jabber
rdr on $ext_if inet proto tcp from any to ($ext_if) port $ldap_ports -> $oldap
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
nat on $ext_if inet from $int_priv:network to any -> ($ext_if)
antispoof quick for $ext_if
block return in log all
block out all
anchor "blacklistd/*" in on $ext_if
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
pass inet proto icmp icmp-type $icmp_types
pass proto udp to port domain
pass proto udp to port 6277
pass proto tcp to port ssh
pass proto tcp to port $ports_tcp
pass proto tcp to port $jabber_ports
pass proto tcp to port $ldap_ports
I don't know what I'm missing...
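A toy model of how pf evaluates the ruleset above, added here as an example (it is not the poster's code or configuration). It assumes the jail-to-jail traffic is really filtered by the host's pf, uses constructed placeholder addresses for $oldap and the igb0 address (the real .X/.Y are not in the post), and assumes ldap.mydoma.in resolves to the public address when queried from jail-B. It shows that rdr on $ext_if rewrites only packets crossing igb0, so a jail connecting to the public address is not redirected to slapd, while the direct-IP packet to port 636 is decided by the last pass rule.

```python
# Added example, not the poster's code: a toy model of pf's "last matching rule wins,
# unless quick" evaluation over the filter rules from the post. Addresses are constructed
# placeholders; scrub, antispoof and the blacklistd anchor are left out of the model.
from ipaddress import ip_address, ip_network
OLDAP, EXT_IP = "192.168.0.20", "203.0.113.1"   # stand-ins for $oldap and igb0's address
MARTIANS = [ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12",
            "10.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4")]
LDAP, JABBER_PORTS = {389, 636}, {5222, 5223, 5269, 5280, 5349}

def martian(addr):
    return any(ip_address(addr) in net for net in MARTIANS)
# Filter rules in pf.conf order; a key the rule leaves out means "any", as in pf.conf.
RULES = [
    dict(label="block return in log all", action="block", dir="in"),
    dict(label="block out all", action="block", dir="out"),
    dict(label="block drop in quick on $ext_if from $martians", action="block",
         dir="in", iface="igb0", src=martian, quick=True),
    dict(label="block drop out quick on $ext_if to $martians", action="block",
         dir="out", iface="igb0", dst=martian, quick=True),
    dict(label="pass inet proto icmp icmp-type $icmp_types", action="pass", proto="icmp"),
    dict(label="pass proto udp to port domain", action="pass", proto="udp", ports={53}),
    dict(label="pass proto udp to port 6277", action="pass", proto="udp", ports={6277}),
    dict(label="pass proto tcp to port ssh", action="pass", proto="tcp", ports={22}),
    dict(label="pass proto tcp to port $ports_tcp", action="pass", proto="tcp", ports={53}),
    dict(label="pass proto tcp to port $jabber_ports", action="pass", proto="tcp", ports=JABBER_PORTS),
    dict(label="pass proto tcp to port $ldap_ports", action="pass", proto="tcp", ports=LDAP),
]
def matches(rule, pkt):
    """Every field the rule sets must agree with the packet; unset fields match anything."""
    return (all(rule.get(k, pkt[k]) == pkt[k] for k in ("dir", "iface", "proto"))
            and pkt["dport"] in rule.get("ports", {pkt["dport"]})
            and all(rule[k](pkt[k]) for k in ("src", "dst") if k in rule))

def rdr(pkt):
    # 'rdr on $ext_if ... port $ldap_ports -> $oldap' rewrites only packets seen on igb0;
    # a jail reaching the public address from inside never crosses igb0, so no rewrite.
    if pkt["iface"] == "igb0" and pkt["dst"] == EXT_IP and pkt["dport"] in LDAP:
        return dict(pkt, dst=OLDAP)
    return pkt

def decide(pkt):
    # Translate first, then walk the ruleset: the last match wins unless a quick rule hits.
    pkt = rdr(pkt)
    action, label = "pass", "implicit default pass"
    for rule in RULES:
        if matches(rule, pkt):
            action, label = rule["action"], rule["label"]
            if rule.get("quick"):
                break
    return {"dst": pkt["dst"], "action": action, "rule": label}
```

Because the model passes the direct-IP case, the useful check on the host is whether pf is the thing dropping it: `tcpdump -n -e -ttt -i pflog0 port 636` shows every packet hit by the `block ... log` rule, and `pfctl -vsr` shows the loaded rules with their hit counters.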