Hi everyone.
Recently I have upgraded to 12.2-Release-p1 from 11.4-Release-p4
And have composed a new firewall script for server with jails etc. based on the handbook: https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
So ... everything is working except port redirection to access services inside jails from the outside. I can access jails, jails can access host, jails can access the internet, etc... but not possible to access services inside the jail from the outside.
Ii have tried everything, read a lot of threads .. and the problem seems to be similar to https://forums.freebsd.org/threads/ipfw-kernel-nat-port-redirection-not-working.76311/post-470916 and https://forums.freebsd.org/threads/ipfw-kernel-nat-port-redirection-not-working.76311/post-475554
My config:
/usr/local/etc/ipfw.rules (stripped for ip's)
/etc/sysctl.conf
I hope someone would point me to what I'm doing wrong.
Best
willy.
Recently I have upgraded to 12.2-Release-p1 from 11.4-Release-p4
And have composed a new firewall script for server with jails etc. based on the handbook: https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
So ... everything is working except port redirection to access services inside jails from the outside. I can access jails, jails can access host, jails can access the internet, etc... but not possible to access services inside the jail from the outside.
Ii have tried everything, read a lot of threads .. and the problem seems to be similar to https://forums.freebsd.org/threads/ipfw-kernel-nat-port-redirection-not-working.76311/post-470916 and https://forums.freebsd.org/threads/ipfw-kernel-nat-port-redirection-not-working.76311/post-475554
My config:
ifconfig host
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
ether 60:a4:00:00:00:00
inet X.Y.Z.138 netmask 0xffffffc0 broadcast X.Y.Z.191
inet X.Y.Z.166 netmask 0xffffffc0 broadcast X.Y.Z.191
inet X.Y.Z.167 netmask 0xffffffc0 broadcast X.Y.Z.191
inet X.Y.Z.168 netmask 0xffffffc0 broadcast X.Y.Z.191
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vm-public: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 6a:60:de:d1:94:0f
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: vnet0.1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 5 priority 128 path cost 2000
groups: bridge vm-switch viid-4c918@
nd6 options=1<PERFORMNUD>
tap0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
ether 58:9c:fc:10:ff:83
groups: tap
media: Ethernet autoselect
status: no carrier
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vnet0.1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: associated with jail: asma as nic: epair0b
options=8<VLAN_MTU>
ether 60:a4:4c:00:00:01
hwaddr 02:39:fe:a8:a3:0a
inet6 fe80::62a4:4cff:fee8:3f5d%vnet0.1 prefixlen 64 scopeid 0x5
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> ifconfig jail
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 60:a4:4c:00:00:02
hwaddr 02:39:fe:a8:a3:0b
inet 10.0.0.10 netmask 0xff000000 broadcast 10.255.255.255
inet6 fe80::62a4:4cff:fee8:3f5e%epair0b prefixlen 64 tentative scopeid 0x2
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>/usr/local/etc/ipfw.rules (stripped for ip's)
Code:
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 1000"
pif=em0
ks="keep-state"
good_tcpo="22,25,37,53,80,123,443,110"
dns_list="1.2.3.4,2.3.4.5,3.4.5.6"
#disable one pass
ipfw disable one_pass
#NAt
ipfw -q nat 1 config if $pif redirect_port tcp 10.0.0.10:80 X.Y.Z.138:82
#unreg_only same_port reset
#redirect_port tcp 10.0.0.10:80 X.Y.Z.138:82
#allow internal traffic from jails/(lan)
#moved to rule 490/495
#$cmd 00005 allow all from any to any via vm-public
# No restrictions on Loopback Interface - a lot of traffic here
$cmd 00010 allow all from any to any via lo0
# reassemble inbound packets
$cmd 00070 reass all from any to any in
# NAT any inbound packets
$cmd 00080 nat 1 ip from any to any in recv $pif
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 00090 check-state
#inbount traffic is the most important 100-299
#drop all inbound traffic from non-routable reserved address spaces etc
$cmd 00100 drop ip from "table(1)" to any in via $pif
# Allow HTTP connections to internal web server
$cmd 00110 allow tcp from any to me 80,443 in via $pif setup keep-state
# Allow public pings
$cmd 00120 allow icmp from any to any in via $pif keep-state
# Deny ident & Netbios
$cmd 00130 deny tcp from any to any 113,81,137,138,139 in via $pif
# Deny fragments
$cmd 00140 deny all from any to any frag in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00150 deny tcp from any to any established in via $pif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00150 deny tcp from any to any established in via $pif
# Allow inbound SSH connections
$cmd 00170 allow tcp from any to me 45222 in via $pif setup keep-state
#Email server activities in one line SMTP-25, SMTP-MSA-587, IMAP-SSL-993, POP3-SSL-995
$cmd 00190 allow tcp from any to X.Y.Z.138 25,587,993,995 in via $pif setup keep-state
#mysql acess from jails to the host available on 10.0.0.1:3306
$cmd 00290 fwd 127.0.0.1,3306 tcp from 10.0.0.0/24 to 10.0.0.1 3306 in via vm-public setup keep-state
#allow traffic from jails - its low priority rule ... so its at the end of input
$cmd 00295 allow all from any to any via vm-public
# Reject and log all other incoming connections
$cmd 00299 deny log all from any to any in via $pif
#outbound traffic, low prio 300-499
# Allow access to public DNS
$cmd 00310 $skip tcp from any to $dns_list 53 out via $pif setup keep-state
$cmd 00311 $skip udp from any to $dns_list 53 out via $pif keep-state
#allow oubound traffic on/to ports: 22,25,37,53,80,123,443,110
$cmd 00325 $skip tcp from any to any $good_tcpo out via $pif setup $ks
# Allow outbound ping
$cmd 00350 $skip icmp from any to any out via $pif keep-state
# deny and log all other outbound connection
$cmd 00499 deny log all from any to any out via $pif
# Everything else is denied and logged
$cmd 00999 deny log all from any to any
# skipto location for outbound stateful rules
$cmd 1000 nat 1 ip from any to any out xmit $pif
$cmd 1001 allow ip from any to any
#load/create table #1 .. it takes a quite long time .. so it's at the end of this script.
. /usr/local/blacklist/create_table1/etc/sysctl.conf
Code:
net.inet.ip.fw.one_pass=0
net.inet.tcp.tso=0I hope someone would point me to what I'm doing wrong.
Best
willy.
