Solved local telnet in jail for postfix

Hello, I am trying to run a mailserver (postfix, dovecot, roundcube) from within a jail. I am trying to `telnet localhost 25` from within a jail to test postfix. My pf conf is preventing this, as I can disable pf and it will work. I can also add `set skip on lo1` and that works, but breaks some other things I have going on. How do I configure pf to allow local telnet from within the jail? (Roundcube also cannot connect to the db on localhost, but one problem at a time. I have not included that part here or the config. Plus, I think it might be the same problem. Hopefully the same fix will work for both.) If anyone has some advice I would appreciate it!

The relevant config is below:

rc.conf:
Code:
cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-9/29"
ifconfig (within jail):
Code:
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 192.168.0.8 netmask 0xffffffff
    groups: lo
jail.conf:
Code:
mail {
    host.hostname = mail;
    ip4.addr = "192.168.0.8";
    interface = "lo1";
    path = "/jails/mail";
    mount.devfs;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}
pf.conf: # I have removed ports/ & additional conf for other things to reduce clutter
Code:
IP_PUB="[REDACTED]"
IP_MAIL="192.168.0.8" # jail for mail
NET_JAIL="192.168.0.0/24"
MAIN_PORT="{ssh}"
PORT_MAIL="{25, 110, 143, 465, 587, 993, 995, 8090, 3306}"

scrub in all
nat pass on vtnet0 from $NET_JAIL to any -> $IP_PUB
#rdr pass on vtnet0 proto tcp from any to 0.0.0.0 port 25 -> $IP_MAIL
rdr pass on vtnet0 proto tcp from any to $IP_PUB port $PORT_MAIL -> $IP_MAIL
block in all
pass in proto tcp to port $MAIN_PORT 
pass out all keep state
 
A user on IRC recommended "any to any", so I added "pass in inet proto tcp from any to any port 25" to pf.conf and it seems to be working. Still having issues with the db, but that is a separate issue. If that is the correct way to handle this, I suppose this thread can be marked resolved!
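The rule the thread settles on, "pass in inet proto tcp from any to any port 25", is not tied to the jail's loopback interface. As an added example (not the poster's configuration), here is the pf.conf from the post with that rule narrowed so that only jail-to-jail traffic on lo1 can reach the mail jail's service ports; the nat and rdr lines are unchanged, and it assumes the host's external interface is vtnet0 as in the post:

```pf
# Macros copied from the post; IP_PUB stays redacted.
IP_PUB="[REDACTED]"
IP_MAIL="192.168.0.8"            # mail jail on lo1
NET_JAIL="192.168.0.0/24"
MAIN_PORT="{ssh}"
PORT_MAIL="{25, 110, 143, 465, 587, 993, 995, 8090, 3306}"

scrub in all

# Outbound traffic from the jails leaves via the host's public address.
nat pass on vtnet0 from $NET_JAIL to any -> $IP_PUB
# Inbound mail/db ports on the public address are redirected to the jail.
rdr pass on vtnet0 proto tcp from any to $IP_PUB port $PORT_MAIL -> $IP_MAIL

block in all
pass in proto tcp to port $MAIN_PORT

# Broad version from the thread: matches on every interface, not just lo1.
# pass in inet proto tcp from any to any port 25

# Narrow version: only traffic between jail addresses on the cloned
# loopback may reach the mail jail's ports. Nothing arriving on vtnet0
# matches this rule, so the rdr line stays the single public entry point.
pass in on lo1 inet proto tcp from $NET_JAIL to $IP_MAIL port $PORT_MAIL

pass out all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only) before loading it with `pfctl -f /etc/pf.conf`.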
 
I suspect the problem is not PF but the fact that "localhost" always points to 127.0.0.1, which is still the host's IP address!
Try the actual ip of the jail (or its distinct loopback address if it has one) and it should work. Some services that rely on "localhost" might require you to tweak the /etc/hosts as well.


BTW: I usually assign only addresses in the loopback prefix on loopback devices (i.e. 127.0.1.0/24 on lo1) so it is perfectly clear in any logs or traffic flows that they reside on a loopback device, not on a device in the internal network. This also prevents any leakage, e.g. due to fat-fingering a PF rule, because 127.0.0.0/8 addresses are never routed anywhere outside of the box.
Actually connecting the services in jails to the outer world (possibly with their own IP) is exclusively handled by PF 'rdr' and 'nat' rules. This also keeps the routing tables of jails on a bare minimum (only a default route is needed, e.g. 127.0.1.1) even if the host resides in multiple networks and the jail/service should be accessible from all/some/none of them (all handled in PF, not with routing entries).
 