Solved New VPS, NAT question

Hello,

I have acquired a new VPS and I am trying to write the /etc/pf.conf rules for it.
As the firewall is dealt with by the VPS provider, and they deal with DNS and IP, my question is:
Do I need to create any NAT rules in my config files?
I have access to only 1 public IP and have got 1 network interface...

I am not sure if the jails inside the FreeBSD host need to be NAT to lo1 or not. Do I need to set Stateful Tracking Options ?

Thank you for your advice
 
You don't need NAT for the machine to access the internet. You may need NAT if you have jails bound to lo1 for example. The NAT would be needed for the jails to access the internet, the host doesn't need it.
 
Thank you SirDice
In that case I use jails, so I had better look into adding this rule.
Could you please tell me what is the difference between using
Code:
scrub in all no-df max-mss 1440
and
Code:
scrub  log on $ExtIf all reassemble tcp fragment reassemble
I also came across
Code:
scrub out log on $ExtIf all random-id min-ttl 15 set-tos 0x1c fragment reassemble
 
And another one that I am confused with are:
Code:
TcpState ="flags S/SA synproxy state"
and
Code:
TcpState ="flags S/SA modulate state"
 

You don't need to use either of the state options, they are for very special use cases. Especially the synproxy option should never be on by default.
 
You may need NAT if you have jails bound to lo1 for example. The NAT would be needed for the jails to access the internet
I created a rule to nat the jails using nat on $ExtIf from $JailIf:network to any -> ($ExtIf) but I get the error message
Code:
no IP address found for lo1:network
Do I need to assign an IP address to the cloned interface? This is how the jails' IPs were created.
Code:
cloned_interfaces="${cloned_interfaces} lo1"  # allows loopback isolation in the jail
ifconfig_xn0_alias0="inet 10.8.20.10 netmask 255.255.255.255" # website www.domain1.com
ifconfig_xn0_alias1="inet 10.8.20.11 netmask 255.255.255.255" # hiawatha web proxy server
ifconfig_xn0_alias2="inet 10.8.20.12 netmask 255.255.255.255" # mariaDB database server
ifconfig_xn0_alias3="inet 10.8.20.13 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias4="inet 10.8.20.14 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias5="inet 10.8.20.15 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias6="inet 10.8.20.16 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias7="inet 10.8.20.17 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias8="inet 10.8.20.18 netmask 255.255.255.255" # unallocated
ifconfig_xn0_alias9="inet 10.8.20.19 netmask 255.255.255.255" # unallocated
 
Umm, I just realised by reading my previous event that I set the jails to xn0 and not lo1.
Once I have sorted this out, will this be OK to solve the issue?
Code:
ipv4_addrs_lo1="192.168.0.1-9/29"
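To put SirDice's answer and the "no IP address found for lo1:network" error together, here is an added example (not from the thread) of a minimal /etc/pf.conf for this layout: one public interface, jails on lo1, outbound NAT for the jails only. The macro names, the 10.8.20.0/24 jail network and the SSH rule are assumptions; xn0, lo1 and the 10.8.20.x addresses come from the thread.

```pf
# Added example, not from the thread. Assumes the jails sit on lo1 and the
# host's single public interface is xn0 (as in the thread).
ExtIf  = "xn0"
JailIf = "lo1"

# $JailIf:network only resolves if lo1 actually carries an address; pf reports
# "no IP address found for lo1:network" when it has none. Give lo1 addresses
# with a real netmask in /etc/rc.conf, for example (assumed network):
#   cloned_interfaces="lo1"
#   ipv4_addrs_lo1="10.8.20.10-19/24"
# With /32 aliases, :network would expand to single hosts instead of a subnet.
JailNet = $JailIf:network

set skip on lo0
scrub in all fragment reassemble

# Outbound NAT for the jails only; the host itself needs no NAT.
# ($ExtIf) in parentheses re-reads the address if the VPS IP ever changes.
nat on $ExtIf inet from $JailNet to any -> ($ExtIf)

# Default deny inbound, allow the host and jails out, keep state on everything.
block in log all
pass out quick on $ExtIf inet keep state
# Host-to-jail and jail-to-jail traffic on lo1
pass quick on $JailIf

# Management access to the host: plain keep state, no synproxy/modulate needed.
pass in on $ExtIf inet proto tcp from any to ($ExtIf) port 22 flags S/SA keep state

# Check syntax before loading:  pfctl -nf /etc/pf.conf   then:  service pf reload
```

Services inside the jails that must be reachable from outside still need their own `rdr` rules (or a `pass in` on the jail address if the jail IP is itself routable), which this example leaves out.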
 