Hey guys,
I'm having an issue with my current setup: I have nginx running inside of a jail, and PF is supposed to be configured to NAT connections to 80/443 to the jail. However, tcpdump is showing that while HTTP traffic gets to the host, it does not get to the jail, or through the NAT from what I can tell. nginx is configured to listen on 10.0.0.1:80 and 10.0.0.1:443, and I haven't seen any issues on startup or in error logs.
I can't see any reason that this isn't working, hence my being at a complete loss. Any help is appreciated!
Relevant info is below:
pf.conf
Code:
ext_if = "vtnet0"
int_if = "lo1"
jail_net = $int_if:network
ngx_ip = "10.0.0.1"
ngx_ports = "{ 80, 443 }"
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr pass on $ext_if inet proto tcp to port $ngx_ports -> $ngx_ip
block all
pass from { lo0, $jail_net } to any keep state
pass in inet proto tcp to $ext_if port ssh
pass out all keep state
pfctl -sa
Code:
TRANSLATION RULES:
nat on vtnet0 inet from 10.0.0.0/24 to any -> (vtnet0) round-robin
rdr pass on vtnet0 inet proto tcp from any to any port = http -> 10.0.0.1
rdr pass on vtnet0 inet proto tcp from any to any port = https -> 10.0.0.1
FILTER RULES:
block drop all
pass inet from 127.0.0.1 to any flags S/SA keep state
pass inet from 10.0.0.0/24 to any flags S/SA keep state
pass in inet proto tcp from any to 107.191.40.105 port = ssh flags S/SA keep state
pass inet6 from ::1 to any flags S/SA keep state
pass on lo0 inet6 from fe80::1 to any flags S/SA keep state
pass out all flags S/SA keep state
STATES:
all tcp 107.191.40.105:22 <- xxxxxx:59016 ESTABLISHED:ESTABLISHED
INFO:
Status: Enabled for 0 days 15:42:44 Debug: Urgent
State Table Total Rate
current entries 1
searches 9306 0.2/s
inserts 678 0.0/s
removals 677 0.0/s
Counters
match 1470 0.0/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 5 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
table-entries hard limit 200000
TABLES:
OS FINGERPRINTS:
710 fingerprints loaded
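One useful reading of the pfctl -sa output above is that the STATES section holds only the ssh session: neither rdr rule has produced a state, which agrees with what tcpdump showed. The script below is an added example (not code from the post, and not part of PF or FreeBSD) that parses pfctl -sa output, lists the rdr rules, checks whether any state already reaches each rdr target, and reports non-zero counters such as state-mismatch. The SAMPLE text is an abridged copy of the output in the post; SAMPLE_WITH_RDR_STATE adds a constructed state line in the format pf is assumed to print for a redirected connection (pre-translation address in parentheses), to show what a working rdr looks like to the checker.

```python
"""Summarise `pfctl -sa` output: rdr rules, whether a state reaches each
rdr target, and non-zero counters.  Added example, not from the post."""
import re

# Constructed sample: abridged copy of the pfctl -sa output in the post.
SAMPLE = """TRANSLATION RULES:
nat on vtnet0 inet from 10.0.0.0/24 to any -> (vtnet0) round-robin
rdr pass on vtnet0 inet proto tcp from any to any port = http -> 10.0.0.1
rdr pass on vtnet0 inet proto tcp from any to any port = https -> 10.0.0.1
FILTER RULES:
block drop all
pass inet from 10.0.0.0/24 to any flags S/SA keep state
pass in inet proto tcp from any to 107.191.40.105 port = ssh flags S/SA keep state
pass out all flags S/SA keep state
STATES:
all tcp 107.191.40.105:22 <- xxxxxx:59016       ESTABLISHED:ESTABLISHED
INFO:
Status: Enabled for 0 days 15:42:44           Debug: Urgent
State Table                          Total             Rate
  searches                            9306            0.2/s
Counters
  match                               1470            0.0/s
  state-mismatch                         5            0.0/s
  synproxy                               0            0.0/s
TIMEOUTS:
tcp.first                   120s
"""

# Constructed: the STATES section once an rdr rule has matched a connection
# (assumed pf format: translated endpoint shown in parentheses).
SAMPLE_WITH_RDR_STATE = SAMPLE.replace(
    "STATES:\n",
    "STATES:\nvtnet0 tcp 10.0.0.1:80 (107.191.40.105:80) <- 198.51.100.7:44321"
    "       ESTABLISHED:ESTABLISHED\n",
)

SERVICES = {"http": 80, "https": 443, "ssh": 22}  # names pfctl prints for ports
SECTION_RE = re.compile(r"^[A-Z][A-Z ]+:$")
RDR_RE = re.compile(
    r"^rdr(?:\s+pass)?\s+on\s+(?P<iface>\S+).*?proto\s+(?P<proto>\S+)"
    r".*?port\s*=\s*(?P<port>\S+)\s+->\s+(?P<target>\S+)"
)
ENDPOINT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)")
COUNTER_RE = re.compile(r"^\s*(?P<name>[a-z-]+)\s+(?P<value>\d+)\s+\S+/s$")


def parse_sections(text):
    """Split pfctl -sa output into {'TRANSLATION RULES': [lines], ...}."""
    sections, current = {}, None
    for line in text.splitlines():
        if SECTION_RE.match(line):
            current = line.rstrip(":")
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def rdr_rules(text):
    """Return the rdr rules as dicts with iface, proto, numeric port, target."""
    rules = []
    for line in parse_sections(text).get("TRANSLATION RULES", []):
        m = RDR_RE.match(line)
        if m:
            port = m["port"]
            rules.append({
                "iface": m["iface"],
                "proto": m["proto"],
                "port": int(port) if port.isdigit() else SERVICES.get(port),
                "target": m["target"],
            })
    return rules


def state_endpoints(text):
    """Every ip:port endpoint that appears in the STATES section."""
    endpoints = set()
    for line in parse_sections(text).get("STATES", []):
        for ip, port in ENDPOINT_RE.findall(line):
            endpoints.add((ip, int(port)))
    return endpoints


def rdr_state_report(text):
    """Map each rdr target (ip, port) to whether some state already reaches it.
    A target that never appears in STATES has not matched any connection."""
    reached = state_endpoints(text)
    return {(r["target"], r["port"]): (r["target"], r["port"]) in reached
            for r in rdr_rules(text)}


def nonzero_counters(text):
    """Non-zero entries from the Counters block of the INFO section."""
    counters, in_counters = {}, False
    for line in parse_sections(text).get("INFO", []):
        if line.strip() == "Counters":
            in_counters = True
            continue
        m = COUNTER_RE.match(line) if in_counters else None
        if m and int(m["value"]):
            counters[m["name"]] = int(m["value"])
    return counters


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_WITH_RDR_STATE):
        for (ip, port), seen in rdr_state_report(sample).items():
            print(f"rdr -> {ip}:{port}: {'state present' if seen else 'no state yet'}")
        print("non-zero counters:", nonzero_counters(sample))
        print()
```

Run it against a saved copy of your own `pfctl -sa` output while a test connection to port 80 is open: if the rdr target still shows "no state yet", the packet is not matching the rdr rule at all, which narrows the search to the translation rule and interface rather than the jail's nginx or the filter rules.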