Hey,
Could anyone please explain why my traffic is being dropped in PF.
I will attach my pf.conf below.
My interjail traffic is being dropped.
So far its only been for jplex.
What i've tried so far.
Restarted PF instead of reloading.
Added these rules;
After that it still drops the traffic inside the jail.
Im probably missing something.
My pf.conf:
pflog0 output:
Could anyone please explain why my traffic is being dropped in PF.
I will attach my pf.conf below.
My interjail traffic is being dropped.
So far its only been for jplex.
What i've tried so far.
Restarted PF instead of reloading.
Added these rules;
Code:
pass on $jif inet proto tcp from $jplex to any
pass on $jif inet proto tcp from any to $jplexAfter that it still drops the traffic inside the jail.
Im probably missing something.
My pf.conf:
Code:
###############################################################################
### Macros
ext_if="bge0"
jif="lo1" # jail interface
me="192.168.1.200" # sometimes this is useful to have =)
host="10.10.0.1"
# Jails VLAN
jailnetwork="10.10.0.0/16"
# Jail IPs
jweb="10.10.0.10"
jtorrent="10.10.0.15"
jsamba="10.10.0.20"
jafp="10.10.0.25"
jftp="10.10.0.30"
jircd="10.10.0.50"
jtor="10.10.0.70"
jdns="10.10.0.100"
jsonarr="10.10.0.120"
jcouchpotato="10.10.0.130"
jbot="10.10.0.150"
jplex="10.10.0.200"
jarchive="10.10.0.201"
###############################################################################
### Tables
#table <ssh_whitelist> persist file "/etc/pf.d/ssh_whitelist" # explicit whitelist
#table <http_whitelist> persist file "/etc/pf.d/http_whitelist"
#table <webmin_whitelist> persist file "/etc/pf.d/webmin_whitelist"
table <samba_whitelist> persist file "/etc/pf.d/samba_whitelist"
#table <blacklist> persist file "/etc/pf.d/blacklist" # explicit blacklist
###############################################################################
### Global options
set block-policy drop
set skip on lo0
#set skip on $jif
# Increase PF limits
set limit { states 40000, frags 20000, src-nodes 20000 }
set timeout { adaptive.start 18000, adaptive.end 39000 }
###############################################################################
### Traffic normalisation
scrub in all
###############################################################################
### Queueing rules
###############################################################################
### Translation rules (NAT)
nat on egress from $jif:network to any -> (egress:0)
# rdr log (all) on ...
rdr on egress inet proto { tcp } to (egress) port { http, https, 8000 } -> $jweb
rdr on egress inet proto { tcp, udp } to (egress) port { 137, 138, 139, 445 } -> $jsamba
rdr on egress inet proto { tcp } to (egress) port { 20, 21, 1023, 35000:35999 } -> $jftp
rdr on egress inet proto { tcp } to (egress) port { 6667, 6697, 6678, 6679 } -> $jircd
rdr on egress inet proto { tcp, udp } to (egress) port { 53 } -> $jdns
rdr on egress inet proto { tcp } to (egress) port { 8112 } -> $jtorrent
rdr on egress inet proto { tcp } to (egress) port { 548, 4700, 5353, 44529 } -> $jafp
rdr on egress inet proto { tcp } to (egress) port { 32400, 1900, 3005, 8324, 32410, 32412, 32413, 32414, 32469 } -> $jplex
rdr on egress inet proto { tcp } to (egress) port { 8989 } -> $jsonarr
rdr on egress inet proto { tcp } to (egress) port { 5050 } -> $jcouchpotato
###############################################################################
### Filter rules
antispoof quick for egress
antispoof quick for ($jif)
### Lets get this out of the way first
#block in quick from <blacklist>
### Default policy
block quick inet6
block quick inet proto igmp
block in log (all)
pass out on egress inet keep state
### block in
# everything is blocked by default, this section is only here for symmerty
### pass in on host
# allow:
pass in on egress inet proto { tcp } from { any } to (egress) port ssh # SSH
#pass in on egress inet proto { udp } from { any } to (egress) port { 9987 } # TS3
#pass in on egress inet proto { tcp } from { any } to (egress) port { 30033, 10011, 41144 } # TS3
## pass in on jails
# Allow LAN -> jails.
pass in on egress inet proto { tcp } from { any } to $jweb port { http, https, 8000 } # nginx webpool
pass in on egress inet proto { tcp, udp } from { any } to $jsamba port { 137, 138, 139, 445 } # Samba Backup/Pool.
pass in on egress inet proto { tcp } from { any } to $jftp port { 20, 21, 1023, 35000:35999 } # FTP
pass in on egress inet proto { tcp } from { any } to $jircd port { 6667, 6697, 6678, 6679 } # IRC
pass in on egress inet proto { tcp, udp } from { any } to $jdns port { 53 } # BIND/DNS
pass in on egress inet proto { tcp } from { any } to $jtorrent port { 8112 } # Deluge
pass in on egress inet proto { tcp } from { any } to $jafp port { 4700, 548, 5353, 44529 } # AFP TimeMachine
pass in on egress inet proto { tcp, udp } from { any } to $jplex port { 32400, 1900, 3005, 8324, 32410, 32412, 32413, 32414, 32469 } # Plex.
pass in on egress inet proto { tcp } from { any } to $jsonarr port { 8989 } # Sonarr
pass in on egress inet proto { tcp } from { any } to $jcouchpotato port { 5050 } # Couchpotato
## Allow broadcasts.
#pass in on $ext_if proto udp to 255.255.255.255 keep state
#pass in on $ext_if proto udp to $ext_if:broadcast keep state
### inter-jail communication rules
## allow connection to ``self''
pass on $jif inet proto { tcp, udp } from $jweb to $jweb
pass on $jif inet proto { tcp, udp } from $jftp to $jftp
pass on $jif inet proto { tcp, udp } from $jsamba to $jsamba
pass on $jif inet proto { tcp, udp } from $jircd to $jircd
pass on $jif inet proto { tcp, udp } from $jtor to $jtor
pass on $jif inet proto { tcp, udp } from $jdns to $jdns
pass on $jif inet proto { tcp, udp } from $jtorrent to $jtorrent
pass on $jif inet proto { tcp, udp } from $jbot to $jbot
pass on $jif inet proto { tcp, udp } from $jarchive to $jarchive
pass on $jif inet proto { tcp, udp } from $jafp to $jafp
pass on $jif inet proto { tcp, udp } from $jplex to $jplex
pass on $jif inet proto { tcp, udp } from $jsonarr to $jsonarr
pass on $jif inet proto { tcp, udp } from $jcouchpotato to $jcouchpotato
### let jails use other jails/host.
## Plex
pass on $jif inet proto tcp from $jplex to any
pass on $jif inet proto tcp from any to $jplex
### Socks Proxy
pass on $jif inet proto { tcp } from $jtorrent to localhost port { 9050 }
## DNS
# Let them use internal DNS:
pass on $jif inet proto { tcp, udp } from $jif:network to $jdns port domain
### Allow host to Jails.
## DNS
pass on $jif inet proto { tcp, udp } from $host to $jdns port domain
## IRC
pass on $jif inet proto { tcp } from $host to $jircd port { 6667, 6697, 6679 }
pass on $jif inet proto { tcp } from $jbot to $jircd port { 6667, 6697 }
## WEB
pass on $jif inet proto { tcp } from $jweb to $jarchive port 8080
## Sonarr/Couchpotato
# Let Jails use deluge.
pass on $jif inet proto { tcp } from $jsonarr to $jtorrent port 8112
pass on $jif inet proto { tcp } from $jcouchpotato to $jtorrent port 8112
## TOR
# Let host/jails access TOR
pass on $jif inet proto { tcp } from $host to $jtor port 9050
pass on $jif inet proto { tcp } from $jsonarr to $jtor port 9050pflog0 output:
Code:
00:00:01.315191 rule 5/0(match): block in on lo1: 10.10.0.200.33875 > 10.10.0.200.64742: tcp 0
00:00:03.115129 rule 5/0(match): block in on lo1: 10.10.0.200.40819 > 10.10.0.200.64977: tcp 0
00:00:01.801954 rule 5/0(match): block in on lo1: 10.10.0.200.40819 > 10.10.0.200.64959: tcp 0
00:00:00.411804 rule 5/0(match): block in on lo1: 10.10.0.200.40819 > 10.10.0.200.64961: tcp 0
00:00:01.235764 rule 5/0(match): block in on lo1: 10.10.0.200.40819 > 10.10.0.200.64874: tcp 0
00:00:05.213628 rule 5/0(match): block in on lo1: 10.10.0.200.40819 > 10.10.0.200.64930: tcp 0
00:00:04.756590 rule 5/0(match): block in on lo1: 10.10.0.200.40819 > 10.10.0.200.64924: tcp 0
00:00:00.713631 rule 5/0(match): block in on lo1: 10.10.0.200.40819 > 10.10.0.200.64955: tcp 0
00:00:00.213242 rule 5/0(match): block in on lo1: 10.10.0.200.40819 > 10.10.0.200.64956: tcp 0