Hello
Apart from one problem I have had, where my firewall is not blocking the addresses from a table (I have not yet discovered why), it works correctly (though surely it can be improved; I am a novice).
On my server I use jails to separate the various services. Today they have assigned me new services and new IP addresses, but because NAT stopped an Apache service I have in another jail from working, I think it is a bad configuration of the routes or of the NAT for the services.
I followed these steps:
Jail IP (on lo1 there are other jails for other "public" IPs):
Code:
# ifconfig lo create
lo2
# ifconfig lo2 10.0.1.10 netmask 255.255.255.128 broadcast 10.0.1.127
# ifconfig em0 {IPPUBLIC2} netmask {MASK} broadcast {BROADCAST}
# route add {IPPUBLIC2}.0/27 -iface em0
My PF is this (it includes the newly added blocks, which are replicated from the previous configuration):
Code:
ext_if="em0"
int_if="lo1"
loop="lo0"
# ADDED: one loopback interface per new jail
int_web2="lo2"
int_web3="lo3"
int_web4="lo4"
int_net="10.0.0.0/26"
IP_PUB="PUBLIC1"
#ADDED: public addresses of the new jails
ip_pub_web02="PUBLIC2"
ip_pub_web03="PUBLIC3"
ip_pub_web04="PUBLIC4"
ip_jail="10.0.0.10"
#ADDED: private (jail) addresses of the new jails
ip_jail_web02="10.0.1.10"
ip_jail_web03="10.0.2.10"
ip_jail_web04="10.0.3.10"
www_service="{80}"
set optimization normal
set block-policy drop
set skip on $loop
set loginterface $ext_if
scrub in on $ext_if all
# outbound NAT and inbound redirection for the main jail
nat pass on $ext_if from $int_if:network to any -> $IP_PUB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $www_service -> $ip_jail
#ADDED (the nat line is the one I commented out after the error described below)
#nat pass on $ext_if from $int_web2:network to any -> $ip_jail_web02
rdr pass on $ext_if proto tcp from any to $ip_pub_web02 port http -> $ip_jail_web02
rdr pass on $ext_if proto tcp from any to $ip_pub_web02 port https -> $ip_jail_web02
# default deny, abusive-host table and antispoof
block in all
block log all
table <abusive_hosts> persist
block quick from <abusive_hosts>
antispoof quick for $ext_if
# inbound web traffic to the main jail
pass in quick on $ext_if proto tcp from any to $IP_PUB port $www_service flags S/SA synproxy state
#ADDED: inbound web traffic to the new jail
pass in quick on $ext_if proto tcp from any to $ip_pub_web02 port http flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $ip_pub_web02 port https flags S/SA synproxy state
# traffic between the host and the jail loopback networks
pass in quick on $int_if from $int_if:network to any
pass out quick on $int_if from any to $int_if:network
#ADDED
pass in quick on $int_web2 from $int_web2:network to any
pass out quick on $int_web2 from any to $int_web2:network
# outbound traffic from the host
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { icmp, udp } all keep state
I check my file with:
Code:
pfctl -vnf /etc/pf.conf
and load it with:
Code:
pfctl -F all -f /etc/pf.conf
Once the new firewall rules had been loaded, my main jail with mod_proxy stopped responding, returning a bad gateway error. I had to comment out the
Code:
nat pass on $ext_if from $int_web2:network to any -> $ip_jail_web02
line so that it would work again (in fact, during the first minutes it showed the same error randomly; it seems that after a few minutes it stabilized and no longer causes NAT table errors?).
I have checked the file several times, I have done several tests, I have read documentation, and in my opinion it does not seem wrong. Is this right? What can be the cause of the error?
Now I am unsure whether it fails only occasionally, because at one point I commented out that line and reloaded the firewall rules, and during the first minutes it also returned a "bad gateway" error, but after a few minutes/seconds it has not shown the error again (which could be because the NAT table was empty or still held something from the previous rules?).
Thanks.
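An added lint (my own example, not the poster's configuration nor a pf tool) that expands pf.conf macros and flags nat rules whose translation target is a private address, which is what the commented-out rule above does with $ip_jail_web02; the third rule in the constructed excerpt, translating to $ip_pub_web02 in the same pattern as the existing $IP_PUB rule, is my assumed corrected form.

```python
# Lint pf.conf nat rules that translate to a private (RFC 1918) address.
import ipaddress
import re
# Constructed excerpt of the post's pf.conf; PUBLIC1/PUBLIC2 are opaque placeholders.
PF_CONF = """\
ext_if="em0"
int_if="lo1"
int_web2="lo2"
IP_PUB="PUBLIC1"
ip_pub_web02="PUBLIC2"
ip_jail_web02="10.0.1.10"
nat pass on $ext_if from $int_if:network to any -> $IP_PUB
#nat pass on $ext_if from $int_web2:network to any -> $ip_jail_web02
nat pass on $ext_if from $int_web2:network to any -> $ip_pub_web02
"""
MACRO_RE = re.compile(r'^(\w+)="([^"]*)"$')
NAT_RE = re.compile(r'^nat\b.*->\s*(\S+)')

def parse_macros(conf):
    macros = {}  # name -> value for every name="value" line
    for line in conf.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def is_private(addr):
    try:  # placeholders such as PUBLIC2 are not addresses and are not judged
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def private_nat_targets(conf, include_commented=False):
    """Return (line_no, rule, target) for nat rules whose target is private."""
    macros = parse_macros(conf)
    hits = []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            if not include_commented:
                continue
            line = line.lstrip("# ")  # also inspect disabled rules
        m = NAT_RE.match(line)
        if m:
            token = m.group(1).lstrip("$")
            target = macros.get(token, token)  # expand macro or keep literal
            if is_private(target):
                hits.append((n, line, target))
    return hits
```

Run with include_commented=True to see the disabled rule reported as translating to 10.0.1.10, while the active rules pass.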