PF PF: Lost packets (or connections) with NAT and new IPs

Hello

Apart from a problem I've had in which my firewall is not blocking the addresses from a table (I have not yet discovered why), it works correctly (though surely it can be improved; I am a novice).

On my server, I use jails to separate the various services. Today they have assigned me new services and new IP addresses, but because NAT stopped an Apache service I have in another jail from working, I think there is a bad configuration in the routes or in the NAT of the services.

I followed the following steps:

Jail IP (on lo1 there are other jails for other "public" IPs):
Code:
# ifconfig lo create
lo2
# ifconfig lo2 10.0.1.10 netmask 255.255.255.128 broadcast 10.0.1.127

# ifconfig em0 {IPPUBLIC2} netmask {MASK} broadcast {BROADCAST}
# route add {IPPUBLIC2}.0/27 -iface em0
My pf.conf is this (it includes the newly added blocks, which replicate the previous configuration):
Code:
ext_if="em0"
int_if="lo1"
loop="lo0"
# ADDED
int_web2="lo2"
int_web3="lo3"
int_web4="lo4"

int_net="10.0.0.0/26"

IP_PUB="PUBLIC1"
#ADDED
ip_pub_web02="PUBLIC2"
ip_pub_web03="PUBLIC3"
ip_pub_web04="PUBLIC4"

ip_jail="10.0.0.10"
#ADDED
ip_jail_web02="10.0.1.10"
ip_jail_web03="10.0.2.10"
ip_jail_web04="10.0.3.10"

www_service="{80}"

set optimization normal
set block-policy drop
set skip on $loop
set loginterface $ext_if

scrub in on $ext_if all

nat pass on $ext_if from $int_if:network to any -> $IP_PUB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $www_service -> $ip_jail
#ADDED
#nat pass on $ext_if from $int_web2:network to any -> $ip_jail_web02
rdr pass on $ext_if proto tcp from any to $ip_pub_web02 port http -> $ip_jail_web02
rdr pass on $ext_if proto tcp from any to $ip_pub_web02 port https -> $ip_jail_web02

block in all
block log all

table <abusive_hosts> persist
block quick from <abusive_hosts>

antispoof quick for $ext_if

pass in quick on $ext_if proto tcp from any to $IP_PUB port $www_service flags S/SA synproxy state
#ADDED
pass in quick on $ext_if proto tcp from any to $ip_pub_web02 port http flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $ip_pub_web02 port https flags S/SA synproxy state

pass in quick on $int_if from $int_if:network to any
pass out quick on $int_if from any to $int_if:network
#ADDED
pass in quick on $int_web2 from $int_web2:network to any
pass out quick on $int_web2 from any to $int_web2:network

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { icmp, udp } all keep state

I check my file with pfctl -vnf /etc/pf.conf and load it with pfctl -F all -f /etc/pf.conf. Once the new firewall rules had been loaded, my main jail with mod_proxy stopped responding, returning a bad gateway error. I had to comment out the
Code:
nat pass on $ext_if from $int_web2:network to any -> $ip_jail_web02
line so that it would work again (in fact, for the first few minutes it showed the same error randomly; it seems that after a few minutes it remained stable and does not cause NAT table errors?).

I have checked the file several times, done several tests, and read documentation, and in my opinion it does not seem wrong. Is this right? What can be the cause of the error?

Now I am uncertain whether it fails occasionally :(, because when I commented out that line and reloaded the firewall rules, the first minutes also returned a "bad gateway" error, but after a few minutes/seconds I have not detected the error again (which could be because the NAT table was empty or still had something from the previous rules?).

Thanks.
 
UPDATE:

The jail has access from the outside, so the port mapping works :).

The connection error for a few seconds was due to the grace time to know if this was raised :rolleyes:.
[ What? -- Mod]

But I cannot find the NAT error :confused:

Thanks.
 
All right. So if I get this, you have four public IP addresses, which you use the IP_PUB_* variables for. You have four jails bound to a loopback with addresses in 10.0.0.0/8, and you use the IP_JAIL_* variables for those. Your goal is that reply traffic leaving from the jails gets NAT'ed to the correct IP address. Does that sound accurate?

Here is what I see. This line should NAT to an address that is still internal to your network.
Code:
nat pass on $ext_if from $int_web2:network to any -> $ip_jail_web02

At a minimum, this may be more appropriate and would accommodate each jail having the public address you want.
Code:
nat pass on $ext_if from $ip_jail_web02 to any -> $ip_pub_web02
nat pass on $ext_if from $ip_jail_web03 to any -> $ip_pub_web03
nat pass on $ext_if from $ip_jail_web04 to any -> $ip_pub_web04
Let me know if that makes sense. I haven't tested the rules above, but that should get you on track.
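To make the per-jail mapping concrete, here is an added example of the translation and filter section assembled for all three new jails (this is not the poster's final config, nor tested rules from the reply above). It keeps the thread's macros and placeholders (PUBLIC2..4, 10.0.{1,2,3}.10) and assumes each jail should only be reachable on http and https.

```pf
# Added example for this thread; PUBLIC2..PUBLIC4 are placeholders, not real addresses.
ext_if="em0"
int_web2="lo2"
int_web3="lo3"
int_web4="lo4"

ip_pub_web02="PUBLIC2"
ip_pub_web03="PUBLIC3"
ip_pub_web04="PUBLIC4"

ip_jail_web02="10.0.1.10"
ip_jail_web03="10.0.2.10"
ip_jail_web04="10.0.3.10"

www_ports="{ http, https }"

scrub in on $ext_if all

# Outbound: rewrite each jail's source address to ITS OWN public IP.
# The original rule translated to $ip_jail_web02, a private 10.x address
# that is not routable from the internet, so replies could never return.
nat pass on $ext_if from $ip_jail_web02 to any -> $ip_pub_web02
nat pass on $ext_if from $ip_jail_web03 to any -> $ip_pub_web03
nat pass on $ext_if from $ip_jail_web04 to any -> $ip_pub_web04

# Inbound: redirect only the web ports of each public IP to its jail.
rdr pass on $ext_if proto tcp from any to $ip_pub_web02 port $www_ports -> $ip_jail_web02
rdr pass on $ext_if proto tcp from any to $ip_pub_web03 port $www_ports -> $ip_jail_web03
rdr pass on $ext_if proto tcp from any to $ip_pub_web04 port $www_ports -> $ip_jail_web04

# Default deny; anything not explicitly passed below is dropped and logged.
block in all
block log all
antispoof quick for $ext_if

# Only the redirected web ports are accepted from the outside.
pass in quick on $ext_if proto tcp from any to $ip_pub_web02 port $www_ports flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $ip_pub_web03 port $www_ports flags S/SA synproxy state
pass in quick on $ext_if proto tcp from any to $ip_pub_web04 port $www_ports flags S/SA synproxy state

# Traffic between the host and each jail's loopback network.
pass in quick on $int_web2 from $int_web2:network to any
pass out quick on $int_web2 from any to $int_web2:network
pass in quick on $int_web3 from $int_web3:network to any
pass out quick on $int_web3 from any to $int_web3:network
pass in quick on $int_web4 from $int_web4:network to any
pass out quick on $int_web4 from any to $int_web4:network

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { icmp, udp } all keep state
```

After loading, `pfctl -s nat` shows the translation rules as parsed and `pfctl -s state` lets you confirm that a jail's outbound connections appear with the expected public source address.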
 