Good day,
I had a problem with a service provider that annoyed me to the point that I removed my wireless router and several other pieces of equipment to put my dual interface server as the gateway right after the cable modem.
I'm running FreeBSD 10-Release #4 r261677
The interfaces are em0 (external), em1 (internal) and lo1 where all my service providing jails live.
I'm not posting my /etc/pf.conf as it is a monster due to all the jails and a need to keep the configuration pseudo-private.
Here are the issues:
em0 is DHCP
em1 is on 192.168.0.1
lo1 has an initial address of 127.0.0.2 and has jails on a totally different address space in the 172.x.x.x arena.
I have several problems with outbound and inbound.
I thought I understood rdr and NAT but something doesn't seem to be behaving as I think it should.
Basically, I have specific jails handling specific functions.
On lo1 I have 20 jails that are of the form:
172.1.1.1 DNS
172.1.1.2 Mail (25,143,etc)
172.1.1.3 Web (80, 443, etc)
I'd like to just have all incoming connections on em0 to the well-known ports get redirected to the services on the loopback jails.
In /etc/pf.conf:
Code:
nat on em0 from any to any -> (em0)
rdr proto tcp from ( em0 ) to any port 53 -> 172.1.1.1 port 53
rdr proto udp from ( em0 ) to any port 53 -> 172.1.1.1 port 53
rdr proto tcp from ( em0 ) to any port 25 -> 172.1.1.2 port 25
rdr proto tcp from ( em0 ) to any port 465 -> 172.1.1.2 port 465
rdr proto tcp from ( em0 ) to any port 143 -> 172.1.1.2 port 143
rdr proto tcp from ( em0 ) to any port 993 -> 172.1.1.2 port 993
rdr proto tcp from ( em0 ) to any port 110 -> 172.1.1.2 port 110
rdr proto tcp from ( em0 ) to any port 995 -> 172.1.1.2 port 995
rdr proto tcp from ( em0 ) to any port 80 -> 172.1.1.3 port 80
rdr proto tcp from ( em0 ) to any port 443 -> 172.1.1.3 port 443
block in log quick on em0 inet from self to any no state
pass log quick on loopback inet from any to any
pass log quick on lo1 inet from any to any
pass log quick inet from 192.168.0.0/24 to any
pass log quick on em0 inet proto udp from any to any port { 5036, 4569, 2727, 9998 >< 20002, 5060 }
pass log quick on em0 inet proto tcp from any to any port 5060
pass log quick inet proto tcp from any to 172.1.1.0/24 port { 53, 80, 443, 143, 993, 389, 636, 110, 995, 5432, 25, 465, 22 }
pass log quick inet proto udp from any to 172.1.1.0/24 port { 1194, 53, 135, 138, 137, 139, 123, 514, 33433 >< 33525 }
pass log quick inet proto tcp from any to 172.1.1.0/24 port { 8051, 4351, 2251, 8019, 4319, 2219, 8053, 4353, 2253, 8089, 4389, 2289, 8025, 4325, 2225, 8061, 4361, 2261, 8026, 4326, 2226, 8050, 4350, 2250, 2280 }
pass log quick inet proto tcp from any to 192.168.0.0/24 port { 53, 80, 443, 143, 993, 389, 636, 110, 995, 5432, 25, 465, 22 }
pass log quick inet proto udp from any to 192.168.0.0/24 port { 1194, 53, 135, 138, 137, 139, 123, 514, 33433 >< 33525 }
pass log quick inet proto tcp from any to 192.168.0.0/24 port { 8051, 4351, 2251, 8019, 4319, 2219, 8053, 4353, 2253, 8089, 4389, 2289, 8025, 4325, 2225, 8061, 4361, 2261, 8026, 4326, 2226, 8050, 4350, 2250, 2280 }
pass log quick on em0 inet proto tcp from any to any
pass log quick on em0 inet proto udp from any to any
pass log quick on em0 inet proto icmp from any to any
block log quick inet from any to any no state
Ok, so what's the problem behavior? If I try from the outside, I get "connection refused".
If I try putting in "any" for the ( em0 ) in the rdr rules, all my internal traffic bound for any of these ports externally goes to the internal machines.
So, is the problem in the nat/rdr rules or is it in the policy rules?
Thank you,
P.
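For the layout the post describes (em0 external on DHCP, em1 on 192.168.0.0/24, jails on lo1 in 172.1.1.0/24), here is the rdr form that keys on the destination address and is bound to em0, as an added example and not the poster's pf.conf; the macro names are assumed, the jail addresses come from the post.

```pf
# Added example, not the poster's configuration.  Only the jail addresses
# listed in the post are taken as given; everything else is assumed.
ext_if   = "em0"
int_if   = "em1"
jail_if  = "lo1"
jail_net = "172.1.1.0/24"
dns_jail  = "172.1.1.1"
mail_jail = "172.1.1.2"
web_jail  = "172.1.1.3"

# Outbound: masquerade LAN and jail traffic behind em0's current DHCP lease.
# "(em0)" in parentheses is re-evaluated when the lease changes; bare "em0" is not.
nat on $ext_if inet from { 192.168.0.0/24, $jail_net } to any -> ($ext_if)

# Inbound: "from (em0)" (the form in the post) matches packets whose SOURCE is
# em0's own address, which a connection from the Internet never has, so nothing
# is translated and the host itself answers "connection refused".  The redirect
# has to match on the DESTINATION, and "on em0" keeps it from also catching LAN
# clients on em1 that talk to any remote server on these ports.
rdr on $ext_if inet proto { tcp, udp } from any to ($ext_if) port 53 -> $dns_jail
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 25, 465, 110, 995, 143, 993 } -> $mail_jail
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } -> $web_jail

# Filter rules see the post-translation destination (rdr runs before filtering),
# so the pass rules must name the jail addresses, not em0.  State entries carry
# the reverse translation for the jails' replies going back out em0.
block in log on $ext_if
pass in on $ext_if inet proto { tcp, udp } from any to $dns_jail port 53 keep state
pass in on $ext_if inet proto tcp from any to $mail_jail port { 25, 465, 110, 995, 143, 993 } flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $web_jail port { 80, 443 } flags S/SA keep state
pass out on $ext_if keep state
pass on { $int_if, $jail_if } keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it (a malformed address such as a five-octet IP is rejected there, so none of the rules would have loaded), and confirm the translation rules with `pfctl -sn` afterwards.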