Hello
I have a server connected to the public network (em0) and internal (em1). On this server I have created jails for different services: web server, dns, etc. These jails have private ip, linked to the internal interface. I try to redirect the traffic from the external ip to internal ip of the jail, but I see no traffic in the jail. I do not understand what can go wrong, as I've tried many settings and I've even done the setup again, but does not redirect traffic to the jail. Does anyone can guide me?
rc.conf
pf.conf
Thanks !
Regards
I have a server connected to the public network (em0) and internal (em1). On this server I have created jails for different services: web server, dns, etc. These jails have private ip, linked to the internal interface. I try to redirect the traffic from the external ip to internal ip of the jail, but I see no traffic in the jail. I do not understand what can go wrong, as I've tried many settings and I've even done the setup again, but does not redirect traffic to the jail. Does anyone can guide me?
Code:
srv02# sysctl -a | grep forward
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0rc.conf
Code:
srv02# cat /etc/rc.conf
defaultrouter="188.X.X.X"
#static_routes="internal"
#route_internal="-net 10.0.0.0/8 10.0.10.1"
ifconfig_em0="inet 188.X.X.X netmask 255.255.255.0"
ifconfig_em0_alias0="inet 188.X.X.X netmask 255.255.255.0"
ifconfig_em1="inet 10.0.10.1 netmask 255.0.0.0"
ifconfig_em1_alias0="inet 10.21.1.1 netmask 255.0.0.0"
ifconfig_em1_alias0="inet 10.20.10.1 netmask 255.0.0.0"
cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 pass foo advskew 10 188.X.X.22 netmask 255.255.255.0"
ipv6_enable="YES"
hostname="srv01.firw.local"
gateway_enable="YES"
sshd_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
ezjail_enable="YES"pf.conf
Code:
# Interfaces
extif="em0"
intif="em1"
carpo="carp0"
carp0_ip="188.X.X.22"
intnet="{ 10.0.0.0/8 }"
webserver="188.X.X.22"
table <privnets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
icmp_types="echoreq"
set block-policy drop
set loginterface $extif
set skip on lo0
nat on $extif from $intif:network to any -> $extif
#HTTP, HTTPS
rdr on $extif proto {tcp, udp} from any to $webserver port {http, https} -> 10.20.10.1
rdr on $carpo proto {tcp, udp} from any to $webserver port {http, https} -> 10.20.10.1
block in log all
#pass quick on lo0 all
block in quick from urpf-failed
antispoof log quick for { $intif, $extif }
block drop quick on $extif from <privnets> to any
block drop quick on $extif from any to <privnets>
# WebServer jail HA
#pass in log on $extif inet proto tcp from any to $intif:network port { http, https } synproxy state
#pass out log on $intif inet proto tcp from any to $intif:network port { http, https } keep state
#pass in log on $extif inet proto tcp from any to $webserver port { http, https } synproxy state
#pass out log on $intif inet proto tcp from any to $extif port { http, https } keep state
pass in log on $extif proto { tcp, udp } from any to $intif:network port { http, https } flags S/SA synproxy state
pass in log on $carpo proto { tcp, udp } from any to $intif:network port { http, https } flags S/SA synproxy state
pass in log on $extif proto { tcp, udp } from any to $webserver port { http, https } flags S/SA synproxy state
pass in log on $carpo proto { tcp, udp } from any to $webserver port { http, https } flags S/SA synproxy state
pass in log on $intif proto { tcp, udp } from any to 10.20.10.1 port { http, https } flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $intif from $intif:network to any keep state
pass out quick on $intif from any to $intif:network keep state
pass out on $extif proto tcp all flags S/SA modulate state
pass out on $extif all keep stateThanks !
Regards
