[RESOLVED] Zabbix and jails redirection

/------------------------------ My host ------------------------------\
{ internet } --- { 82.36.74.191 - ExtFixIP } --- [ 192.168.0.1 - local gateway ] --- [ 192.168.0.198 - FreeBSD Host ] --- jails:
    |--- [ 192.168.0.115 ] webjail
    |--- [ 192.168.0.120 ] DBjail
    |--- [ 192.168.0.125 ] mailjail

Hello everyone,
I have 3 jails on my FreeBSD host...

I just finished installing zabbix-server and zabbix-agent on my host.
At the moment I haven't yet installed the agent on the jails, and it's a nightmare of its own...
Could someone help me to make sure TCP port 10050 is open?
So far I have the following in my pf.conf file:
Code:
ext_if="em0"
zabbix="{ 10050 }"
pass in on $ext_if proto tcp from any to ($ext_if) port $zabbix flags S/SA keep state
Do I need to do any redirection? Is the above rule enough?
 
Re: Zabbix and jails redirection

If you have a look at my howto here: http://forums.freebsd.org/viewtopic.php?f=39&t=30063 you'll see how to set it up. When it comes to opening a port only (from outside), you should have the following in the filtering section:

Code:
pass in quick proto tcp to 82.36.74.191 port 10050

Your pf.conf seems to be either incomplete or missing some parts you actually have there.
But you didn't share your intentions. I don't know where the service using 10050 is actually running.
 
Re: Zabbix and jails redirection

Sorry...
/etc/rc.conf
Code:
### Network configuration
ifconfig_bge0="inet 192.168.0.198 netmask 255.255.255.0"
defaultrouter="192.168.0.1"
### internal network configuration Jail interface aliases
ifconfig_bge0_alias0="inet 192.168.0.115 netmask 255.255.255.0" # webjail
ifconfig_bge0_alias1="inet 192.168.0.120 netmask 255.255.255.0" # sqljail
ifconfig_bge0_alias2="inet 192.168.0.125 netmask 255.255.255.0" # mailjail
/etc/pf.conf
Code:
### jail IPs
webjail   ="192.168.0.115"
sqljail   ="192.168.0.120"
mailjail ="192.168.0.125"

### jail Ports
webports ="{ http,https }"
sqlports ="{ 3306 }"
mailports ="{ 25 }"
zabbix= "{ 10050 }"

### nat all jail traffic
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)

### Translation
rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webjail
rdr on $ext_if proto tcp from any to $ext_if port $sqlports -> $sqljail
rdr on $ext_if proto tcp from any to $ext_if port $mailports -> $mailjail
pass in on $ext_if proto tcp from any to ($ext_if) port $zabbix flags S/SA keep state
... more rules below
The zabbix-server and zabbix-agent are running on the host (192.168.0.198) and zabbix listens on port 10050.
Now... this is where I lack knowledge, as I'm new to zabbix.
I don't know if the zabbix port is open externally or internally.
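Added example, not from the thread: a small Python client for a Zabbix passive check, to verify that whatever answers on 192.168.0.198:10050 really is the Zabbix agent and that it accepts the caller. Two assumptions: tcp/10050 is zabbix_agentd's default ListenPort (the server's own port, for active agents and trappers, is 10051), and the agent only replies to peers listed in the Server= directive of zabbix_agentd.conf; anyone else gets the connection closed without an answer. The fake agent, the ephemeral localhost port and the hostname value are constructed so the block runs offline.

```python
import socket
import struct
import threading

ZBX_HEADER = b"ZBXD\x01"          # "ZBXD" magic + protocol flag 0x01


def zbx_frame(payload):
    """Frame a message the Zabbix way: header, 8-byte little-endian length, data."""
    return ZBX_HEADER + struct.pack("<Q", len(payload)) + payload


def _recv_exact(sock, n):
    """Read exactly n bytes; b'' if the peer closed before sending anything."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            if buf:
                raise ConnectionError("peer closed mid-frame")
            return b""
        buf += chunk
    return bytes(buf)


def zbx_recv(sock):
    """Read one framed message; b'' if the peer closed without answering."""
    head = _recv_exact(sock, 13)
    if not head:
        return b""
    if head[:5] != ZBX_HEADER:
        raise ValueError("not a Zabbix frame: %r" % head[:5])
    (length,) = struct.unpack("<Q", head[5:])
    return _recv_exact(sock, length)


def agent_get(host, port, key, timeout=3.0):
    """Passive check against zabbix_agentd: ask for one item key.

    Returns the value as a string, the literal 'ZBX_NOTSUPPORTED...' text for
    an unknown key, or None when the agent dropped the connection without a
    reply, which is what it does when the caller's IP is not in its Server=
    list (a pf `block return` on the way would look the same to us)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(zbx_frame(key.encode()))
            data = zbx_recv(s)
    except (ConnectionResetError, BrokenPipeError):
        return None
    return data.decode(errors="replace") if data else None


def fake_agent(allowed_peers=("127.0.0.1",), hostname="FREEBSD_HOST"):
    """Constructed stand-in for zabbix_agentd on 127.0.0.1 (ephemeral port) so
    the client can be exercised offline. Mimics Server= filtering by closing
    without a reply for unlisted peers. Returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return                          # stop() shut the listener down
            with conn:
                try:
                    key = zbx_recv(conn).decode()
                except (ValueError, ConnectionError):
                    continue
                if peer[0] not in allowed_peers:
                    continue                    # real agent logs 'connection rejected' and closes
                if key == "agent.ping":
                    reply = b"1"
                elif key == "agent.hostname":
                    reply = hostname.encode()
                else:
                    reply = b"ZBX_NOTSUPPORTED\x00Unsupported item key."
                conn.sendall(zbx_frame(reply))

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)      # wakes the blocked accept()
        except OSError:
            pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    port, stop = fake_agent()
    print("agent.ping     ->", agent_get("127.0.0.1", port, "agent.ping"))
    print("agent.hostname ->", agent_get("127.0.0.1", port, "agent.hostname"))
    print("bogus.key      ->", agent_get("127.0.0.1", port, "bogus.key"))
    stop()
    # Against the real box: agent_get("192.168.0.198", 10050, "agent.ping")
    # from a machine listed in Server= should return "1".
```

The stock tool for the same check is zabbix_get (`zabbix_get -s 192.168.0.198 -k agent.ping`); the point of writing the exchange out is to see the three outcomes separately: a value means the port is open and the agent trusts you, None means the packet got through pf but the agent rejected your source address, and a timeout means pf (or the network) dropped the SYN before the agent ever saw it.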
 
Re: Zabbix and jails redirection

I don't use zabbix either, but this is not the issue right now.

I can't figure out your topology drawing. Can you elaborate on that? I don't know what "ExtFixIP" is, and I don't know what the difference is between "my host" and "FreeBSD host". I'd need more details on that.
Looking at the pf.conf you pasted, the NAT setup does not make much sense: you are NATing to the same network you have on your (assumed) egress interface (assuming that pf.conf is from "FreeBSD host").

Right now it seems that "FreeBSD host" is on the local network and has the jail IPs assigned to its outgoing interface (bge0). In this setup no NAT is needed.

Question is: from where are you trying to reach that zabbix port?
 
Re: Zabbix and jails redirection

Hi @matoatlantis,

Looking at the info I have given, I must admit it's a mess...

82.36.74.191 - ExtFixIP ==> is my public fixed IP address
192.168.0.198 - FreeBSD_Host ==> is my physical machine running FreeBSD 10 on ZFS. All my jails reside inside the FreeBSD_Host
webjail IP ==> 192.168.0.115
DBjail IP ==> 192.168.0.120
mailjail IP ==> 192.168.0.125

My server has a single Ethernet card, bge0. The jail network is an alias on bge0; lo1 is not used here, as per @SirDice's advice.

pf.conf is on FreeBSD_Host and redirects traffic to all jails and secures the FreeBSD_Host itself.

Now, taking your previous comment on board, I changed the pf.conf. Below is my full file (still learning pf):
Code:
### macro name for external interface.
ext_if = "bge0"

### jail IPs
webjail   ="192.168.0.115"
sqljail   ="192.168.0.120"
mailjail ="192.168.0.125"

### jail Ports
webports ="{ http,https }"
sqlports ="{ 1913 }"
mailports ="{ 25 }"
bfports = "{ 22 }" # SSH brute force prevention
zabbixport = "{ 10050 }"

table <fail2ban> counters persist file "/var/db/pf/bf.table"
table <ssh_abuse> counters persist file "/var/db/pf/sshabuse.table"

scrub in on $ext_if all fragment reassemble

### nat all jail traffic
nat on $ext_if from $ext_if:network to any -> ($ext_if)

### Translation
rdr on $ext_if proto tcp from any to $ext_if port $webports -> $webjail
rdr on $ext_if proto tcp from any to $ext_if port $sqlports -> $sqljail
rdr on $ext_if proto tcp from any to $ext_if port $mailports -> $mailjail

### set a default deny everything policy.
block all

### exercise antispoofing on the external interface, add the local loopback interface as an exception
set skip on lo0
antispoof for $ext_if inet

### block anything coming from sources that we have no back routes for.
block in from no-route to any

### block packets that fail a reverse path check.
block in from urpf-failed to any

### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255

### block packets claiming to come from reserved internal address blocks
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### block probes that can possibly determine our operating system 
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

### keep state on any outbound tcp, udp or icmp traffic. modulate the isn of
### outgoing packets.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

### open ports for OpenNTPD time service 
# Ipv4 Open outgoing port TCP 123 (NTP)
pass out on $ext_if proto tcp to any port ntp
# Ipv4 Open outgoing port UDP 123 (NTP)
pass out on $ext_if proto udp to any port ntp

### allow inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state

### allow inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state

### open zabbix traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to ($ext_if) port $zabbixport flags S/SA keep state

###  ruleset that prevents excessive abuse by hosts
block in quick from <ssh_abuse>
block in quick on $ext_if from <fail2ban> to any

### send all ssh excessive abuse connection to blackhole table
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
 
Re: Zabbix and jails redirection

Remove all the NAT and redirections, you don't need them. Other hosts can connect to the 192.168.0.0/24 addresses on the interface directly.
 
Re: Zabbix and jails redirection

SirDice said:
Remove all the NAT and redirections, you don't need them. Other hosts can connect to the 192.168.0.0/24 addresses on the interface directly.
As suggested I removed the NAT and redirections and the web is no longer accessible...
I tried to add
Code:
pass in on $ext_if proto tcp from any to $webjail port $webports
pass in on $ext_if proto tcp from any to $sqljail port $sqlports
pass in on $ext_if proto tcp from any to $mailjail port $mailports
But with no success
 
Re: Zabbix and jails redirection

This rule:
Code:
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
Also blocks all your incoming packets from 192.168.0.0/24 (192.168.0.0/16 includes 192.168.0.0/24). And because it uses the quick keyword no other rules will be evaluated.
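As an added illustration (not part of the thread, and not pf itself), here is a small Python model of the two things this diagnosis rests on: pf's last-match-wins evaluation, and `quick` ending it early. The two rulesets are constructed from the ones posted in this thread with macros expanded and interface, flags and state options dropped; 192.168.0.50 and 203.0.113.7 are made-up client addresses, and the parser only understands the handful of keywords those rules use.

```python
import ipaddress
from dataclasses import dataclass, field

# Service names used in the thread's rules, as /etc/services would resolve them.
PORT_NAMES = {"ssh": 22, "http": 80, "www": 80, "https": 443, "ntp": 123}


@dataclass
class Rule:
    action: str                               # "pass" or "block"
    quick: bool = False
    proto: set = field(default_factory=set)   # empty set = any protocol
    src: list = field(default_factory=list)   # [] = any source
    dst: list = field(default_factory=list)   # [] = any destination
    ports: set = field(default_factory=set)   # empty set = any port


def _take_list(toks, i):
    """Return (items, next_index) for one token or a `{ a, b }` list at toks[i]."""
    if toks[i] == "{":
        j = toks.index("}", i)
        return toks[i + 1:j], j + 1
    return [toks[i]], i + 1


def _nets(items):
    return [] if items == ["any"] else [ipaddress.ip_network(a, strict=False) for a in items]


def parse_rule(text):
    """Parse the subset of pf filter syntax the thread uses: action, in, log,
    quick, inet, all, proto, from, to, port. Macros must already be expanded."""
    toks = text.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    rule, i = Rule(action=toks[0]), 1
    while i < len(toks):
        tok = toks[i]
        if tok == "quick":
            rule.quick, i = True, i + 1
        elif tok in ("in", "log", "all", "inet"):
            i += 1                              # no influence on matching in this model
        elif tok == "proto":
            items, i = _take_list(toks, i + 1)
            rule.proto = set(items)
        elif tok == "from":
            items, i = _take_list(toks, i + 1)
            rule.src = _nets(items)
        elif tok == "to":
            items, i = _take_list(toks, i + 1)
            rule.dst = _nets(items)
        elif tok == "port":
            items, i = _take_list(toks, i + 1)
            rule.ports = {PORT_NAMES[p] if p in PORT_NAMES else int(p) for p in items}
        else:
            raise ValueError("unsupported token %r in rule: %s" % (tok, text))
    return rule


def load(ruleset_text):
    return [parse_rule(line) for line in ruleset_text.strip().splitlines()]


def evaluate(rules, src, dst, proto, port=None):
    """pf filtering semantics for an inbound packet: the LAST matching rule
    decides, except that a matching rule with `quick` ends evaluation at once."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    decision = "pass"                           # pf's implicit default when nothing matches
    for r in rules:
        if r.proto and proto not in r.proto:
            continue
        if r.src and not any(s in n for n in r.src):
            continue
        if r.dst and not any(d in n for n in r.dst):
            continue
        if r.ports and port not in r.ports:
            continue
        decision = r.action
        if r.quick:
            break
    return decision


# Constructed from the OP's pf.conf: the RFC 1918 "bogon" block placed ahead of
# the service rules, with $ext_if, flags and state options dropped.
OP_RULESET = load("""
block in all
block in log quick from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
pass in proto tcp from any to any port { ssh, www }
pass in proto tcp from any to 192.168.0.198 port { 10050 }
""")

# Constructed from matoatlantis's minimal replacement ruleset.
MINIMAL_RULESET = load("""
block in all
pass in quick proto tcp from any to 192.168.0.198 port { 22 }
pass in quick proto tcp from any to 192.168.0.115 port { 80, 443 }
pass in quick proto { tcp, udp } from any to 192.168.0.198 port { 10050 }
""")


def lan_client_to_webjail(rules):
    """A browser on the LAN (192.168.0.50, a constructed client) hitting nginx in webjail."""
    return evaluate(rules, "192.168.0.50", "192.168.0.115", "tcp", 80)


if __name__ == "__main__":
    for name, rs in (("OP ruleset", OP_RULESET), ("minimal ruleset", MINIMAL_RULESET)):
        print("%-16s LAN -> webjail:80 = %s" % (name, lan_client_to_webjail(rs)))
    # Same destination from a public source (what the router's port forward delivers):
    print("internet -> webjail:80 under OP ruleset =",
          evaluate(OP_RULESET, "203.0.113.7", "192.168.0.115", "tcp", 80))
```

The model also shows why the site stayed reachable from the internet through the router's port forward (the source address is public, so the bogon rule never matches) while every LAN client was dropped: that rule is only correct on an interface whose far side is the public internet, and on this box the far side of bge0 is 192.168.0.0/24. Real pf evaluation additionally depends on interface, direction and existing state; on a live system, `pfctl -nf /etc/pf.conf` checks a ruleset before loading it and `pfctl -vsr` shows per-rule evaluation and packet counters, which is the quickest way to see which rule is actually eating the traffic.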
 
Re: Zabbix and jails redirection

SirDice said:
This rule:
Code:
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
Also blocks all your incoming packets from 192.168.0.0/24 (192.168.0.0/16 includes 192.168.0.0/24). And because it uses the quick keyword no other rules will be evaluated.

So should I remove that line altogether?
Will that work?
Code:
table <blocked_nets> { 10.0.0.0/8, \
                       172.16.0.0/12, \
                       192.168.0.0/16, \
                       255.255.255.255/32 }

block in log on $ext_if from <blocked_nets> to any
 
Re: Zabbix and jails redirection

Ok, so let's see if I got it right. Your default gateway is 192.168.0.1, which is some sort of home router (NAT box). It is also the box your public IP is assigned to. This box is not FreeBSD and it's not part of the problem you are trying to solve.

You are trying to reach a web page within your network (192.168.0.0/24) hosted on a FreeBSD box (192.168.0.198) inside a jail (192.168.0.115). Zabbix is installed on the FreeBSD host. Correct?

If so, your rc.conf seems ok. I see you have more services running on this host, but I'll focus on zabbix (10050), web (80, 443) and SSH (22) only. Other services are to be configured the same way.
Any other traffic to the server will be denied. For demonstration purposes I'll allow tcp/udp on port 10050.

/etc/pf.conf:
Code:
ext_if="bge0"

IP_FREEBSD_HOST="192.168.0.198"
IP_WEB="192.168.0.115"

PORT_WEB="{80,443}"
PORT_SSH="{22}"
PORT_ZABBIX="{10050}"

# [options]
set skip on lo0

# [normalization]
scrub in all

# [translation]

# [filtering]
pass out all
block in all

pass in quick proto tcp from any to $IP_FREEBSD_HOST port $PORT_SSH
pass in quick proto tcp from any to $IP_WEB port $PORT_WEB
pass in quick proto {tcp,udp} from any to $IP_FREEBSD_HOST port $PORT_ZABBIX
 
Re: Zabbix and jails redirection

matoatlantis said:
Ok, so let's see if I got it right. Your default gateway is 192.168.0.1, which is some sort of home router (NAT box). It is also the box your public IP is assigned to. This box is not FreeBSD and it's not part of the problem you are trying to solve.

You are trying to reach a web page within your network (192.168.0.0/24) hosted on a FreeBSD box (192.168.0.198) inside a jail (192.168.0.115). Zabbix is installed on the FreeBSD host. Correct?
Bingo! You are 100% correct :)
I'll start with the example you provided and build on that.
I'll let you know how I get on.

thank you
Fred
 
Re: Zabbix and jails redirection

Hi @matoatlantis,
Sorry to be a pain, but I have done a copy and paste of the example you gave me and restarted the server.
Once the rules were loaded, I still had an SSH connection but no access to my website.
Are you guys sure I don't need the redirect rule?
 
Re: Zabbix and jails redirection

fred974 said:
Hi @matoatlantis,
Sorry to be a pain, but I have done a copy and paste of the example you gave me and restarted the server.
Once the rules were loaded, I still had an SSH connection but no access to my website.
Are you guys sure I don't need the redirect rule?
No pain. I did test those rules and they are working. You don't need to redirect; you have those IP addresses assigned directly on the outgoing interface, so the IPs are locally accessible.
Where did you test it from? I'm assuming you are accessing the web page from a computer within your local network.

You don't need to reboot, just do a
Code:
pfctl -f /etc/pf.conf
to apply new PF config.

To avoid issues with the web server configuration itself, test your setup using e.g. nc. In the jail, make sure the web server is down (that means nothing has opened a socket on 192.168.0.115:80). Then launch the following command:
Code:
webjail# nc -l 80
And try to telnet to it from a computer within your network:

Code:
telnet 192.168.0.115 80
You can also check the traffic on your BSD host:

Code:
tcpdump -n -f port 80
pfctl -ss

EDIT: I also assume you are using my pf.conf and you didn't just merge it with your current config. As @SirDice said below, your pf.conf is way too complicated.
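Added example (Python, not from the thread): a probe that reports a port the way the outcomes in this thread show up on the client side, plus a throw-away listener playing the role of `nc -l 80`. The next-step hints are this editor's reading of the debugging procedure above, not the poster's words; the localhost run is constructed so the block works offline.

```python
import socket


def probe(host, port, timeout=2.0):
    """Classify a TCP port from the client's point of view.

    'open'        handshake completed: the packet passed and something is listening
    'closed'      RST came back: the packet reached the host and nothing is bound
                  there (or pf used `block return`); the firewall did not drop it
    'filtered'    silence until the timeout: pf `block drop` (pf's default block
                  behaviour), or the packet never reached the host at all
    'unreachable' the local stack would not even send (no route, link down)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:            # alias of TimeoutError on Python >= 3.10
        return "filtered"
    except OSError:
        return "unreachable"


# What to look at next for each outcome (editor's hints, following the thread).
NEXT_STEP = {
    "open": "service reachable; now test the real daemon (nginx) instead of nc",
    "closed": "pf passed it; check the jail's listener (is nginx bound to 192.168.0.115:80?)",
    "filtered": "run `tcpdump -ni bge0 host <client> and port 80` on the host: "
                "no packet -> client/ARP/route problem; packet but no reply -> pf or ip4.addr",
    "unreachable": "fix the client's routing before looking at the server",
}


def listener(host="127.0.0.1", port=0):
    """Stand-in for `nc -l 80`: bind (an ephemeral port by default) and listen.
    Returns (port, close) so the caller can tear it down again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv.getsockname()[1], srv.close


def diagnose(host, port, timeout=2.0):
    """Probe and pair the result with the next debugging step."""
    state = probe(host, port, timeout)
    return state, NEXT_STEP[state]


if __name__ == "__main__":
    port, close = listener()                      # like `nc -l` inside the jail
    print("127.0.0.1:%d while listening -> %s" % (port, diagnose("127.0.0.1", port)))
    close()
    print("127.0.0.1:%d after closing   -> %s" % (port, diagnose("127.0.0.1", port)))
    # From the laptop: diagnose("192.168.0.115", 80)
```

The distinction matters when reading telnet output: "Operation timed out" means the SYN got no reply at all, which is what pf's `block drop` produces but also what you see when the packet never arrives, so it does not by itself point at the firewall. A "Connection refused" would have said the host answered and pf let the packet through, and the fault is in the jail.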
 
Re: Zabbix and jails redirection

I've only seen parts of it but your pf.conf seems overly complicated. I'd just move it to the side and start with a new ruleset. Build it up slowly and each time you add something test it. Don't put all those odd tests in there to prevent scans and such. A scrub takes care of most of the crappy packets. Don't worry about those OS fingerprints. Hardly anybody uses scans like that because it's usually easier to find the info in other ways.
 
Re: Zabbix and jails redirection

matoatlantis said:
EDIT: I also assume you are using my pf.conf and you didn't just merge it with your current config. As @SirDice said below, your pf.conf is way too complicated.
Yes I am starting from scratch using the example you provided.

/etc/pf.conf:
Code:
ext_if="bge0"

IP_FREEBSD_HOST="192.168.0.198"
IP_WEB="192.168.0.115"

PORT_WEB="{80,443}"
PORT_SSH="{22}"
PORT_ZABBIX="{10050}"

# [options]
set skip on lo0

# [normalization]
scrub in all

# [translation]

# [filtering]
pass out all
block in all

pass in quick proto tcp from any to $IP_FREEBSD_HOST port $PORT_SSH
pass in quick proto tcp from any to $IP_WEB port $PORT_WEB
pass in quick proto {tcp,udp} from any to $IP_FREEBSD_HOST port $PORT_ZABBIX
root@FREEBSD_HOST:/ # jexec 1
root@webjail:/ # nc -l 80
Code:
nc: Address already in use
root@webjail:/ # service nginx stop
Code:
Stopping nginx.
Waiting for PIDS: 1047.
root@webjail:/ # nc -l 80
Code:
no response ... so port 80 is not listened on
root@FREEBSD_LAPTOP_ON LAN:/ # ping 192.168.0.115
Code:
no response
root@FREEBSD_LAPTOP_ON LAN:/ # telnet 192.168.0.115
Code:
no response
root@FREEBSD_LAPTOP_ON LAN:/ # telnet 192.168.0.115 80
Code:
no response
root@FREEBSD_HOST:/ # telnet 192.168.0.115 80
Code:
Trying 192.168.0.115...
telnet: connect to address 192.168.0.115: Operation timed out
telnet: Unable to connect to remote host
root@FREEBSD_HOST:~ # telnet 192.168.0.115 80
Code:
Trying 192.168.0.115...
Connected to 192.168.0.115.
Escape character is '^]'.
Connection closed by foreign host.
root@FREEBSD_HOST:~ # tcpdump -n -f port 80
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bge0, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
root@FREEBSD_HOST:~ # pfctl -ss
Code:
No ALTQ support in kernel
ALTQ related functions disabled
all udp 192.168.0.198:20609 -> 109.169.89.48:123       MULTIPLE:MULTIPLE
all tcp 192.168.0.198:22 <- 213.146.159.254:2709       ESTABLISHED:ESTABLISHED
root@webjail:/ # whois google.com
Code:
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZ.HAVENDATA.COM
GOOGLE.COM.ZZZZZZZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM
GOOGLE.COM.ZNAET.PRODOMEN.COM ....
root@FREEBSD_HOST:~ # vi /etc/jails.conf
Code:
webjail {
   path = /local/jails/webjail;
   mount.devfs;
   devfs_ruleset = 4;
   host.hostname = webjail.mydomain.com;
   ip4.addr = 192.168.0.115;
   exec.start = "/bin/sh /etc/rc";
   exec.stop = "/bin/sh /etc/rc.shutdown";
}

sqljail {
   path = /local/jails/sqljail;
   mount.devfs;
   devfs_ruleset = 4;
   host.hostname = sqljail.mydomain.com;
   ip4.addr = 192.168.0.120;
   exec.start = "/bin/sh /etc/rc";
   exec.stop = "/bin/sh /etc/rc.shutdown";
}

mailjail {
   path = /local/jails/mailjail;
   mount.devfs;
   devfs_ruleset = 4;
   host.hostname = mailjail.mydomain.com;
   ip4.addr = 192.168.0.125;
   exec.start = "/bin/sh /etc/rc";
   exec.stop = "/bin/sh /etc/rc.shutdown";
}
root@webjail:/ # vi /etc/rc.conf
Code:
# Miscellaneous Configuration
hostname="webjail.mydomain.com"
#network_interfaces="lo1"
kern_securelevel_enable="YES"
kern_securelevel="1"
rpcbind_enable="NO"
cron_flags="$cron_flags -J 15"
syslogd_flags="-ss"
sendmail_enable="NONE"
clear_tmp_enable="YES"
## Mail Config
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# SSHD Configuration
sshd_enable="YES"
nginx_enable="YES"
php_fpm_enable="YES"
/etc/sysctl.conf
Code:
kern.ipc.maxsockbuf=2097152
net.inet.tcp.sendbuf_max=2097152
net.inet.tcp.recvbuf_max=2097152
net.inet.tcp.cc.algorithm=htcp
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.tcp.hostcache.expire=900
kern.ipc.somaxconn=1024
net.inet.tcp.mssdflt=1460
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.experimental.initcwnd10=1
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc3390=1
net.inet.tcp.sendspace=262144
net.inet.tcp.syncache.rexmtlimit=1
net.inet.tcp.syncookies=0
net.inet.ip.check_interface=1
net.inet.ip.portrange.randomized=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.icmplim_output=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.ecn.enable=0
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rfc3042=0
net.inet.tcp.sack.enable=1
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
security.bsd.see_other_uids=0
net.local.stream.sendspace=164240  # (default 8192)
net.local.stream.recvspace=164240  # (default 8192)
###### jails #########
security.jail.allow_raw_sockets=1       # (default 0)
security.jail.enforce_statfs=2          # (default 2)
security.jail.set_hostname_allowed=0    # (default 1)
security.jail.socket_unixiproute_only=1 # (default 1)
security.jail.sysvipc_allowed=0         # (default 0)
security.jail.chflags_allowed=0         # (default 0)
#security.jail.mount_zfs_allowed: 1
#security.jail.mount_allowed: 1
Guys,

You cannot imagine how much I appreciate your help here. Thank you very much for assisting me.
I have no clue as to why this is happening.
 
Re: Zabbix and jails redirection

Ping was disabled in the config I made. You can allow it by the following pf.conf modification:

Code:
ICMP_TYPES="{echoreq,unreach}"

# in filtering
pass inet proto icmp all icmp-type $ICMP_TYPES keep state
Can you also share the output of the ifconfig and netstat -nr commands? Just to be sure, also pfctl -snat, pfctl -sr and arp -an after the rules are applied.

Strange thing is that you have not even received a packet to 192.168.0.115 when you tried to reach it from FREEBSD_LAPTOP_ON LAN. This suggests that the problem occurs before PF filtering.
 
Re: Zabbix and jails redirection

The standard tool to use is tcpdump(1). With it you can see the packets arriving on the interface. Even if the host itself is completely firewalled the packets should still arrive. If nothing gets to the server the issue is somewhere else on the network.
 
Re: Zabbix and jails redirection

Ok, I restarted the laptop and I now get the following result (Nginx was running at the time)
root@FREEBSD_LAPTOP_ON LAN:/root # telnet 192.168.0.115 80
Code:
Trying 192.168.0.115...
Connected to 192.168.0.115.
Escape character is '^]'.
Connection closed by foreign host.
root@FREEBSD_HOST:~ # ifconfig
Code:
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether d4:85:64:6a:6a:8c
        inet 192.168.0.198 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::d685:64ff:fe6a:6a8c%bge0 prefixlen 64 scopeid 0x1
        inet 192.168.0.115 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.120 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.0.125 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
root@FREEBSD_HOST:~ # netstat -nr
Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0      775   bge0
127.0.0.1          link#2             UH          0      578    lo0
192.168.0.0/24     link#1             U           0       21   bge0
192.168.0.115      link#1             UHS         0        0    lo0
192.168.0.120      link#1             UHS         0    10454    lo0
192.168.0.125      link#1             UHS         0        0    lo0
192.168.0.198      link#1             UHS         0     8175    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#2                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%bge0/64                    link#1                        U          bge0
fe80::d685:64ff:fe6a:6a8c%bge0    link#1                        UHS         lo0
fe80::%lo0/64                     link#2                        U           lo0
fe80::1%lo0                       link#2                        UHS         lo0
ff01::%bge0/32                    fe80::d685:64ff:fe6a:6a8c%bge0 U          bge0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%bge0/32                    fe80::d685:64ff:fe6a:6a8c%bge0 U          bge0
ff02::%lo0/32                     ::1                           U           lo0
root@FREEBSD_HOST:~ # pfctl -snat
Code:
No ALTQ support in kernel
ALTQ related functions disabled
root@FREEBSD_HOST:~ # pfctl -sr
Code:
No ALTQ support in kernel
ALTQ related functions disabled
scrub in all fragment reassemble
pass out all flags S/SA keep state
block drop in all
pass in quick inet proto tcp from any to 192.168.0.115 port = http flags S/SA keep state
pass in quick inet proto tcp from any to 192.168.0.115 port = https flags S/SA keep state
pass in quick inet proto tcp from any to 192.168.0.198 port = ssh flags S/SA keep state
pass in quick inet proto tcp from any to 192.168.0.198 port = 10050 flags S/SA keep state
pass in quick inet proto udp from any to 192.168.0.198 port = 10050 keep state
root@FREEBSD_HOST:~ # arp -an
Code:
? (192.168.0.198) at d4:85:64:6a:6a:8c on bge0 permanent [ethernet]
? (192.168.0.1) at 9c:d3:6d:d3:17:1b on bge0 expires in 928 seconds [ethernet]
? (192.168.0.120) at d4:85:64:6a:6a:8c on bge0 permanent [ethernet]
? (192.168.0.125) at d4:85:64:6a:6a:8c on bge0 permanent [ethernet]
? (192.168.0.115) at d4:85:64:6a:6a:8c on bge0 permanent [ethernet]
Any idea why using my original pf.conf file, the web worked?
 
Re: Zabbix and jails redirection

fred974 said:
Ok, I restarted the laptop and I now get the following result (Nginx was running at the time)
root@FREEBSD_LAPTOP_ON LAN:/root # telnet 192.168.0.115 80
Code:
Trying 192.168.0.115...
Connected to 192.168.0.115.
Escape character is '^]'.
Connection closed by foreign host.

But hey, now it's working! So problem was with your notebook maybe ?

Configuration (in config files) and output from the commands is what one expects -- that is all ok.
 
Re: Zabbix and jails redirection

matoatlantis said:
Configuration (in config files) and output from the commands is what one expects -- that is all ok.
Oh well, I'll have to carry on looking. Thank you very much for all the time you spent on helping me :)
One last thing: when doing lynx http://192.168.0.115 from FREEBSD_LAPTOP_ON LAN I can see the webpages using the pf rules you provided.
Is that an indication of anything?
 
Re: Zabbix and jails redirection

fred974 said:
matoatlantis said:
Configuration (in config files) and output from the commands is what one expects -- that is all ok.
Oh well, I'll have to carry on looking. Thank you very much for all the time you spent on helping me :)
One last thing: when doing lynx http://192.168.0.115 from FREEBSD_LAPTOP_ON LAN I can see the webpages using the pf rules you provided.
Is that an indication of anything?
Well, that's the indication that it is working. That's what I actually said above. First, when you pasted the output of tcpdump, I said that this suggests the problem is somewhere before PF, meaning it has to be somewhere else (as @SirDice later said). It doesn't matter if you use telnet or lynx; the result is the same.

As it is working after you rebooted the notebook I'd say you had some problems with the notebook itself.
So the question now - is it now working as you expected ?
 
Re: Zabbix and jails redirection

From the notebook, I can see the pages but only with lynx http://IP, not with lynx http://domain.com
I assume the problem is not with DNS, as when using the old rules I can access the domain's webpages.
 
Re: Zabbix and jails redirection

Resolving happens on the client, not on the server you're connecting to. TCP/IP doesn't understand names, only IP addresses. So the name must be resolved to an IP address before the client can connect to it.
 
Re: Zabbix and jails redirection

fred974 said:
From the notebook, I can see the pages but only with lynx http://IP, not with lynx http://domain.com
I assume the problem is not with DNS, as when using the old rules I can access the domain's webpages.

Ok, but that is not a PF problem any more :). The goal was to set up the firewall and allow the traffic for the respective jails. If you can reach the service in the jail, all is ok.

Make sure the jails have the proper method of resolving set too (hosts, resolv.conf, nsswitch.conf ...). Also check the configuration of the web server itself.
Test that the jail can resolve its hostname properly.
 
Re: Zabbix and jails redirection

matoatlantis said:
Ok, but that is not a PF problem any more :). The goal was to set up the firewall and allow the traffic for the respective jails. If you can reach the service in the jail, all is ok.

Make sure the jails have the proper method of resolving set too (hosts, resolv.conf, nsswitch.conf ...). Also check the configuration of the web server itself.
Test that the jail can resolve its hostname properly.
No, it cannot be resolved by hostname. Actually none of my boxes can...
I might need to set up a DNS server to achieve that.
Am I right there?
 