Routing tables and firewall

Good afternoon everyone,

I am trying to setup jail that will run some gaming server using linux_base-c7-7.9.2009 inside of jail. I am using ezjail to manage all jails (find it easier). Problem I have is I cannot get rdr rule to work properly and I cannot ping my jail from my laptop. Server is Dell PowerEdge 1950.
uname -a:

Code:
FreeBSD ldrive 13.1-RC3 FreeBSD 13.1-RC3 #1 r372073M: Thu May  5 11:08:31 BST 2022     root@ldrive:/usr/obj/usr/src/amd64.amd64/sys/LDRIVE amd64

pf.conf:

Code:
##################################################
# Firewall (PF) by Airost made on 27/04/2022     #
##################################################

##############################
# Makra i tabele             #
##############################

lo_if="lo0"                     #loopback
wan_if="tun0"                   #PlusNet
lan_if="bce1"                   #LAN
lan_net="172.16.0.1/16"         #Siec LAN
my_ip="212.159.22.253"          #IP WAN

uzytkownicy="{          172.16.0.1,
                        172.16.0.2,
                        172.16.0.3,
                        172.16.0.4,
                        172.16.0.5,
                        172.16.0.6,
                        172.16.0.7,
                        172.16.0.8,
                        172.16.0.9,
                        172.16.0.10,
                        172.16.0.11,
                        172.16.0.12,
                        172.16.0.13,
                        172.16.0.14,
                        172.16.0.15,
                        172.16.0.16,
                        172.16.0.17,
                        172.16.0.18,
                        172.16.0.19,
                        172.16.0.20,
                        172.16.0.21,
                        172.16.0.22,
                        172.16.0.23,
                        172.16.0.24,
                        172.16.0.25  }"

jails="{                172.16.10.1,
                        172.16.10.2,
                        172.16.10.3,
                        172.16.10.4   }"


set loginterface $wan_if
set loginterface $lan_if

set optimization normal

##############################
# Normalizacja pakietow      #
##############################

scrub in all
scrub on $wan_if no-df

##############################
# AltQ - upload              #
##############################

altq on $wan_if cbq bandwidth 1Gb queue { std_out               \
                                          accesspoint_out       \
                                          airost_out            \
                                          airostmobile_out      \
                                          aszka_out             \
                                          aszkamobile_out       \
                                          aszkaipad_out         \
                                          PS4_out               \
                                          amazontv_out          \
                                          bluray_out            \
                                          jailwwwserver_out     \
                                          jailmailserver_out    \
                                          jailgameserver_out }
queue std_out                   bandwidth 30Mb cbq(default red)
queue accesspoint_out           bandwidth 15Mb cbq(red)
queue airost_out                bandwidth 1Mb  cbq(red)
queue airostmobile_out          bandwidth 1Mb  cbq(red)
queue aszka_out                 bandwidth 10Mb cbq(red)
queue aszkamobile_out           bandwidth 1Mb  cbq(red)
queue aszkaipad_out             bandwidth 1Mb  cbq(red)
queue PS4_out                   bandwidth 1Mb  cbq(red)
queue amazontv_out              bandwidth 1Mb  cbq(red)
queue bluray_out                bandwidth 1Mb  cbq(red)
queue jailwwwserver_out         bandwidth 10Mb cbq(red)
queue jailmailserver_out        bandwidth 10Mb cbq(red)
queue jailgameserver_out        bandwidth 10Mb cbq(red)

##############################
# AltQ - download            #
##############################

altq on $lan_if cbq bandwidth 1Gb queue { std_in                \
                                          accesspoint_in        \
                                          airost_in             \
                                          airostmobile_in       \
                                          aszka_in              \
                                          aszkamobile_in        \
                                          aszkaipad_in          \
                                          PS4_in                \
                                          amazontv_in           \
                                          bluray_in             \
                                          jailwwwserver_in      \
                                          jailmailserver_in     \
                                          jailgameserver_in }
queue std_in                    bandwidth 78Mb cbq(default red)
queue accesspoint_in            bandwidth 78Mb cbq(red)
queue airost_in                 bandwidth 30Mb cbq(red)
queue airostmobile_in           bandwidth 5Mb  cbq(red)
queue aszka_in                  bandwidth 20Mb cbq(red)
queue aszkamobile_in            bandwidth 5Mb  cbq(red)
queue aszkaipad_in              bandwidth 5Mb  cbq(red)
queue PS4_in                    bandwidth 10Mb cbq(red)
queue amazontv_in               bandwidth 10Mb cbq(red)
queue bluray_in                 bandwidth 10Mb cbq(red)
queue jailwwwserver_in          bandwidth 10Mb cbq(red)
queue jailmailserver_in         bandwidth 10Mb cbq(red)
queue jailgameserver_in         bandwidth 10Mb cbq(red)

##############################
# NAT -> LAN                 #
##############################

nat on $wan_if from $uzytkownicy to any -> ($wan_if)
nat on $wan_if from $lan_if to any -> ($wan_if)

nat on $wan_if from $jails to any -> ($wan_if)

##############################
# Redirect LAN -> WAN        #
##############################

#Serwer Steam [Jail]
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 80, 443, 27015, 27016, 7777 }  -> 172.16.10.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 27005, 27020, 51840 }  -> 172.16.10.3
#rdr pass on $wan_if inet proto tcp to vlan1 port 21 -> 172.16.10.1
#rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 9987, 30033, 10011 } -> 172.16.10.3
#rdr pass on $wan_if proto { tcp, udp } from any to any port 9987 -> 172.16.10.3 port 9987
#rdr pass on $wan_if proto { tcp, udp } from any to any port 10011 -> 172.16.10.3 port 10011
#rdr pass on $wan_if proto { tcp, udp } from $jails to any port 30033 -> 172.16.10.3 port 30033

rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 9987, 10011, 30033 } -> 172.16.10.3


##### Dziala na hoscie
#rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 9987, 10011, 30033 } -> 212.159.22.253

##############################
# Firewall                   #
##############################

pass out all
pass in all

##############################
# AltQ - uzytkownicy         #
##############################

pass in on $lan_if inet proto tcp from any to $wan_if port 1723 flags S/SAFR queue (q_normal, q_ack)
pass in on $lan_if inet proto gre from any to $wan_if queue (q_normal, q_ack)

##############################
# Tagowanie pakietow LAN     #
##############################

pass in on $lan_if from 172.16.0.1 to any tag server            keep state
pass in on $lan_if from 172.16.0.2 to any tag accesspoint       keep state
pass in on $lan_if from 172.16.0.3 to any tag airost            keep state
pass in on $lan_if from 172.16.0.4 to any tag airostmobile      keep state
pass in on $lan_if from 172.16.0.5 to any tag aszka             keep state
pass in on $lan_if from 172.16.0.6 to any tag aszkamobile       keep state
pass in on $lan_if from 172.16.0.7 to any tag aszkaipad         keep state
pass in on $lan_if from 172.16.0.8 to any tag PS4               keep state
pass in on $lan_if from 172.16.0.9 to any tag amazontv          keep state
pass in on $lan_if from 172.16.0.10 to any tag bluray           keep state
pass in on $lan_if from 172.16.10.1 to any tag jailwwwserver    keep state
pass in on $lan_if from 172.16.10.2 to any tag jailmailserver   keep state
pass in on $lan_if from 172.16.10.3 to any tag jailgameserver   keep state

##############################
# AltQ - Upload              #
##############################

pass out on $wan_if all tagged server                   keep state queue server_out
pass out on $wan_if all tagged accesspoint              keep state queue accesspoint_out
pass out on $wan_if all tagged airost                   keep state queue airost_out
pass out on $wan_if all tagged airostmobile             keep state queue airostmobile_out
pass out on $wan_if all tagged aszka                    keep state queue aszka_out
pass out on $wan_if all tagged aszkamobile              keep state queue aszkamobile_out
pass out on $wan_if all tagged aszkaipad                keep state queue aszkaipad_out
pass out on $wan_if all tagged PS4                      keep state queue PS4_out
pass out on $wan_if all tagged amazontv                 keep state queue amazontv_out
pass out on $wan_if all tagged bluray                   keep state queue bluray_out
pass out on $wan_if all tagged jailwwwserver            keep state queue jailwwwserver_out
pass out on $wan_if all tagged jailmailserver           keep state queue jailmailserver_out
pass out on $wan_if all tagged jailgameserver           keep state queue jailgameserver_out

##############################
# AltQ - Download            #
##############################

pass in on $lan_if all tagged server                    keep state queue server_in
pass in on $lan_if all tagged accesspoint               keep state queue accesspoint_in
pass in on $lan_if all tagged airost                    keep state queue airost_in
pass in on $lan_if all tagged airostmobile              keep state queue airostmobile_in
pass in on $lan_if all tagged aszka                     keep state queue aszka_in
pass in on $lan_if all tagged aszkamobile               keep state queue aszkamobile_in
pass in on $lan_if all tagged aszkaipad                 keep state queue aszkaipad_in
pass in on $lan_if all tagged PS4                       keep state queue PS4_in
pass in on $lan_if all tagged amazontv                  keep state queue amazontv_in
pass in on $lan_if all tagged bluray                    keep state queue bluray_in
pass in on $lan_if all tagged jailwwwserver             keep state queue jailwwwserver_in
pass in on $lan_if all tagged jailmailserver            keep state queue jailmailserver_in
pass in on $lan_if all tagged jailgameserver            keep state queue jailgameserver_in

##############################
# Blokada portow             #
##############################

block in log quick on wan_if proto tcp from any to any port = 135
block in log quick on wan_if proto tcp from any to any port = 136
block in log quick on wan_if proto tcp from any to any port = 137
block in log quick on wan_if proto tcp from any to any port = 138
block in log quick on wan_if proto tcp from any to any port = 139
block in log quick on wan_if proto tcp from any to any port = 445
block in log quick on wan_if proto tcp from any to any port = 593
block in log quick on wan_if proto tcp from any to any port = 1024
block in log quick on wan_if proto tcp from any to any port = 1025
block in log quick on wan_if proto tcp from any to any port = 1026
block in log quick on wan_if proto tcp from any to any port = 1027
block in log quick on wan_if proto tcp from any to any port = 1028
block in log quick on wan_if proto tcp from any to any port = 1029
block in log quick on wan_if proto tcp from any to any port = 1030

block in log quick on lan_if proto tcp from any to any port = 135
block in log quick on lan_if proto tcp from any to any port = 136
block in log quick on lan_if proto tcp from any to any port = 137
block in log quick on lan_if proto tcp from any to any port = 138
block in log quick on lan_if proto tcp from any to any port = 139
block in log quick on lan_if proto tcp from any to any port = 445
block in log quick on lan_if proto tcp from any to any port = 593
block in log quick on lan_if proto tcp from any to any port = 1024
block in log quick on lan_if proto tcp from any to any port = 1025
block in log quick on lan_if proto tcp from any to any port = 1026
block in log quick on lan_if proto tcp from any to any port = 1027
block in log quick on lan_if proto tcp from any to any port = 1028
block in log quick on lan_if proto tcp from any to any port = 1029
block in log quick on lan_if proto tcp from any to any port = 1030

ifconfig from host:
Code:
bce0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:b9:f0:22:25
        inet 192.168.2.11 netmask 0xffffff00 broadcast 192.168.2.255
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c01bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
        ether 00:19:b9:f0:22:23
        inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
        syncok: 1
        groups: pfsync
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.1.0.0 netmask 0xffff0000
        inet 127.1.0.1 netmask 0xffffffff
        inet 127.1.0.2 netmask 0xffffffff
        inet 127.1.0.3 netmask 0xffffffff
        inet6 fe80::1%lo1 prefixlen 64 scopeid 0x6
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        options=80000<LINKSTATE>
        inet 212.159.22.253 --> 195.166.130.254 netmask 0xffffffff
        groups: tun
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 696
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80103<RXCSUM,TXCSUM,TSO4,LINKSTATE>
        ether 00:19:b9:f0:22:23
        inet 172.16.10.1 netmask 0xffffffff broadcast 172.16.10.1
        groups: vlan
        vlan: 1 vlanproto: 802.1q vlanpcp: 0 parent interface: bce1
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80103<RXCSUM,TXCSUM,TSO4,LINKSTATE>
        ether 00:19:b9:f0:22:23
        inet 172.16.10.2 netmask 0xffffffff broadcast 172.16.10.2
        groups: vlan
        vlan: 2 vlanproto: 802.1q vlanpcp: 0 parent interface: bce1
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80103<RXCSUM,TXCSUM,TSO4,LINKSTATE>
        ether 00:19:b9:f0:22:23
        inet 172.16.10.3 netmask 0xffffffff broadcast 172.16.10.3
        groups: vlan
        vlan: 3 vlanproto: 802.1q vlanpcp: 0 parent interface: bce1
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

ezjail for gameserver conf file:

Code:
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#

export jail_gameserver_hostname="gameserver"
export jail_gameserver_ip="vlan3|172.16.10.3,lo1|127.1.0.3"
export jail_gameserver_rootdir="/usr/jails/gameserver"
export jail_gameserver_exec_start="/bin/sh /etc/rc"
export jail_gameserver_exec_stop=""
export jail_gameserver_mount_enable="YES"
export jail_gameserver_devfs_enable="YES"
export jail_gameserver_devfs_ruleset="devfsrules_jail"
export jail_gameserver_procfs_enable="YES"
export jail_gameserver_fdescfs_enable="YES"
export jail_gameserver_image=""
export jail_gameserver_imagetype=""
export jail_gameserver_attachparams=""
export jail_gameserver_attachblocking=""
export jail_gameserver_forceblocking=""
export jail_gameserver_zfs_datasets=""
export jail_gameserver_cpuset=""
export jail_gameserver_fib=""
export jail_gameserver_parentzfs=""
export jail_gameserver_parameters="allow.raw_sockets=1 allow.sysvipc allow.mount.nullfs enforce_statfs=1 allow.mount.linprocfs allow.mount.linsysfs allow.mount.tmpfs allow.socket_af linux=i
export jail_gameserver_post_start_script=""
export jail_gameserver_retention_policy=""

and rc.conf on host:

Code:
sendmail_enable="NONE"
hostname="ldrive"
keymap="pl.kbd"
sshd_enable="YES"
moused_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
################
#Network interfaces
ifconfig_bce0="inet 192.168.2.11 netmask 255.255.255.0"
ifconfig_bce1="inet 172.16.0.1 netmask 255.255.0.0"
ifconfig_lo1="inet 127.1.0.0/16"
#PPPoE connection
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="plusnet"
#Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
#Internet forwarding
gateway_enable="YES"
#DHCP server
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="bce1"
#Linux emulator
linux_enable="YES"
#Ez_jails
#jail_enable="YES"
ezjail_enable="YES"
cloned_interfaces="lo1"
cloned_interface="vlan1"
ifconfig_vlan1="inet 172.16.10.1 netmask 255.255.0.0 vlan 1 vlandev bce1"
cloned_interface="vlan2"
ifconfig_vlan2="inet 172.16.10.2 netmask 255.255.0.0 vlan 2 vlandev bce1"
cloned_interface="vlan3"
ifconfig_vlan3="inet 172.16.10.3 netmask 255.255.0.0 vlan 3 vlandev bce1"

from host I can ping my jail but not from my laptop. From what I figured out it's probably routing issue:

netstat -rn

Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            195.166.130.254    US         tun0
127.0.0.1          link#3             UHS         lo0
127.1.0.0          link#6             UH          lo1
127.1.0.1          link#6             UH          lo1
127.1.0.2          link#6             UH          lo1
127.1.0.3          link#6             UH          lo1
172.16.0.0/16      link#2             U          bce1
172.16.0.1         link#2             UHS         lo0
172.16.10.1        link#8             UH          lo0
172.16.10.2        link#9             UH          lo0
172.16.10.3        link#10            UH          lo0
192.168.2.0/24     link#1             U          bce0
192.168.2.11       link#1             UHS         lo0
195.166.130.254    link#7             UHS        tun0
212.159.22.253     link#7             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#3                        UHS         lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
fe80::%lo1/64                     link#6                        U           lo1
fe80::1%lo1                       link#6                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0

netstat -rn from jail:

Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
127.1.0.3          link#6             UH          lo1
172.16.10.3        link#10            UH          lo0

Ports are not being redirect from host to jail. Tried all combinations and didn't work.

from my laptop ping:
Code:
ping 172.16.10.3 -t

Pinging 172.16.10.3 with 32 bytes of data:
Reply from 172.16.0.3: Destination host unreachable.
Reply from 172.16.0.3: Destination host unreachable.
 
FreeBSD ldrive 13.1-RC3
Not related to the issue but you should update, 13.1 has been released now, you still have an old release candidate here.

I am using ezjail to manage all jails (find it easier)
Ezjail was very good but the developer stopped working on it a long time ago and it's starting to get stale. A good alternative is sysutils/bastille. Now, ezjail isn't the problem here though, so just take this as advice for your next install.

Code:
cloned_interfaces="lo1"
cloned_interface="vlan1"
ifconfig_vlan1="inet 172.16.10.1 netmask 255.255.0.0 vlan 1 vlandev bce1"
cloned_interface="vlan2"
ifconfig_vlan2="inet 172.16.10.2 netmask 255.255.0.0 vlan 2 vlandev bce1"
cloned_interface="vlan3"
ifconfig_vlan3="inet 172.16.10.3 netmask 255.255.0.0 vlan 3 vlandev bce1"
The way you defined cloned_interface here doesn't work the way you think it does. That last cloned_interface is the only one that actually gets applied. rc.conf is basically a shell script that only has variables. Case in point:
Code:
#!/bin/sh

foo="bar"
foo="bar2"

echo $foo
This will print bar2 because the second assignment overwrites the first. The same thing will happen to all those cloned_interface you've set. Also note that it's cloned_interfaces, not cloned_interface.

To add more interfaces to cloned_interfaces you define a list, separated by spaces:
Code:
cloned_interfaces="lo1 vlan1 vlan2 vlan3"

VLANs can be defined in a 'better' way in rc.conf. As for the VLAN IDs themselves, watch out for VLAN ID 1, that's typically the default VLAN, it has a special meaning.
Code:
vlans_bce1="1 2 3"
ifconfig_bce1_1="...."
ifconfig_bce1_2="....."
ifconfig_bce1_3="...."

According to your rc.conf, all your VLAN interfaces are on the same subnet (172.16.0.0/16). Multiple interfaces in the same subnet is a bad idea. Don't do this. Judging by this odd use of VLANs I'm suspecting you don't really know what a VLAN is or how a VLAN is supposed to be used.

Now, onto the firewall rules.
Code:
nat on $wan_if from $jails to any -> ($wan_if)
This rule sets up NAT for the outgoing traffic from your jails. That's good.

Code:
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 80, 443, 27015, 27016, 7777 }  -> 172.16.10.3
rdr pass on $wan_if inet proto {tcp, udp} from any to any port { 27005, 27020, 51840 }  -> 172.16.10.3
Watch out for rdr pass. The pass will cause this traffic to be allowed and no other rules will be evaluated. Which means you cannot block it anymore with additional rules (to block abusers for example). Split this up into separate rdr and pass rules, that will give you much better control.

Ports 80 and 443 are for HTTP(S) traffic, that's TCP only, don't pass and allow UDP here. The ports for the game server will depend on the game, some use UDP, some TCP and some both, check the game's documentation for this.

Code:
pass in on $lan_if from 172.16.10.1 to any tag jailwwwserver    keep state
pass in on $lan_if from 172.16.10.2 to any tag jailmailserver   keep state
pass in on $lan_if from 172.16.10.3 to any tag jailgameserver   keep state
You don't have to add the keep state, it's implied. Rules aren't going to work though because your jails aren't bound to $lan_if (bce1) but to vlan3.

Code:
##############################
# Blokada portow             #
##############################
Those are all wrong. The variables are missing a $. And it's fairly useless in any case. Just start with a block in on $wan_if and selectively pass in on $wan_if the traffic you want/need.
 
:beer: Sir_Dice thanks for your reply. I have changed everything you recommended including bastille - it looks like it's also easy to manage jails with it. Took me a little while to delete old jails and setup bastille. The only issue I have now ping is not working both ways - I cannot ping from jail so I am not sure if there is internet access and still cannot ping from my laptop to jail. The only thing I didn't follow from your recommendation is subnet in jail. Is there a subnet you would recommend?

Last thing when I was setting up my linux jail to run steamcmd and teamspeak server on it I noticed when run command
Code:
dpkg --force-depends -i /var/cache/apt/archives/*.deb
I have an output:
Code:
/var/lib/dpkg/info/apt.postinst: 85: /var/lib/dpkg/info/apt.postinst: cannot create /dev/null: Operation not supported
/var/lib/dpkg/info/apt.postinst: 91: /var/lib/dpkg/info/apt.postinst: cannot create /dev/null: Operation not supported
/var/lib/dpkg/info/apt.postinst: 102: /var/lib/dpkg/info/apt.postinst: cannot create /dev/null: Operation not supported
/var/lib/dpkg/info/apt.postinst: 108: /var/lib/dpkg/info/apt.postinst: cannot create /dev/null: Operation not supported
Setting up cron (3.0pl1-128.1ubuntu1) ...
/var/lib/dpkg/info/cron.postinst: 46: /var/lib/dpkg/info/cron.postinst: cannot create /dev/null: Operation not supported
addgroup: The group `crontab' already exists as a system group. Exiting.
/var/lib/dpkg/info/cron.postinst: 49: /var/lib/dpkg/info/cron.postinst: cannot create /dev/null: Operation not supported
dpkg-statoverride: error: an override for '/usr/bin/crontab' already exists; aborting
dpkg: error processing package cron (--install):
 installed cron package post-installation script subprocess returned error exit status 2
Setting up dbus (1.12.2-1ubuntu1) ...
/var/lib/dpkg/info/dbus.postinst: 34: /var/lib/dpkg/info/dbus.postinst: cannot create /dev/null: Operation not supported
dpkg-statoverride: error: an override for '/usr/lib/dbus-1.0/dbus-daemon-launch-helper' already exists; aborting
dpkg: error processing package dbus (--install):
 installed dbus package post-installation script subprocess returned error exit status 2
Setting up init (1.51) ...
dpkg: initramfs-tools-core: dependency problems, but configuring anyway as you requested:
 initramfs-tools-core depends on kmod | module-init-tools; however:
  Package kmod is not configured yet.
  Package module-init-tools is not installed.
 initramfs-tools-core depends on udev; however:
  Package udev is not configured yet.

Setting up initramfs-tools-core (0.130ubuntu3) ...
Setting up initramfs-tools (0.130ubuntu3) ...
/usr/sbin/update-initramfs: 27: /usr/sbin/update-initramfs: cannot create /dev/null: Operation not supported
dpkg: libnss-systemd:amd64: dependency problems, but configuring anyway as you requested:
 libnss-systemd:amd64 depends on systemd (= 237-3ubuntu10); however:
  Package systemd is not configured yet.

Setting up libnss-systemd:amd64 (237-3ubuntu10) ...
First installation detected...
Checking NSS setup...
Can't open /dev/null: No such file or directory
dpkg: error processing package libnss-systemd:amd64 (--install):
 installed libnss-systemd:amd64 package post-installation script subprocess returned error exit status 2
dpkg: libpam-systemd:amd64: dependency problems, but configuring anyway as you requested:
 libpam-systemd:amd64 depends on systemd (= 237-3ubuntu10); however:
  Package systemd is not configured yet.
 libpam-systemd:amd64 depends on dbus; however:
  Package dbus is not configured yet.

Setting up libpam-systemd:amd64 (237-3ubuntu10) ...
sh: 1: cannot create /dev/null: Operation not supported
sh: 1: cannot create /dev/null: Operation not supported
dpkg: logrotate: dependency problems, but configuring anyway as you requested:
 logrotate depends on cron | anacron | cron-daemon; however:
  Package cron is not configured yet.
  Package anacron is not installed.
  Package cron-daemon is not installed.
  Package cron which provides cron-daemon is not configured yet.

Setting up logrotate (3.11.0-0.1ubuntu1) ...
dpkg: netplan.io: dependency problems, but configuring anyway as you requested:
 netplan.io depends on systemd (>= 235-3ubuntu3); however:
  Package systemd is not configured yet.

Setting up netplan.io (0.36.1) ...
Setting up nplan (0.36.1) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
Processing triggers for ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Errors were encountered while processing:
 /var/cache/apt/archives/rsyslog_8.32.0-1ubuntu4_amd64.deb
 kmod
 procps
 login
 passwd
 console-setup-linux
 systemd
 udev
 cron
 dbus
 libnss-systemd:amd64

when I try to run in jail:
Code:
apt update && apt upgrade
I have output as follows:
Code:
Get:1 http://archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
0% [1 InRelease gpgv 242 kB]gpgv: Signature made Fri Apr 27 00:38:40 2018 BST
gpgv:                using RSA key 3B4FE6ACC0B21F32
gpgv: key 3B4FE6ACC0B21F32 was created 552 days in the future (time warp or clock problem)
gpgv: key 3B4FE6ACC0B21F32 was created 552 days in the future (time warp or clock problem)
gpgv: key 3B4FE6ACC0B21F32 was created 552 days in the future (time warp or clock problem)
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>"
Reading package lists... Done
E: Release file for http://archive.ubuntu.com/ubuntu/dists/bionic/InRelease is not valid yet (invalid for another 2728d 23h 44min 44s). Updates for this repository will not be applied.

for ping:
Code:
 ping 8.8.8.8
ping: socket: Protocol not supported
 
Little update, linux compatibility is working now in jail. There was a problem with date and time, sorted. Only ping I need to get working and I need to have properly configured ports opened so my services will run.
 
Back
Top