Hello everyone,
I have a FreeBSD host with 3 Jails using VNET and EPAIR, where each jail has got its own subnet, and then PF NATs the traffic.
The issue came up when I introduced the block in policy, effectively restricting all inbound traffic to the host.
What I need is to allow icmp, tcp, udp on 80 and 443 from LAN to the Jails. I have been trying countless syntaxes, mostly random examples at this point, hoping that one would work. I read the man page, but still can't understand what I need and how to write it.
FreeBSD's host: 10.16.0.101 vtnet0
Jails:
node1: 192.168.69.254 epair0
node2: 192.168.68.254 epair1
fwlb: 192.168.0.254 epair2
/etc/pf.conf
Code:
ext_if="vtnet0"
NET_JAIL="{ 192.168.69.0/24 192.168.68.0/24 192.168.0.0/24 }"
jails_if="{ epair0a epair1a epair2a }"
scrub in all
# Won't filter traffic on loopback
set skip on lo0
# nat all jail traffic
nat on $ext_if inet from any to any -> ($ext_if)
# Protects against activity from spoofed or forged IPs
antispoof for $ext_if inet
# Exposing JAIL ports to the HOST
#rdr pass on $ext_if inet proto tcp to port {80, 443} -> $NET_JAIL
# Allow SSH/d
pass in quick on $ext_if proto tcp from any to any port ssh
# Allow traceroute
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
# Allow ICMP ping
pass inet proto icmp from any to any
# Allow all OUT, block all IN on $ext_if
block in on $ext_if
pass out
Thanks
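Added example, not the poster's own pf.conf: a ruleset that allows ICMP echo plus TCP/UDP 80 and 443 from the LAN to the three jail subnets while keeping the default block on vtnet0. It assumes the LAN is 10.16.0.0/24 (inferred from the host address 10.16.0.101, so adjust the macro) and that LAN hosts route the 192.168.x.0/24 jail subnets via the FreeBSD host, which needs net.inet.ip.forwarding=1 (gateway_enable="YES" in rc.conf). The important detail is rule order: pf applies the last matching rule unless a rule says quick, so a trailing block in on $ext_if silently overrides every earlier pass in, which is what the posted ruleset does to the ICMP rule.

```pf
ext_if="vtnet0"
jails_if="{ epair0a epair1a epair2a }"
lan_net="10.16.0.0/24"          # assumption: LAN prefix of the host (10.16.0.101)
web_ports="{ 80 443 }"

# Table instead of a macro: tables can be used anywhere a host list is expected
table <jails> { 192.168.69.0/24 192.168.68.0/24 192.168.0.0/24 }

set skip on lo0
scrub in all

# NAT only what actually comes from the jails, not "from any"
nat on $ext_if inet from <jails> to any -> ($ext_if)

# Alternative if the LAN has NO route to the jail subnets: redirect the host's
# own 80/443 to one jail (fwlb here). "rdr pass" also creates the pass rule.
#rdr pass on $ext_if inet proto tcp from $lan_net to ($ext_if) port $web_ports -> 192.168.0.254

antispoof for $ext_if inet

# Default policy FIRST. pf is last-match-wins, so a block placed after the
# pass rules would win over all of them.
block in on $ext_if
pass out

# SSH to the host from anywhere
pass in quick on $ext_if proto tcp from any to any port ssh

# Traceroute (unchanged from the poster's ruleset)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

# ICMP echo request from the LAN to the host itself and to the jails.
# Restricting to echoreq is tighter than "proto icmp from any to any".
pass in on $ext_if inet proto icmp from $lan_net to ($ext_if) icmp-type echoreq
pass in on $ext_if inet proto icmp from $lan_net to <jails> icmp-type echoreq

# HTTP/HTTPS (tcp and udp) from the LAN to the jails. The forwarded packet
# leaves on epairXa under "pass out"; replies match the state created here
# because states are floating (not interface-bound) by default.
pass in on $ext_if inet proto { tcp udp } from $lan_net to <jails> port $web_ports
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and use pfctl -sr to see the loaded rule order; if a pass in still appears after the block in, that ordering is the reason the traffic is dropped. The rdr variant applies when the LAN cannot reach 192.168.x.0/24 directly: the pass rule must then match the post-translation jail address, which rdr pass handles for you.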