Solved Set up PF.CONF to allow to redirect port 1965 (gemini) over the jail

Hi there,

I am trying to get my "Gemini Capsule" working again, however my former documentation is not "working" and even following the official documentation is working out.

Code:
freebsd-version
13.2-RELEASE-p1

Basically I can't get the Bastille jail communicating with the public network, I followed the basic procedure available here: https://bastillebsd.org/getting-started/

This is the procedure to clone the loopback interface:
Code:
sysrc cloned_interfaces+=lo1
sysrc ifconfig_lo1_name="bastille0"
service netif cloneup

This is the pf.conf setup:
Code:
ext_if="vtnet0"

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 20/3600, overload <bruteforce> flush global)
Any help is really appreciated, thanks!
 
Using W3M inside the jail, I confirmed the opposite: the jail can reach the internet... I am even more confused!!!
 
Code:
static_routes="linklocal"
route_linklocal="-net 169.254.0.0/16 -interface vtnet0"
Why are you adding this? 169.254/16 are link-local addresses.

Link-local addresses are not guaranteed to be unique beyond their network segment. Therefore, routers do not forward packets with link-local source or destination addresses.

however now it looks like I can't reach the jail from my gemini client
You haven't forwarded any ports to the jail. How is the service in the jail supposed to be reached from the outside world?
 
SirDice

Thanks for clarifying where the issue is; another friend of mine told me the same. I am not redirecting any call to the right port, in my case port 1965. Basically I didn't update my documentation properly and over time completely forgot this detail...

Regarding your question about link-local: this is a setting provided by the Vultr image; the former image had this setup:

Code:
hostname="old-vultr"
sshd_enable="YES"
ntpd_enable="YES"
static_routes="linklocal"
devmatch_blacklist="virtio_random.ko"
sendmail_enable="NONE"
ifconfig_vtnet0="DHCP -rxcsum -tso"

# cloned_interface="lo1"
ifconfig_lo1_name="bastille0" 
bastille_enable="YES"

# PF
pf_enable="YES"

FreeBSD Vultr images aren't the best, for instance they come without a swap partition.
 
So the issue was the pf.conf; this is the new one:

Code:
ext_if="vtnet0"

# ! IMPORTANT: this needs to be set before you can start using it!
ext_addr=<YOUR IP>

# gmid related
gmid_addr=10.10.2.20

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> $ext_addr

# container routes
rdr pass inet proto tcp from any to port 1965 -> $gmid_addr port 1965

# Enable dynamic rdr (see below)
rdr-anchor "rdr/*"

block in all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 20/3600, overload <bruteforce> flush global)
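As an added check (not from the thread or from Bastille), a small POSIX sh script that expands the macro behind the rdr rule in a pf.conf shaped like the final one above and refuses the file while `<YOUR IP>` is still the placeholder; the sample pf.conf it writes is constructed here, the RFC 5737 documentation address 198.51.100.7 stands in for the real one, and pfctl is only invoked where it is installed.

```shell
#!/bin/sh
# Pre-flight checks for a pf.conf shaped like the final one above (added example,
# not from the thread). Expands the $macro behind "-> target" in the rdr rule and
# rejects the file while the "<YOUR IP>" placeholder is still in place.
# Assumes name=value macro lines as above; pfctl runs only where it is installed.

# Value of macro $2 in pf.conf $1, surrounding double quotes stripped.
pf_macro() {
    awk -F= -v name="$2" '$1 == name { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Redirect target for TCP port $2 in pf.conf $1, macro expanded; empty if none.
pf_rdr_target() {
    target=$(awk -v p="$2" '$1 == "rdr" {
        for (i = 1; i <= NF; i++) if ($i == "port" && $(i + 1) == p)
            for (j = i; j <= NF; j++) if ($j == "->") { print $(j + 1); exit }
    }' "$1")
    case $target in
        \$*) pf_macro "$1" "${target#\$}" ;;
        *)   printf '%s\n' "$target" ;;
    esac
}

# 0 = ok, 1 = ext_addr still a placeholder, 2 = no rdr rule for tcp/$2.
pf_preflight() {
    ext=$(pf_macro "$1" ext_addr)
    case $ext in
        ''|*'<'*'>'*) echo "ext_addr not set ($ext): edit pf.conf first" >&2; return 1 ;;
    esac
    tgt=$(pf_rdr_target "$1" "$2")
    [ -n "$tgt" ] || { echo "no rdr rule for tcp/$2: jail unreachable from outside" >&2; return 2; }
    echo "tcp/$2 on $ext -> $tgt"
    # pfctl -n only parses the file; skipped on hosts without pf.
    if command -v pfctl >/dev/null 2>&1; then pfctl -nf "$1"; fi
}

# Constructed sample in the shape of the thread's final pf.conf; $2 is ext_addr.
write_sample_conf() {
    printf '%s\n' "ext_addr=$2" 'gmid_addr=10.10.2.20' \
        'rdr pass inet proto tcp from any to port 1965 -> $gmid_addr port 1965' > "$1"
}

sample=${TMPDIR:-/tmp}/pf.conf.$$
write_sample_conf "$sample" '<YOUR IP>'
pf_preflight "$sample" 1965 || echo "rejected as expected (rc=$?)"
write_sample_conf "$sample" 198.51.100.7      # RFC 5737 documentation address
pf_preflight "$sample" 1965                   # tcp/1965 on 198.51.100.7 -> 10.10.2.20
rm -f "$sample"
```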
 