IPFW Setting a common IP for both the Public IP and Jail IP

minshew

Hello All,

We are having trouble finding a way to redirect the public IP address to the jail IP address. We have looked into the rc.conf and jail.conf files but are not sure how we should edit any of these files to achieve this.

We have previously been unsuccessful in editing pf values and have been looking into using the ipfw settings.

Would anyone have a better idea of what we might need to do to do this correctly for our system?


BELOW ARE MY FILES:

ipfw.rules file:

Code:
#!/bin/sh
set -e
# https://www.digitalocean.com/community/tutorials/how-to-install-buildbot-freebsd
# Add basic rules as defined by firewall_type, firewall_myservices, etc.
. /etc/rc.firewall
# sh(1) variable assignments: no spaces around "=" and plain ASCII double quotes
IP_PUB="ip_address"
WEB_PORTS="{ 80, 443, 8000 }"
server_www_addr="192.168.2.14"
int_net="192.168.2.0/24"
# https://nileshgr.com/2014/12/07/freebsd-ipfw-nat-jails
# NAT instance 123 translates to/from the public address
ipfw nat 123 config ip $IP_PUB

ipfw add 100 nat 123 from any to a.b.c.d in
ipfw add 101 check-state

index=300
for port in $tcp_service_ports; do
        ipfw add $index allow tcp from any to me $port in
        ipfw add $index allow tcp from me $port to any out
        index=$((index+1))
done

index=400
for port in $udp_service_ports; do
        ipfw add $index allow udp from any to me $port in
        ipfw add $index allow udp from me $port to any out
        index=$((index+1))
done

ipfw add 800 nat 123 ip4 from $int_net to any out

index=500
for port in $out_tcp_ports; do
        ipfw add $index skipto 800 tcp from $int_net to any $port out setup keep-state
        ipfw add $index allow tcp from me to any $port out setup keep-state
        index=$((index+1))
done

index=600
for port in $out_udp_ports; do
        ipfw add $index skipto 800 udp from $int_net to any $port out keep-state
        ipfw add $index allow udp from me to any $port out keep-state
        index=$((index+1))
done
and my ifconfig:
Code:
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
    ether b8:27:eb:6c:52:52
    inet 192.168.2.14 netmask 0xffffffff broadcast 192.168.2.14
    inet 192.168.2.13 netmask 0xffffff00 broadcast 192.168.2.3
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
 

SirDice

Show your jail.conf please. Turn off the firewall for now. Get things working first. Then add the firewall.
 

rf10

You are asking about ipfw, I am using pf. If you are not set on the tool, you can see one of my answers here on how it is accomplished using pf.
 
minshew

jail.conf:

Code:
# Generated by rc.d/jail at 2019-08-31 01:13:37
# https://therub.org/2014/08/11/convert-freebsd-jails-from-rc.conf-to-jail.conf/
allow.raw_sockets = 0;
exec.clean;
exec.start += "/bin/sh /etc/rc";
exec.stop = "";
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.fstab = "/etc/fstab.${name}";
mount.devfs;
mount.fdescfs;
mount.procfs;
allow.mount;
allow.set_hostname = 0;
allow.sysvipc = 0;
enforce_statfs = "2";
path = "/usr/jails/${name}";

homage_www {
        host.hostname = "server_www";
        ip4.addr += "192.168.2.14/32";
        exec.system_user = "root";
        exec.jail_user = "dude";
}
 
minshew

We also tried using the pf way but were unsuccessful. Here is our pf.config

pf.config:
Code:
ext_if = "ue0"
# ext_addr = $ext_if:0
# int_if = "lo1"
# jail_net = $int_if:network

IP_PUB = "ip_address"
WEB_PORTS = "{ 80, 443, 8000 }"

server_www_addr = "192.168.2.14"
int_net = "192.168.2.0/24"

# set skip on lo0
# set block-policy drop

# nat on $ext_if from $jail_net to any -> $ext_addr port 1024:65535 static-port


# nat pass on $ext_if proto tcp from $server_www_addr to any -> $IP_PUB
# The following line works
# rdr pass on $ext_if proto tcp from any to $IP_PUB port $WEB_PORTS -> $server_www_addr

# nat on $ext_if from $int_net to any -> $ext_if
rdr on $ext_if proto tcp from any to $IP_PUB port $WEB_PORTS -> $server_www_addr

# rdr pass on $ext_if inet proto tcp to port $WEB_PORTS -> $server_www_addr
 

rf10

pf.config:

...
# nat on $ext_if from $int_net to any -> $ext_if
rdr on $ext_if proto tcp from any to $IP_PUB port $WEB_PORTS -> $server_www_addr
...
should probably be
Code:
rdr pass on $ext_if proto tcp from any to ($ext_if) port $WEB_PORTS -> $server_www_addr
The NAT lines are commented out - this is probably ok if you don't need jails to be able to go outside of their network.
 

SirDice

minshew add an interface = ue0 to your jail config. The jail will then get bound to the external interface. You can remove all the NAT and redirects. There's no need for the lo1 constructs because you're not limited to a single IP address on the external interface.
 

rf10

minshew add an interface = ue0 to your jail config. The jail will then get bound to the external interface. You can remove all the NAT and redirects. There's no need for the lo1 constructs because you're not limited to a single IP address on the external interface.
This won't work if you have multiple jails binding to the same port (i.e. 3 web servers all running on port 80).

For a simple setup, great advice, though.
 

SirDice

This won't work if you have multiple jails binding to the same port
Each jail will have its own IP address so there's no overlap. The OP isn't limited to a single IP on the external interface.

If there's indeed only one IP address available you would need additional tricks in any case because you cannot redirect the same port to multiple jails. You would need to use something like net/haproxy and redirect based on the HTTP host header.
 
minshew

ezjails
Each jail will have its own IP address so there's no overlap. The OP isn't limited to a single IP on the external interface.

If there's indeed only one IP address available you would need additional tricks in any case because you cannot redirect the same port to multiple jails. You would need to use something like net/haproxy and redirect based on the HTTP host header.

I noticed that ezjails isn't picking up /etc/jail.conf. How would I get it to recognize this?
 
minshew

should probably be
Code:
rdr pass on $ext_if proto tcp from any to ($ext_if) port $WEB_PORTS -> $server_www_addr
The NAT lines are commented out - this is probably ok if you don't need jails to be able to go outside of their network.

This pf change didn't work for me either.
 
minshew

I should mention:
- My group is just trying to get our site to be viewable to the public. We wanted to see if we could set our site up on this server with jails, but it has been difficult for us to get our heads wrapped around how to configure this properly.

- I poked around at this again this weekend, but am not sure if there is something else I am missing. I changed the pf.conf file and the jail.conf file as was suggested, but to no avail.

If all of this is correct, is there something I need to make sure I have configured on my router that I could check?

You guys are really great for taking the time to help me on this and I really appreciate you all being patient with me.
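The two checks below are an added example, not code from the thread or from FreeBSD's own tooling. They cover the two points the thread turns on: whether the jail address sits in the host's LAN subnet (so the router can forward straight to it with no NAT, as SirDice suggests, and why a /32 alias does not count), and whether every jail.conf parameter line carries the terminating semicolon (the posted jail.conf's host.hostname line lacks one). The host and jail addresses and the jail.conf fragment are constructed from the values posted above.

```shell
#!/bin/sh
# Added example: checks for the jail-on-the-host-LAN layout discussed above.
# Addresses and the jail.conf fragment are constructed, not from a live host.

# ip2int DOTTED_QUAD: print the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix2mask PREFIXLEN: print the netmask as a 32-bit integer
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet HOST_IP HOST_PREFIX JAIL_IP: "yes" when the jail address is in
# the host's LAN, so the router reaches it directly and no NAT is needed
same_subnet() {
    mask=$(prefix2mask "$2")
    if [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$3") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# lint_jailconf FILE: print every "name = value" line that lacks the
# terminating ';' jail.conf(5) requires (exit status is always 0)
lint_jailconf() {
    grep -nE '^[[:space:]]*[A-Za-z0-9_.]+[[:space:]]*\+?=[^;]*$' "$1" || true
}

# Constructed jail.conf fragment modelled on the posted one; the host.hostname
# line deliberately omits its ';' so the linter has something to report.
SAMPLE_JAILCONF='homage_www {
        host.hostname = "server_www"
        ip4.addr += "192.168.2.14/24";
        interface = "ue0";
}'

# lint_sample: run the linter over the fragment above
lint_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_JAILCONF" > "$tmp"
    lint_jailconf "$tmp"
    rm -f "$tmp"
}

same_subnet 192.168.2.13 24 192.168.2.14   # host .13/24 and jail .14 from the thread
lint_sample
```

Run it against your own file with lint_jailconf /etc/jail.conf; a line it prints is one jail(8) will refuse to parse.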
 