Hello everyone,
I'm currently working on setting up a FreeBSD server hosting multiple Bastille jails for a webmail/mail server project.
I come from an IT engineering background but have been in management/bullshit for about 15 years, and I'm now diving back into hands-on system administration.
Setup Overview:
- Host machine: FreeBSD 14.3-RELEASE with public IP
- Using BastilleBSD to manage jails (created with the plain bastille create command, so no VNET, just an alias on lo1)
- Three jails:
  - Mail jail: Postfix + Dovecot for SMTP/IMAP
  - Webmail jail: Roundcube for the webmail UI
  - Database jail: MariaDB server for mail/webmail data storage
Each jail has a dedicated IP on an internal subnet, 10.0.0.0/24, aliased on the host's lo1 interface.
Example IPs:
- Mail jail: 10.0.0.2
- Webmail jail: 10.0.0.3
- DB jail: 10.0.0.4
Problem:
From the mail jail itself, I cannot connect to external services (for example, telnet on port 25 to external SMTP servers fails).
From the host, outgoing connectivity works fine, and incoming traffic on ports (25, 587, 80, 443, etc.) is correctly redirected to the jails.
Also, I cannot ping external IPs from inside the mail jail.
Connecting to the SMTP server (Postfix) via telnet is working from the mail jail and from the host.
From the internet, I see the connection in the maillog, but the SMTP banner never arrives on the telnet client.
- My knowledge of PF and networking is limited (probably 2nd grade level), so I believe the issue lies in my PF firewall / NAT configuration on the host.
- Possibly related to NAT, routing, or blocking rules for packets going out from the jail or returning inbound traffic.
Details about Bastille and jails and the host:
Host rc.conf:
Code:
##############################
# rc.conf #
# Rémi #
# 25/08/08 #
##############################
# system and network configuration
hostname="ovh.assailly.com"
ifconfig_DEFAULT="DHCP inet6 accept_rtadv"
# enable filesystem growth on first boot
growfs_enable="YES"
# essential services
sshd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
# message of the day
update_motd="NO"
dynamic_motd="YES"
# security
fail2ban_enable="YES"
# network interfaces
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
# jails
bastille_enable="YES"
bastille_listen="YES"
bastille_autostart="YES"
My jail.conf snippet for the mail jail:
Code:
mail {
    enforce_statfs = 2;
    devfs_ruleset = 4;
    exec.clean;
    exec.consolelog = /var/log/bastille/mail_console.log;
    exec.start = '/bin/sh /etc/rc';
    exec.stop = '/bin/sh /etc/rc.shutdown';
    host.hostname = mail;
    mount.devfs;
    mount.fstab = /usr/local/bastille/jails/mail/fstab;
    path = /usr/local/bastille/jails/mail/root;
    securelevel = 0;
    osrelease = 14.3-RELEASE;
    allow.raw_sockets = 1;
    ip4.addr = lo1|10.0.0.2;
    ip6 = disable;
}
pf.conf on the host:
Code:
# /etc/pf.conf
# PF config for FreeBSD Bastille jails setup
# Author: Rémi
# Date: 2025-08-09
## Variables
ext_if = "igb0" # public interface (change if needed)
jail_net = "10.0.0.0/24" # network used by the jails
mail_jail = "10.0.0.2" # mail jail IP
web_jail = "10.0.0.3" # webmail jail IP
admin_ip = x.x.x.x
## Skips
set skip on lo0
set skip on lo1
## Tables
table <fail2ban> persist
table <jails> persist
## NAT - let the jails go out through the external interface
nat on $ext_if from $jail_net to any -> ($ext_if)
## Inbound redirections (rdr) to the jails - must come before the block
# Mail (SMTP, submission, IMAPS, POP/IMAP)
rdr pass on $ext_if proto tcp from any to ($ext_if) port 25 -> $mail_jail
rdr pass on $ext_if proto tcp from any to ($ext_if) port 587 -> $mail_jail
rdr pass on $ext_if proto tcp from any to ($ext_if) port 993 -> $mail_jail
rdr pass on $ext_if proto tcp from any to ($ext_if) port 110 -> $mail_jail
rdr pass on $ext_if proto tcp from any to ($ext_if) port 143 -> $mail_jail
# Webmail / HTTP(S)
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_jail
rdr pass on $ext_if proto tcp from any to ($ext_if) port 443 -> $web_jail
## Filtering rules - fail2ban quick block
block in quick from <fail2ban> to any
## Administration allowance (IMPORTANT) for debugging
# pass in quick on $ext_if proto tcp from $admin_ip to ($ext_if) port {Mysshport} keep state
## Allowances for the jails (replies and required outbound)
# DNS (UDP + TCP) for the jails
pass out on $ext_if proto { udp tcp } from $jail_net to any port 53 keep state
# Outbound HTTP/HTTPS (if needed from the jails)
pass out on $ext_if proto tcp from $jail_net to any port { 80 443 } keep state
# Outbound SMTP: only allow the mail jail out on port 25
pass out on $ext_if proto tcp from $mail_jail to any port 25 keep state
# Optional: outbound submission (587) if you relay through an authenticated relay
pass out on $ext_if proto tcp from $mail_jail to any port 587 keep state
# Outbound ICMP (ping) from the jails
pass out on $ext_if inet proto icmp from $jail_net to any keep state
## Allow inbound for the redirected services (stateful replies allowed)
pass in on $ext_if proto tcp to ($ext_if) port { 25, 80, 443, 110, 143, 587, 993 } keep state
## Final safety: block everything else
block all
Questions / Requests:
- Is there a known limitation or special configuration needed for NAT and routing with Bastille jails without VNET?
- Should I consider migrating to VNET jails for proper external connectivity?
- Any suggestions on debugging or missing PF rules?
- Anything specific to Bastille BSD or jail networking that I may have overlooked?
Thank you in advance for your help!
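pf evaluates filter rules top to bottom and the last matching rule wins unless it carries `quick`, so with `block all` placed last in the posted ruleset every `pass out` above it is overridden, which fits outbound from the jails failing while the `rdr pass` rules (which bypass the filter) still deliver inbound connections. The following is an added example, not the poster's configuration, showing the same intent with the default deny placed first; it keeps the `x.x.x.x` and `Mysshport` placeholders from the post and assumes the host itself also needs outbound access (the last rule).

```pf
# /etc/pf.conf -- added example, not the original poster's file.
# Same macros and intent as the posted ruleset, but the default deny
# comes BEFORE the pass rules: pf applies the LAST matching rule unless
# a rule says "quick", so a trailing "block all" would win every time.
ext_if    = "igb0"
jail_net  = "10.0.0.0/24"
mail_jail = "10.0.0.2"
web_jail  = "10.0.0.3"
admin_ip  = "x.x.x.x"          # placeholder kept from the post: fill in

set skip on lo0
set skip on lo1                # jail aliases live here; nothing to filter

table <fail2ban> persist

# Translation (nat/rdr) must precede filter rules in FreeBSD's pf.conf.
nat on $ext_if from $jail_net to any -> ($ext_if)

# "rdr pass" both redirects and passes, bypassing the filter below; this is
# why inbound already reached the jails even while outbound was blocked.
rdr pass on $ext_if proto tcp from any to ($ext_if) port { 25, 587, 993, 110, 143 } -> $mail_jail
rdr pass on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_jail

# Default deny first. "log" lets "tcpdump -n -e -ttt -i pflog0" show drops.
block log all

# Banned clients: "quick" stops evaluation so nothing below re-admits them.
block in quick from <fail2ban> to any

# Admin SSH for debugging; uncomment after replacing the port placeholder.
# pass in quick on $ext_if proto tcp from $admin_ip to ($ext_if) port {Mysshport}

# Outbound from the jails (NAT'd above). Pass rules keep state by default,
# so replies to these connections come back in without extra rules.
pass out on $ext_if proto { udp, tcp } from $jail_net to any port 53
pass out on $ext_if proto tcp from $jail_net to any port { 80, 443 }
pass out on $ext_if proto tcp from $mail_jail to any port { 25, 587 }
pass out on $ext_if inet proto icmp from $jail_net to any icmp-type echoreq

# Assumption: the host itself also needs outbound (DNS, DHCP renew, pkg).
pass out on $ext_if from ($ext_if) to any
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading, then confirm the loaded order with `pfctl -sr` and watch `pfctl -ss` for a state appearing when the jail opens an outbound connection. A missing SMTP banner is also consistent with outbound being blocked: Postfix looks up the connecting client's name in DNS before sending its 220 greeting, and that lookup cannot complete from a jail with no path to a resolver.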