Unable to resolve FQDN jails

IPFW, PF, IPF (but not limited) related discussion

Postby thegolum35 » 09 Nov 2012, 09:49

Hello, I'm trying to get my jails working but I have a problem. Indeed, only ICMP connections work; I can't state the problem.

Here is my [FILE]pf.conf[/FILE]
Code:
#Macro

int_if = "fxp0"

# Tables

table <flood> persist
table <*beep**beep**beep**beep*er> persist

# Rules

set skip on lo0
set skip on lo1

scrub in all

nat on $int_if from lo1 to any -> ($int_if)

antispoof for fxp0 inet
block log all # Drop all

pass quick log on $int_if proto { icmp icmp6 } # Allow ping
pass out log on $int_if all

pass in quick on $int_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
#pass in log on $int_if inet proto tcp from any to 192.168.1.40 port 30000 synproxy state (max-src-conn-rate 3/20, overload <flood> flush global)

#pass in quick log on $int_if proto tcp from 192.168.1.0/24 to 192.168.1.40 port 9050
#pass in log on $int_if proto tcp from {!192.168.1.0/24, 10.0.0.0/24} to 192.168.1.40 port 9001

pass in quick log on $int_if from 192.168.50.2 to any

#block quick on $int_if from <flood>
#block quick on $int_if from <*beep**beep**beep**beep*er>


Commented lines are useless for fixing the problem. 192.168.50.2 is the IP of my jail; 192.168.1.0/24 is my network.

Thank you.
thegolum35
Junior Member
 
Posts: 71
Joined: 19 Sep 2010, 09:16

Postby SirDice » 09 Nov 2012, 09:53

What exactly is the problem? You can't resolve your jail hostnames or you can't resolve anything inside a jail?
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
SirDice
Old Fart
 
Posts: 16185
Joined: 17 Nov 2008, 16:50
Location: Rotterdam, Netherlands

Postby thegolum35 » 09 Nov 2012, 10:01

Sorry, I can ping everything but resolving google.fr for example times out.

Postby SirDice » 09 Nov 2012, 10:06

Ah, so it's resolving inside the jail that's the issue. Is [file]/etc/resolv.conf[/file] set up properly in the jail?

There are also no rules allowing TCP/UDP port 53 out for DNS.

Postby thegolum35 » 09 Nov 2012, 10:21

Code:
cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4


And I can see the DNS query pass, and the answer too, but that one isn't forwarded to the jail.

There are also no rules allowing TCP/UDP port 53 out for DNS.

I think that rule does so, am I wrong?
Code:
pass out log on $int_if all


Beeblebrox:

I said that ICMP connections worked, and I had to allow raw sockets for debugging :)

Postby SirDice » 09 Nov 2012, 10:29

thegolum35 wrote: I think that rule does so, am I wrong?
Code:
pass out log on $int_if all

It depends; that allows queries back into your network. But you are using Google's DNS servers, so they are external. Somewhere on your network they need a way out.

Postby thegolum35 » 09 Nov 2012, 10:37

I only have one interface on my server.

Postby SirDice » 09 Nov 2012, 10:39

Have a look with [man=1]tcpdump[/man]. Pay close attention to the source addresses of the queries (the NAT might not work properly).

[cmd=#]tcpdump -nvvi fxp0 port 53[/cmd]

Postby thegolum35 » 09 Nov 2012, 10:45

Code:
tcpdump -nvvi fxp0 port 53

192.168.1.40.55512 > 8.8.8.8.53: [udp sum ok] 23567+ A? apple.com. (27)
11:44:25.362315 IP (tos 0x0, ttl 45, id 14424, offset 0, flags [none], proto UDP (17), length 87)
8.8.8.8.53 > 192.168.1.40.55512: [udp sum ok] 23567 q: A? apple.com. 2/0/0 apple.com. A 17.149.160.49, apple.com. A 17.172.224.47 (59)
11:44:26.287199 IP (tos 0x0, ttl 64, id 5568, offset 0, flags [none], proto UDP (17), length 55)


It seems to work ...

So the problem is that the server doesn't forward the query to the jail. How may I fix this?
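The check SirDice asked for above (look at the source addresses of the queries, because the NAT might be rewriting them) can be scripted. The following is an added example and not something posted in the thread: it takes the text that tcpdump printed, lists the source address of every query to port 53, and tells whether those queries left with the jail's own address or with the host's address. The capture embedded in it is constructed from the two payload lines posted above, with a tcpdump header line put in front of each; the jail address 192.168.1.52 is the one given later in the thread and the host address 192.168.1.40 is the one seen in the capture.

```shell
#!/bin/sh
# Added example, not from the thread: given the output of
#   tcpdump -nvvi fxp0 port 53
# list the source addresses of the DNS queries and decide whether they left
# with the jail's own address or with the host's address (which is what a
# NAT rule on the outside interface does to them).

JAIL_IP="192.168.1.52"   # jail address as stated later in the thread
HOST_IP="192.168.1.40"   # address of the host itself on fxp0

# Constructed capture: the two payload lines posted in the thread, each with
# a tcpdump header line put in front of it (the original paste had them shifted).
SAMPLE_CAPTURE='11:44:25.330000 IP (tos 0x0, ttl 64, id 5567, offset 0, flags [none], proto UDP (17), length 55)
    192.168.1.40.55512 > 8.8.8.8.53: [udp sum ok] 23567+ A? apple.com. (27)
11:44:25.362315 IP (tos 0x0, ttl 45, id 14424, offset 0, flags [none], proto UDP (17), length 87)
    8.8.8.8.53 > 192.168.1.40.55512: [udp sum ok] 23567 q: A? apple.com. 2/0/0 apple.com. A 17.149.160.49, apple.com. A 17.172.224.47 (59)'

# Print each distinct source address of a query sent to port 53.
# tcpdump prints "src.port > dst.port:", so the destination is field 3.
dns_query_sources() {
    printf '%s\n' "$1" | awk '
        $2 == ">" && $3 ~ /\.53:$/ {
            src = $1
            sub(/\.[0-9]+$/, "", src)   # strip the source port
            print src
        }' | sort -u
}

# Exit status: 0 = every query carries the jail address,
#              1 = at least one query carries the host address (NAT rewrote it),
#              2 = no DNS query in the capture at all,
#              3 = a query carries an address that is neither jail nor host.
dns_source_check() {
    capture="$1"; jail="$2"; host="$3"
    srcs=$(dns_query_sources "$capture")
    [ -n "$srcs" ] || return 2
    status=0
    for s in $srcs; do
        if [ "$s" = "$host" ]; then
            status=1
        elif [ "$s" != "$jail" ] && [ "$status" -eq 0 ]; then
            status=3
        fi
    done
    return $status
}

# Human-readable verdict. On the firewall host you would feed it a short
# capture, e.g.:  report "$(tcpdump -c 20 -nvvi fxp0 port 53)"
report() {
    rc=0
    dns_source_check "$1" "$JAIL_IP" "$HOST_IP" || rc=$?
    case $rc in
        0) echo "ok: queries leave as $JAIL_IP, so replies are addressed to the jail" ;;
        1) echo "NAT suspected: queries leave as $HOST_IP, so replies come back to the host, not to the jail" ;;
        2) echo "no DNS traffic seen: check the jail's resolv.conf and the pass out rule for port 53" ;;
        *) echo "queries leave from an address that is neither jail nor host: $(dns_query_sources "$1")" ;;
    esac
}

report "$SAMPLE_CAPTURE"
```

Run against the posted capture it reports the NAT case: the query goes out as 192.168.1.40, so the reply from 8.8.8.8 is addressed to the host, and it is the host that has to hand it back to the jail, which is exactly the step that was failing here.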

Postby SirDice » 09 Nov 2012, 11:13

Is the jail bound to [file]lo1[/file]? And what IP address does it have?

Postby thegolum35 » 09 Nov 2012, 11:33

No, it is not. I was looking for this; how do I do so?
Its IP is 192.168.1.52 (/24).

Postby SirDice » 09 Nov 2012, 12:26

If the jail has 192.168.1.52 then why are the DNS queries coming from 192.168.1.40?

Postby thegolum35 » 09 Nov 2012, 12:34

Because of the NAT rule. I know it's not compulsory, but I'd like to do it that way.

Postby SirDice » 09 Nov 2012, 12:37

And it's probably what's causing the issues. Remove it. As you don't have anything bound to [file]lo1[/file] anyway, it's rather useless.

Postby thegolum35 » 09 Nov 2012, 13:24

But it might work with NAT, no?

Postby SirDice » 09 Nov 2012, 13:37

You don't need NAT.

Postby matoatlantis » 09 Nov 2012, 17:59

Please can you share the exact network range for [FILE]fxp0[/FILE] and [FILE]lo1[/FILE]? As I understood it, your jail [FILE]IP[/FILE] is behind the [FILE]lo1[/FILE] interface.
Also share the output from:

[CMD="#"]netstat -nrfinet[/CMD]

This is just my opinion, but it's better to call your external interface [FILE]"ext_if"[/FILE] rather than [FILE]"int_if"[/FILE] (short for external/internal). Also, if you start to use macros, use them throughout the whole configuration (e.g. line 10 vs line 11 /not counting spaces/).

There are more ways to do it, but as you started creating custom interfaces you must pay attention to what is and is not visible to the external network. One way is to put all [FILE]IPs[/FILE] on [FILE]fxp0[/FILE] and set up the jail. You don't need NAT for that.

Or you can set up the custom interface with a private range and [FILE]NAT[/FILE] it through the [FILE]IP[/FILE] on [FILE]fxp0[/FILE].
[color="Gray"]..when you do things right, people won't be sure you've done anything at all..[/color]
matoatlantis
Member
 
Posts: 510
Joined: 26 Mar 2009, 21:07
Location: bratislava, slovakia
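Two of the points made in this thread (use the macro everywhere once you define it, and you don't need the NAT rule when the jail address sits on fxp0) can be checked mechanically before loading a ruleset. The script below is an added example and not part of the thread: it reports rules that still contain a macro's literal value (in the posted pf.conf that is the antispoof line, which says fxp0 where the nat line says $int_if) and counts nat rules. SAMPLE_CONF is the configuration from the first post with its comments dropped; FIXED_CONF is a constructed rewrite along the lines of matoatlantis's first option, assuming 192.168.1.52 is configured as an alias on fxp0, and is not a configuration anyone in the thread posted.

```shell
#!/bin/sh
# Added example, not from the thread: two small checks over a pf.conf.
# pf_macro_leaks  - rules that use a macro's literal value instead of $macro
# pf_count_nat    - number of nat rules in the ruleset

# The pf.conf from the first post, comments dropped.
SAMPLE_CONF=$(cat <<'EOF'
int_if = "fxp0"
table <flood> persist
set skip on lo0
set skip on lo1
scrub in all
nat on $int_if from lo1 to any -> ($int_if)
antispoof for fxp0 inet
block log all
pass quick log on $int_if proto { icmp icmp6 }
pass out log on $int_if all
pass in quick on $int_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
pass in quick log on $int_if from 192.168.50.2 to any
EOF
)

# Constructed rewrite (assumption: the jail address 192.168.1.52 is an alias on
# fxp0, so no NAT is needed and DNS from the jail is allowed out explicitly).
FIXED_CONF=$(cat <<'EOF'
ext_if = "fxp0"
jail_ip = "192.168.1.52"
set skip on lo0
scrub in all
antispoof for $ext_if inet
block log all
pass quick log on $ext_if proto { icmp icmp6 }
pass out quick log on $ext_if proto { tcp udp } from $jail_ip to any port 53
pass out log on $ext_if all
pass in quick on $ext_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
EOF
)

# Collect quoted macro definitions (name = "value"), then report every
# non-comment, non-definition line that contains a value literally.
pf_macro_leaks() {
    printf '%s\n' "$1" | awk '
        { lines[NR] = $0 }
        /^[A-Za-z_][A-Za-z0-9_]* *= *"[^"]*"/ {
            name = $0; sub(/ *=.*/, "", name)
            val = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
            macro[name] = val
        }
        END {
            for (i = 1; i <= NR; i++) {
                line = lines[i]
                if (line ~ /^#/ || line ~ /^[A-Za-z_][A-Za-z0-9_]* *=/) continue
                for (n in macro)
                    if (index(line, macro[n]) > 0)
                        printf "%s: uses \"%s\" literally; use $%s\n", line, macro[n], n
            }
        }' | sort
}

# Count nat rules; zero is what the thread ends up recommending here.
pf_count_nat() {
    printf '%s\n' "$1" | awk '/^nat /{n++} END{print n+0}'
}

echo "macro leaks in posted config:"
pf_macro_leaks "$SAMPLE_CONF"
echo "nat rules in posted config: $(pf_count_nat "$SAMPLE_CONF")"
echo "macro leaks in rewritten config: $(pf_macro_leaks "$FIXED_CONF")"
echo "nat rules in rewritten config: $(pf_count_nat "$FIXED_CONF")"
```

On a real host run it as `pf_macro_leaks "$(cat /etc/pf.conf)"`, and still let pf parse the file itself with `pfctl -nf /etc/pf.conf` before loading it; the script only checks the two conventions discussed in the thread, not the syntax.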

