On 12/07/16 09:10, Beeblebrox via freebsd-pf wrote:
> Hello,
>
> I have a PF problem with TAG evaluation and am completely stumped. It should 
> be very straightforward, but it's not working. Here's what I'm trying to do:
> * I have several jails on cloned lo2
> * Allow only specified port traffic to and from each jail
> * Block all out-going traffic at egress interface (wan0) unless allowed (use 
> tags here)
>
> I've tested with a very simplified PF ruleset, with consistent failure:
>
>  nat on wan0 from !(wan0) -> wan0
>     ## Filters
>  block drop log on wan0 all
>  # tested with both combinations below
>  block drop log on lo2 all \ # set skip on lo0
>  set skip on lo0 \ # block drop log on lo2 all
>
>    ## Jail for Unbound + dns-crypt
>  pass in quick on lo2 proto udp from any to <jail-ip> port 53 tag TD
>  pass out quick on lo2 proto udp from <jail-ip> to any (or wan0) port 
> {53,443,2053} tag TD
>     ## PASSING TAGGED PACKETS ##
>  pass out quick on $ExtIf keep state tagged TD

You can add a log parameter to tag rules and watch your pflog0 for
evidence of a match.  You might find that the packets aren't actually
received by the lo2 interface at all.

> PF blocks outgoing traffic nevertheless. Rule 0 is "block drop log on wan0 
> all"
> 15:47:35.270564 rule 0..16777216/0(match): block out on wan0: 
> 192.168.1.10.51977 > 212.47.228.136.443: UDP, length 768
> 15:47:35.671076 rule 0..16777216/0(match): block out on wan0: 
> 192.168.1.10.56347 > 178.216.201.222.2053: UDP, length 576
>
> I tested a different jail with TCP packets, got same:
> 16:45:46.411698 rule 0..16777216/0(match): block out on wan0: 
> 192.168.1.10.58367 > 192.168.1.1.80: Flags [S], seq 1720787324, win 65535, 
> options [mss 1460,nop,wscale 6,sackOK,TS[|tcp]>
>
> The only thing I can think of is that packets are not being tagged, so the 
> "pass out" rule is not evaluated (pfctl -s state confirms no state for those 
> packets). Is there an issue that packets traversing a cloned lo0 interface 
> cannot be tagged?
>
> Unfortunately tcpdump or such tools, as I understand, cannot display the TAG 
> header, so I'm unable to proceed with debugging.
> Any ideas?
>


-- 
 

Cape Augusta Digital Properties, LLC a Cape Augusta Company
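To make the suggested check concrete, here is an added pf.conf fragment (not from either poster) that puts log on every rule involved in the tag hand-off, so pflog0 shows which of them actually matches. The interface names and the jail address are assumed placeholders, and the set skip option is placed ahead of the filter rules because pf.conf requires options to precede them.

```pf
# Added example, not part of the thread. Placeholder macros:
ext_if  = "wan0"
jail_if = "lo2"
jail_ip = "10.0.0.2"        # assumed address of the unbound/dns-crypt jail on lo2

# Options must come before normalization, translation and filter rules.
set skip on lo0

# Translation: NAT jail traffic leaving the egress interface.
nat on $ext_if from !($ext_if) -> ($ext_if)

# Default deny on both interfaces, logged so every miss shows up on pflog0.
block drop log on $ext_if all
block drop log on $jail_if all

# Tagging rules with log added. If these two lines never appear on pflog0
# while the jail is sending, the packets are not traversing lo2 at all,
# so the tag is never set and the "tagged TD" rule below cannot match.
pass in  log quick on $jail_if proto udp from any to $jail_ip port 53 tag TD
pass out log quick on $jail_if proto udp from $jail_ip to any \
    port { 53, 443, 2053 } tag TD

# Consumer of the tag on the egress interface, also logged.
pass out log quick on $ext_if keep state tagged TD
```

Load it with `pfctl -f /etc/pf.conf` and run `tcpdump -n -e -ttt -i pflog0` while the jail sends a query; `pfctl -vvsr` prints the rule numbers that the `rule N/0(match)` field in each log line refers to.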

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf