Re: usage of rdr and pass validation

[kaycee gb]

Le Wed, 26 Feb 2020 07:39:27 -0800,
Chris  a écrit :

> On Wed, 26 Feb 2020 10:31:59 + kaycee gb
> kisscoolandthegangb...@hotmail.fr said
> 
> > Le Tue, 25 Feb 2020 13:43:50 -0800,
> > Chris  a écrit :
> > 
> > > On Tue, 25 Feb 2020 19:50:11 + kaycee gb
> > > kisscoolandthegangb...@hotmail.fr said
> > >   
> > > > Hi,
> > > > 
> > > > First, sorry english is not my native language. I will try to be as
> > > precise
> > > > as
> > > > possible. 
> > > > 
> > > > And also I am not sure it is only pf related. Let me know in this case
> > > > please.
> > > > Maybe it would be for net an jail too. 
> > > > 
> > > > So, I have two cases maybe related. 
> > > > 
> > > > First one is for using rdr translation rule. 
> > > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to join
> > > > one service from the outside. Using one rdr rule like this one, all
> > > > seems
> > > to
> > > > work fine. I have acces to the service.
> > > >   
> > > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443
> > > > > -> $j_one port 443   
> > > > 
> > > > But in case I want to apply some options to this, I have to split it in
> > > > 3. This
> > > > is the relevant part of my config that makes it work 
> > > >   
> > > > > # Emulate skip on lo0
> > > > > passquick   on lo0  from 127.0.0.1  to
> > > > > 127.0.0.1
> > > > > # jail internal  comms
> > > > > passquick   on lo0  from $j_one to
> > > $j_one
> > > > > 
> > >> ># other traffic ( do not know yet why it is necessary and why no
> > >interface
> > >> >specified in mandatory )
> > > > > passin  quick   proto tcp from any to $j_one port 443
> > > > >
> > > > > # block all on lo0
> > > > > block   log quick   on lo0
> > > > >
> > > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443  ->
> > > > > $j_one port 443
> > > > > passin  quick   on $ext_if proto tcp from any to $j_one port
> > > > > 443 
> > > 
> > > > 
> > > > See the two lines at the end which are the first two parts. The third
> > > > part is
> > > > the line after the "other traffic comment". After a lot of error and
> > > retry,
> > > > this line have to be wrote like that. I can not add "on lo0" on this
> > > > line
> > > or
> > > > the
> > > > service is not reachable. 
> > > > 
> > > > I'm using jails since some time now and remember having jail traffic
> > > > bound to
> > > > lo0 before even in my configuration jails have another interface defined
> > > (a
> > > > bridge generally). 
> > > > 
> > > > So I would like to know why isn't it possible to limit more this rule ?
> > > > I tried all other interfaces present in my system, and that do not work
> > > > either.
> > > > Using tcpdump, I can't see the traffic related to this service on any
> > > > interface except the external one. It's a little bit strange for me. 
> > > > 
> > > > Finally, I will write another mail for the other case.  
> > > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> > > when I attempt these sort of things. As it seems to simplify things in my
> > > head.
> > > For example, rc.conf
> > > cloned_interfaces="lo1 lo2"
> > > ifconfig_lo1="inet 127.0.0.2"
> > > ifconfig_lo2="inet 127.0.0.3"  
> > 
> > IIRC, lo1 lo2 ... like bridges bridge0 bridge1 are just "virtual interfaces"
> > that helps with jail configuration file. Jail traffic is in reality going
> > through lo0. 
> > When I started using jails, I was using lo1 lo2 ... too but after trying one
> > time or two with bridge interfaces, I decided to stay with bridges, it was
> > more
> > in my head more like a switch for jails, and that worked in the same way.
> > Just
> > a matter of preference.
> Sure. Understood. :) The server I excerpt these from has a *much*
> larger pf.conf(1), and manages (filters mostly) ~50 million IPs. I
> chose things as they are, because somehow they made it easier in my head
> at the time. :)

50 million, it start to be something :)
> > > 
> > > This allows me to treat them as any other NIC. I route as necessary to my
> > > NIC to the outside world; pf.conf(5):
> > > EXT_ADDR="ou.ts.ide.ip"
> > > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> > > table  persist file "/etc/TRUSTED"
> > > 
> > > 
> > > set skip on { lo0, lo1, lo2 }  
> > 
> > You could just write set skip on lo0, that would have the same effect. I
> > emulate this for host traffic because I filter inter jails communications.
> *Actually* it is enough to simply use lo, and in fact I still do. But there
> were some changes to pf(4), (some I think should not have been made) that
> currently prevent me from using that. I had to roll back one of our 12.x
> servers because of the changes.

Yeap, changes sometimes make us do that. :x
12.X seems to have introduced a certain amount of changes. I have some sort of
inernal process for installing my systems. Tried to install a 12.0 some weeks
ago that way and it failed. 

Re: Updating our translation functionality

[Kristof Provost]

On 27 Feb 2020, at 10:08, J.R. Oldroyd wrote:
I read back and found the thread last August "Update to PF from 
OpenBSD

6.5".

I was going to ask the same thing but, given the complexities 
discussed
in the responses there, perhaps the question should be asked a 
different

way round.

How much work would it be to add in OpenBSD's latest translation
functionality to our implementation?

OpenBSD's pf has new translation functionality, specifically nat64
support using the "af-to" syntax.  At the same time, existing
translation syntax was changed with the nat, binat and rdr rule
syntax changing to "pass ... nat-to ..." etc.

I think it is good that we are still called "pf" here and that we do 
try
to maintain compatibility with other pf implementations.  So, we 
should
consider adding the new translation functionality to our 
implementation.

Understood that this means requiring changes to existing pf.conf
configurations but these can be documented with examples and announced
in advance.

How big of a project would this be?


I don’t know.
I’ve not specifically investigated the nat64 bits, and they’re (to 
me) the least interesting bits as well.


It’s possible that they can be imported without too much trouble, but 
someone would have to sit down and spend the time on it.
Right now this isn’t even on my todo list and I’m not planning to 
add it either.


Given that this change would break compatibility with existing 
configurations (unless significant extra work is done to cope with this) 
I’m not keen on it. I’d need to see very good arguments for 
introducing an intermediate painful step between the current situation 
and a state where we have the same syntax as OpenBSD.


If you’re looking for nat64, IPFW has an implementation.

Best regards,
Kristof
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"

Updating our translation functionality

[J.R. Oldroyd]

Hi,

I read back and found the thread last August "Update to PF from OpenBSD
6.5".

I was going to ask the same thing but, given the complexities discussed
in the responses there, perhaps the question should be asked a different
way round.

How much work would it be to add in OpenBSD's latest translation
functionality to our implementation?

OpenBSD's pf has new translation functionality, specifically nat64
support using the "af-to" syntax.  At the same time, existing
translation syntax was changed with the nat, binat and rdr rule
syntax changing to "pass ... nat-to ..." etc.

I think it is good that we are still called "pf" here and that we do try
to maintain compatibility with other pf implementations.  So, we should
consider adding the new translation functionality to our implementation.
Understood that this means requiring changes to existing pf.conf
configurations but these can be documented with examples and announced
in advance.

How big of a project would this be?

-jr
___
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"