Le Wed, 26 Feb 2020 07:39:27 -0800,
Chris a écrit :
> On Wed, 26 Feb 2020 10:31:59 + kaycee gb
> kisscoolandthegangb...@hotmail.fr said
>
> > Le Tue, 25 Feb 2020 13:43:50 -0800,
> > Chris a écrit :
> >
> > > On Tue, 25 Feb 2020 19:50:11 + kaycee gb
> > > kisscoolandthegangb...@hotmail.fr said
> > >
> > > > Hi,
> > > >
> > > > First, sorry english is not my native language. I will try to be as
> > > precise
> > > > as
> > > > possible.
> > > >
> > > > And also I am not sure it is only pf related. Let me know in this case
> > > > please.
> > > > Maybe it would be for net an jail too.
> > > >
> > > > So, I have two cases maybe related.
> > > >
> > > > First one is for using rdr translation rule.
> > > > I have a host with FreeBSD 11.3 amd64 hosting some jails. I want to join
> > > > one service from the outside. Using one rdr rule like this one, all
> > > > seems
> > > to
> > > > work fine. I have acces to the service.
> > > >
> > > > > rdr pass on $ext_if inet proto tcp from any to $ext_if port 443
> > > > > -> $j_one port 443
> > > >
> > > > But in case I want to apply some options to this, I have to split it in
> > > > 3. This
> > > > is the relevant part of my config that makes it work
> > > >
> > > > > # Emulate skip on lo0
> > > > > passquick on lo0 from 127.0.0.1 to
> > > > > 127.0.0.1
> > > > > # jail internal comms
> > > > > passquick on lo0 from $j_one to
> > > $j_one
> > > > >
> > >> ># other traffic ( do not know yet why it is necessary and why no
> > >interface
> > >> >specified in mandatory )
> > > > > passin quick proto tcp from any to $j_one port 443
> > > > >
> > > > > # block all on lo0
> > > > > block log quick on lo0
> > > > >
> > > > > rdr on $ext_if inet proto tcp from any to $ext_if port 443 ->
> > > > > $j_one port 443
> > > > > passin quick on $ext_if proto tcp from any to $j_one port
> > > > > 443
> > >
> > > >
> > > > See the two lines at the end which are the first two parts. The third
> > > > part is
> > > > the line after the "other traffic comment". After a lot of error and
> > > retry,
> > > > this line have to be wrote like that. I can not add "on lo0" on this
> > > > line
> > > or
> > > > the
> > > > service is not reachable.
> > > >
> > > > I'm using jails since some time now and remember having jail traffic
> > > > bound to
> > > > lo0 before even in my configuration jails have another interface defined
> > > (a
> > > > bridge generally).
> > > >
> > > > So I would like to know why isn't it possible to limit more this rule ?
> > > > I tried all other interfaces present in my system, and that do not work
> > > > either.
> > > > Using tcpdump, I can't see the traffic related to this service on any
> > > > interface except the external one. It's a little bit strange for me.
> > > >
> > > > Finally, I will write another mail for the other case.
> > > FWIW I simply add additional lo interfaces (lo0, lo1, lo2, ...)
> > > when I attempt these sort of things. As it seems to simplify things in my
> > > head.
> > > For example, rc.conf
> > > cloned_interfaces="lo1 lo2"
> > > ifconfig_lo1="inet 127.0.0.2"
> > > ifconfig_lo2="inet 127.0.0.3"
> >
> > IIRC, lo1 lo2 ... like bridges bridge0 bridge1 are just "virtual interfaces"
> > that helps with jail configuration file. Jail traffic is in reality going
> > through lo0.
> > When I started using jails, I was using lo1 lo2 ... too but after trying one
> > time or two with bridge interfaces, I decided to stay with bridges, it was
> > more
> > in my head more like a switch for jails, and that worked in the same way.
> > Just
> > a matter of preference.
> Sure. Understood. :) The server I excerpt these from has a *much*
> larger pf.conf(1), and manages (filters mostly) ~50 million IPs. I
> chose things as they are, because somehow they made it easier in my head
> at the time. :)
50 million, it start to be something :)
> > >
> > > This allows me to treat them as any other NIC. I route as necessary to my
> > > NIC to the outside world; pf.conf(5):
> > > EXT_ADDR="ou.ts.ide.ip"
> > > # contains 127.0.0.0/24 and other trusted IPs. Sometimes helpful.
> > > table persist file "/etc/TRUSTED"
> > >
> > >
> > > set skip on { lo0, lo1, lo2 }
> >
> > You could just write set skip on lo0, that would have the same effect. I
> > emulate this for host traffic because I filter inter jails communications.
> *Actually* it is enough to simply use lo, and in fact I still do. But there
> were some changes to pf(4), (some I think should not have been made) that
> currently prevent me from using that. I had to roll back one of our 12.x
> servers because of the changes.
Yeap, changes sometimes make us do that. :x
12.X seems to have introduced a certain amount of changes. I have some sort of
inernal process for installing my systems. Tried to install a 12.0 some weeks
ago that way and it failed.