pf + jail question.
Hi all, May be this question is better to post on -pf or -jail but I really don't know where the problem is. So post here first. I have a FreeBSD-8.0-RELEASE-p2 box with two NICs acting as gateway using pf (with ftp-proxy enabled) in my home network configured as follow: LAN: 10.7.13.0/24 ( + tap0 10.7.14.0/24 for VPN) WAN: IP obtained from ISP. gateway: 10.7.13.254 When I played with jail, I found that fp didn't block the traffic that it should. For example, I have the following line in pf.conf: block quick proto tcp from any to any port 21 Then in the host(gateway): [host] ~ ftp ftp.mozilla.org ftp: connect: Operation not permitted In the jail: [jail1] ~ ftp ftp.mozilla.org Connected to dm-ftp01.mozilla.org. ...(welcome message) Other client on the LAN(Windows): C:\Users\test-userftp ftp.mozilla.org Connected to dm-ftp01.mozilla.org. Connection closed by remote host. The ftp-proxy log when windows client is connecting: #5 accepted connection from 10.7.13.1 #5 proxy cannot connect to server 63.245.208.138: Operation not permitted #5 ending session My jail's IP 10.7.13.99 which is within the subnet of LAN. Do anyone know where the problem is? It seems that the traffic from jail bypasses the pf filtering rules? The following is part of my pf.conf: === ext_if=wan0 int_if={ lan0 } self=10.7.13.254 internal_net={ 10.7.13.0/24, 10.7.14.0/24 } scrub in nat pass on $ext_if from $internal_net to any - ($ext_if) static-port # handling FTP nat-anchor ftp-proxy/* rdr-anchor ftp-proxy/* no rdr on $int_if proto tcp from $internal_net to $self port 21 rdr pass on $int_if proto tcp from $internal_net to any port 21 - \ 127.0.0.1 port 8021 anchor ftp-proxy/* block quick proto tcp from any to any port 21 Thanks, C.C. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
pf + jail question.
Hi all, May be this question is better to post on -pf or -jail but I really don't know where the problem is. So post here first. I have a FreeBSD-8.0-RELEASE-p2 box with two NICs acting as gateway using pf (with ftp-proxy enabled) in my home network configured as follow: LAN: 10.7.13.0/24 ( + tap0 10.7.14.0/24 for VPN) WAN: IP obtained from ISP. gateway: 10.7.13.254 When I played with jail, I found that fp didn't block the traffic that it should. For example, I have the following line in pf.conf: block quick proto tcp from any to any port 21 Then in the host(gateway): [host] ~ ftp ftp.mozilla.org ftp: connect: Operation not permitted In the jail: [jail1] ~ ftp ftp.mozilla.org Connected to dm-ftp01.mozilla.org. ...(welcome message) Other client on the LAN(Windows): C:\Users\test-userftp ftp.mozilla.org Connected to dm-ftp01.mozilla.org. Connection closed by remote host. The ftp-proxy log when windows client is connecting: #5 accepted connection from 10.7.13.1 #5 proxy cannot connect to server 63.245.208.138: Operation not permitted #5 ending session My jail's IP 10.7.13.99 which is within the subnet of LAN. Do anyone know where the problem is? It seems that the traffic from jail bypasses the pf filtering rules? The following is part of my pf.conf: === ext_if=wan0 int_if={ lan0 } self=10.7.13.254 internal_net={ 10.7.13.0/24, 10.7.14.0/24 } scrub in nat pass on $ext_if from $internal_net to any - ($ext_if) static-port # handling FTP nat-anchor ftp-proxy/* rdr-anchor ftp-proxy/* no rdr on $int_if proto tcp from $internal_net to $self port 21 rdr pass on $int_if proto tcp from $internal_net to any port 21 - \ 127.0.0.1 port 8021 anchor ftp-proxy/* block quick proto tcp from any to any port 21 Thanks, C.C. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org