pf + jail question.

2010-01-19 Thread C. C. Tang

Hi all,

Maybe this question is better to post on -pf or -jail but I really 
don't know where the problem is. So post here first.


I have a FreeBSD-8.0-RELEASE-p2 box with two NICs acting as gateway 
using pf (with ftp-proxy enabled) in my home network configured as follows:


LAN: 10.7.13.0/24 ( + tap0 10.7.14.0/24 for VPN)
WAN: IP obtained from ISP.
gateway: 10.7.13.254

When I played with jail, I found that pf didn't block the traffic that 
it should.

For example,
I have the following line in pf.conf:
block quick proto tcp from any to any port 21

Then in the host(gateway):
[host] ~ ftp ftp.mozilla.org
ftp: connect: Operation not permitted

In the jail:
[jail1] ~ ftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
...(welcome message)

Other client on the LAN(Windows):
C:\Users\test-user>ftp ftp.mozilla.org
Connected to dm-ftp01.mozilla.org.
Connection closed by remote host.

The ftp-proxy log when windows client is connecting:
#5 accepted connection from 10.7.13.1
#5 proxy cannot connect to server 63.245.208.138: Operation not permitted
#5 ending session

My jail's IP is 10.7.13.99, which is within the LAN subnet.

Does anyone know where the problem is?
It seems that the traffic from jail bypasses the pf filtering rules?

The following is part of my pf.conf:
===
ext_if=wan0
int_if={ lan0 }
self=10.7.13.254
internal_net={ 10.7.13.0/24, 10.7.14.0/24 }

scrub in
nat pass on $ext_if from $internal_net to any -> ($ext_if) static-port

# handling FTP
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*


no rdr on $int_if proto tcp from $internal_net to $self port 21
rdr pass on $int_if proto tcp from $internal_net to any port 21 -> \
  127.0.0.1 port 8021

anchor ftp-proxy/*
block quick proto tcp from any to any port 21


Thanks,
C.C.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
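One thing worth checking in the fragment quoted above, as an added example that is not part of the original post: the `pass` modifier on a `nat` or `rdr` rule makes every packet the translation rule matches skip the filter rules entirely. Host-originated traffic carries the WAN address and never matches the `nat` rule, so it is filtered, while traffic sourced from a jail address inside `$internal_net` matches it and is translated and passed without ever seeing `block quick`. The variant below drops `pass` from the translation rules and logs the block rule so its hits can be confirmed; interface names and addresses are taken from the post, and the rest of the ruleset is an assumption.

```pf
# Added example, not the original poster's configuration. Interface names,
# addresses and the ftp-proxy setup follow the post; everything else is assumed.
ext_if=wan0
int_if={ lan0 }
self=10.7.13.254
internal_net={ 10.7.13.0/24, 10.7.14.0/24 }

scrub in

# Weak form (as posted): "pass" on a translation rule means packets matching
# it are passed without consulting the filter rules at all.  A jail bound to
# 10.7.13.99 is inside $internal_net, so its outbound packets are translated
# and passed; the host's own packets (WAN source) do not match and are filtered.
#   nat pass on $ext_if from $internal_net to any -> ($ext_if) static-port

# Corrected form: translate only, and let the filter rules below decide.
nat on $ext_if from $internal_net to any -> ($ext_if) static-port

# handling FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

no rdr on $int_if proto tcp from $internal_net to $self port 21
# "rdr pass" has the same bypass property; redirect only.
rdr on $int_if proto tcp from $internal_net to any port 21 -> \
  127.0.0.1 port 8021

anchor "ftp-proxy/*"

# Translation runs before filtering on the outbound path, so this rule sees
# the jail's packets on $ext_if with the already-translated source address.
# Match on the port, not on the jail IP.  "log" sends every hit to pflog0:
#   tcpdump -n -e -ttt -i pflog0 port 21
# is the quickest way to confirm the block now fires for host, jail and LAN.
block log quick proto tcp from any to any port 21

# Without the translation-rule bypass, ordinary traffic needs explicit pass
# rules; these two are placeholders for whatever policy the host already had.
pass in on $int_if from $internal_net to any keep state
pass out on $ext_if keep state
```

`pfctl -vsr` shows per-rule packet counters, so a jail-originated FTP attempt should increment the block rule once the `pass` modifiers are gone.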

