Freebsd jail block out in lo1 while connecting back on ext_if
michael at familie-keil.de
Sat Apr 4 18:46:57 UTC 2015
Hi,
Based on the following scenario I'm running into a block out on lo1 and don't understand why.
Scenario
FreeBSD 10.1, $ext_if with a public IPv4 address a.b.c.d
2 jails configured, mailjail & webjail which are working flawlessly...
Both are serving, common mail and web services.
Honestly, I send this mail using these jails.
rc.conf:
cloned_interfaces="${cloned_interfaces} lo1"
ifconfig_lo1="inet 10.100.0.1/24"
ifconfig_lo1_alias0="inet 10.100.0.2/24"
jail_sysvipc_allow="YES"
jail_webjail_parameters="allow.raw_sockets=1 allow.sysvipc=1"
jail_mailjail_parameters="allow.raw_sockets=1 allow.sysvipc=1"
pf.conf: (I know it's a bit too open for now. That's because I want to track down an issue.)
ext_if = "re0"
ext_tcp_out = "{ http, https, ftp, ssh, domain }"
ext_udp_out = "{ domain, ntp }"
jail_if = "lo1"
jail_net = "10.100.0.0/24"
jail_web_adr = "10.100.0.1"
jail_web_ports = "{ http, https }"
jail_mail_adr = "10.100.0.2"
jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps, submission }"
icmp_types = "echoreq"
table <bruteforce> persist
table <fail2ban> persist
set skip on lo0
set block-policy drop
scrub in all
nat log on $ext_if from $jail_net to any -> ($ext_if)
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr pass log on $ext_if proto tcp from any to ($ext_if) port $jail_mail_ports -> $jail_mail_adr
antispoof for $ext_if
block log all
block in quick log from <fail2ban>
block in quick log from <bruteforce>
block in quick log from urpf-failed
block in quick log on $ext_if from no-route
# desperate times call for desperate measures .....
# begin
pass quick on $jail_if
pass out quick on $ext_if
# end
pass on $jail_web_adr proto tcp from any to any port $jail_web_ports
pass on $jail_mail_adr proto tcp from any to any port $jail_mail_ports
pass on $jail_if from $jail_web_adr to $jail_mail_adr
pass on $jail_if from $jail_mail_adr to $jail_web_adr
pass out on $ext_if proto tcp from any to any port $ext_tcp_out
pass out on $ext_if proto udp from any to any port $ext_udp_out
pass in on $ext_if inet proto tcp from any port 67:68 to any port 67:68
pass in on $ext_if inet proto udp from any port 67:68 to any port 67:68
pass in on $ext_if proto udp from any to $ext_if port 33433 >< 33626
pass in on $ext_if proto tcp from any to any port ssh
pass on $ext_if inet proto icmp all icmp-type $icmp_types keep state
pass on $ext_if inet6 proto icmp6 all icmp6-type echoreq
pass on $ext_if inet6 proto icmp6 all icmp6-type { neighbradv, neighbrsol }
pass on $ext_if inet6 proto icmp6 all icmp6-type routersol
So what is wrong for me?
If I try to connect from 10.100.0.1 (which actually is my webserver) to the external IP of my webserver, it's blocked:
rule 3..16777216/0(match): block out on lo1: a.b.c.d.80 > 10.100.0.1.58248: Flags [R.], seq 0, ack 2602401153, win 0, length 0
a.b.c.d is my public IP.
I guess I might miss some rdr rules on lo1, too.
But I totally don't understand why there is a block in lo1.
Frankly, after reading hours and hours of documentation I understand nothing at all. Sorry, I don't want to bother any of you, but I'd really appreciate a hint.
My question is: Why is there a block out on lo1, when there's a pass on
lo1 rule?
Thanks!
Cheers Michael
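As an added example, not part of Michael's mail: pf evaluates an rdr rule only on the interface it names, so the rdr on $ext_if never sees a jail's own connection to a.b.c.d, which pf first meets on lo1; the pf FAQ's "reflection" approach mirrors the redirect onto the internal interface. This assumes (not confirmed on the page) that the missing lo1 redirect is what leaves the jail's connection to a.b.c.d port 80 for the host stack to answer, and it reuses the macros from the ruleset above.

```pf
# Added example (assumption, not from the original ruleset): mirror the
# public-side redirects onto the jail interface, so a jail connecting to
# the public address a.b.c.d reaches the jailed service instead of the
# host stack. Uses the macros defined in the pf.conf above.
rdr pass log on $jail_if proto tcp from $jail_net to ($ext_if) port $jail_web_ports -> $jail_web_adr
rdr pass log on $jail_if proto tcp from $jail_net to ($ext_if) port $jail_mail_ports -> $jail_mail_adr

# Which rule the pflog line's "rule 3" refers to is shown by the @N
# numbers in the verbose listings; confirm the loaded ruleset is the
# one in the file before changing anything:
#   pfctl -vvsr      (filter rules with numbers)
#   pfctl -vvsn      (nat/rdr rules with numbers)
#   pfctl -ss        (states, to see whether the jail's SYN created one)
```

The FAQ's full reflection recipe also adds a nat rule on the internal interface so replies return through the firewall; on lo1 every reply already passes the host's pf, so start with the rdr alone and confirm with pfctl -ss that the reply matches the redirected state.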
More information about the freebsd-pf mailing list