binat problem with loopback jail addresses
xorquewasp at googlemail.com
Thu Feb 21 20:03:35 UTC 2008
Hi.
I'm trying to set up a jail running on a loopback IP connected to the
outside world with pf and binat.
My interfaces are configured like this:
ifconfig lo1 inet 127.1.0.1 netmask 0xff000000 up
ifconfig lo1 alias 127.1.0.2 netmask 0xff000000
ifconfig lo1 alias 127.1.0.3 netmask 0xff000000
ifconfig fxp0 inet 192.168.2.5 netmask 0xffffff00 up
ifconfig fxp0 alias 192.168.2.9 netmask 0xffffff00
$ jls
JID IP Address Hostname Path
5 127.1.0.3 wwwproxy /usr/jail/wwwproxy
The idea is to have wwwproxy running on 127.1.0.3, with an externally
visible IP of 192.168.2.9 using pf binat.
Now, I have a pf ruleset like this:
#----------------------------------------------------------------------#
nic0 = "fxp0"
lo0 = "lo0"
lo1 = "lo1"
dns = "192.168.3.10"
me = "192.168.2.5"
wwwproxy = "127.1.0.3"
wwwproxy_e = "192.168.2.9"
table <net_priv> { 192.168.2.0/24 }
table <net_dmz> { 192.168.3.0/24 }
table <proxy_users> { $me, $wwwproxy_e }
#----------------------------------------------------------------------#
binat on $nic0 from $wwwproxy to any -> $wwwproxy_e
#----------------------------------------------------------------------#
block in log all
block out log all
# allow loopback
pass log quick on $lo0 from 127.0.0.1 to 127.0.0.1 modulate state
# allow wwwproxy to connect out and allow some connections in
pass out log quick proto udp from $wwwproxy_e to $dns port 53 keep state
pass out log quick proto tcp from $wwwproxy_e to any modulate state
pass in log quick proto tcp from <proxy_users> to $wwwproxy_e port 8080 modulate state
# allow me to connect out
pass out log quick on $nic0 proto udp from $me to any keep state
pass out log quick on $nic0 proto tcp from $me to any modulate state
#----------------------------------------------------------------------#
I have an HTTP proxy running inside the jail:
$ netstat -f inet -na
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 127.1.0.3.8080 *.* LISTEN
Inside the jail, I can connect to external sites:
wwwproxy% nc -z -v www.google.com 80
Connection to www.google.com 80 port [tcp/http] succeeded!
000000 rule 8/0(match): pass out on fxp0: 192.168.2.9.62735 > 192.168.3.10.53: UDP, length 32
001253 rule 8/0(match): pass out on fxp0: 192.168.2.9.61723 > 192.168.3.10.53: UDP, length 32
000955 rule 9/0(match): pass out on fxp0: 192.168.2.9.64134 > 66.249.91.104.80: tcp 0
Outside the jail (on the host machine), however, I cannot connect to the HTTP
proxy, despite pflog showing the connection being allowed:
$ nc -z -v 192.168.2.9 8080
nc: connect to 192.168.2.9 port 8080 (tcp) failed: Connection refused
3. 680214 rule 9/0(match): pass out on lo0: 192.168.2.9.60606 > 192.168.2.9.8080: tcp 0
000060 rule 10/0(match): pass in on lo0: 192.168.2.9.60606 > 192.168.2.9.8080: tcp 0
It appears that binat isn't actually doing what I think it should (a connection
to 192.168.2.9:8080 should connect to 127.1.0.3:8080).
What am I doing wrong?
XW
(ps: please CC, I'm not subscribed)
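The pflog lines above show the host's own connection to 192.168.2.9:8080 passing in and out on lo0, while the only binat rule is bound to $nic0, so that path is never translated. As an added example (not from the original post), this is one way to give the loopback path its own translation; it reuses the macros from the ruleset above and assumes, as pf.conf(5) states, that filter rules are evaluated after translation and therefore see the jail's loopback address.

```pf
# Added example: translate host-local connections to the jail's external
# address on lo0 as well, so they reach the socket bound to 127.1.0.3:8080.
nic0 = "fxp0"
lo0 = "lo0"
wwwproxy = "127.1.0.3"
wwwproxy_e = "192.168.2.9"
table <proxy_users> { 192.168.2.5, 192.168.2.9 }

# External path (unchanged): only packets crossing fxp0 are translated in
# both directions by this rule.
binat on $nic0 from $wwwproxy to any -> $wwwproxy_e

# Loopback path: packets the host sends to its own alias 192.168.2.9 never
# cross fxp0; they go out and come back in on lo0. Redirect only the proxy
# port, so nothing else aimed at 192.168.2.9 from the host is remapped.
rdr on $lo0 proto tcp from any to $wwwproxy_e port 8080 -> $wwwproxy port 8080

# Translation happens before filtering, so the pass rules must name the
# jail's loopback address rather than the external one.
pass in quick on $lo0 proto tcp from <proxy_users> to $wwwproxy port 8080 keep state
pass in quick on $nic0 proto tcp from <proxy_users> to $wwwproxy port 8080 modulate state
```

Loading this and repeating the `nc -z -v 192.168.2.9 8080` test on the host should then log a match on lo0 with the destination already rewritten to 127.1.0.3.8080; if the log still shows 192.168.2.9.8080, the rdr rule is not being hit on that interface.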