question re: PF and forwarding
Littlefield, Tyler
tyler at tysdomain.com
Wed Mar 30 02:57:00 UTC 2016
A bit more info:
I've tried a bunch of different configurations and still can't get
this to forward through. When I use tcpdump to debug, I get:

client->syn
server->syn
client->ack
*hang*

From there nothing actually happens.
If anyone has any other info I'd really appreciate it. I'm not sure
where to go from here or how to troubleshoot further.
Thanks,
On 3/29/2016 4:59 AM, krad wrote:
> What network topology are the jails' NICs on? I presume it's not vnet,
> as that doesn't play well with PF. Your rules hint at the jails
> being on loopback. If so, can you put them on a separate IP on your
> subnet, as pf can still filter them fine there, and you will find
> the ruleset a bit easier to manage. If those 192 addresses aren't on
> loopback and are on the same subnet as the host's IP on igb0, why
> are you natting them? This will probably cause issues.
>
> On 28 March 2016 at 21:23, Littlefield, Tyler <tyler at tysdomain.com>
> wrote:
>
> All, sorry for the multiple emails recently. I'm working to get my
> server set up here so I can begin doing some dev on BHyve once that
> is all finalized. I am jailing my services like minidlna, samba and
> unbound and am using PF to forward those. For whatever reason I do
> not see the ports I specify as open ports, but the individual
> addresses show them when I connect from within my server. For
> example, I can telnet 192.168.0.2 445 and that works fine in terms
> of establishing a connection. I was hoping that someone might see
> any connection here. Here is my pf.conf.
>
> ***
> if="igb0"
> addr="10.21.96.128"
> samba_addr="192.168.0.2"
> dlna_addr="192.168.0.3"
> unbound_addr="192.168.0.4"
> tcp_services="{ssh 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
> udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
>
> set skip on lo
> set loginterface $if
> scrub in all
>
> #allow jails through
> nat on $if inet from $samba_addr to any tag jail_samba -> $addr
> nat on $if inet from $dlna_addr to any tag jail_dlna -> $addr
> nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
>
> #portforward to jails.
> #unbound
> rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
> rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
> #samba
> rdr pass on $if proto tcp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto tcp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto tcp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
> rdr pass on $if proto udp from any to $addr port 137 -> $samba_addr port 137
> rdr pass on $if proto udp from any to $addr port 138 -> $samba_addr port 138
> rdr pass on $if proto udp from any to $addr port 139 -> $samba_addr port 139
> rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
>
> #rules
> pass quick on lo1
> pass from igb0:network to any keep state
>
> #default policy: deny
> antispoof quick for { $if lo }
> block in all
>
> #accept TCP ports.
> pass in on $if proto tcp from any to any port $tcp_services
> pass in on $if proto udp from any to any port $udp_services
> ***
--
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc
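To see what a ruleset like the one quoted above does with an inbound packet, here is an added example (not code from the thread, and only a simplified model of pfctl's macro expansion and first-match rdr lookup, not PF itself). It embeds a constructed excerpt of the macros, nat and rdr rules from the pf.conf above and answers, for a given interface, protocol and destination, which jail address and port the packet would be redirected to.

```python
import re

# Constructed excerpt of the pf.conf quoted in the thread: macros, nat and the
# rdr rules for unbound and samba (dlna rules and the pass rules are left out).
PF_CONF = """
if="igb0"
addr="10.21.96.128"
samba_addr="192.168.0.2"
unbound_addr="192.168.0.4"
nat on $if inet from $samba_addr to any tag jail_samba -> $addr
nat on $if inet from $unbound_addr to any tag jail_unbound -> $addr
rdr pass on $if proto tcp from any to $addr port 53 -> $unbound_addr port 53
rdr pass on $if proto udp from any to $addr port 53 -> $unbound_addr port 53
rdr pass on $if proto tcp from any to $addr port 445 -> $samba_addr port 445
rdr pass on $if proto udp from any to $addr port 445 -> $samba_addr port 445
"""

MACRO_RE = re.compile(r'^(\w+)="([^"]*)"$')
# Only the literal "from any to ADDR port N -> ADDR port N" form used in the thread.
RDR_RE = re.compile(r'^rdr(?: pass)? on (\S+) proto (tcp|udp) from \S+ to (\S+)'
                    r' port (\d+) -> (\S+) port (\d+)$')

def parse_macros(conf):
    """Collect name="value" macro definitions from the ruleset."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group(1)] = m.group(2)
    return macros

def expand(line, macros):
    """Substitute $name references, leaving unknown macros untouched."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)

def rdr_table(conf):
    """Map (iface, proto, ext_addr, ext_port) -> (int_addr, int_port).
    PF translation rules are first-match, so setdefault keeps the earliest entry."""
    macros, table = parse_macros(conf), {}
    for line in conf.splitlines():
        m = RDR_RE.match(expand(line.strip(), macros))
        if m:
            iface, proto, ext_addr, ext_port, int_addr, int_port = m.groups()
            table.setdefault((iface, proto, ext_addr, int(ext_port)),
                             (int_addr, int(int_port)))
    return table

def forward_target(conf, iface, proto, dst_addr, dst_port):
    """Jail address/port an inbound packet is redirected to, or None if no rdr matches."""
    return rdr_table(conf).get((iface, proto, dst_addr, dst_port))
```

A destination that no rdr rule covers (for example the host's own ssh port) returns None, meaning the packet stays addressed to the host and is decided by the pass rules alone.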