Jails: pf blocks access to localhost of host system
Valeri Galtsev
galtsev at kicp.uchicago.edu
Mon Aug 16 21:31:13 UTC 2021
Dear Experts in pf and jails,
I am a recent refugee to pf from ipfw, which I was happily using for a
decade (why is a different story). I seem to be able to configure all I
need with pf, except one thing, which is jail access to localhost of the
host system.
I configure jails "by the book" (i.e. the FreeBSD handbook); I do not use
any scripts facilitating the process, which is simple enough for me. My
jail configuration is like the following:
# cat /etc/jail.conf
jailname {
host.hostname = "hostname.domainname";
ip4.addr = X.Y.Z.W; # address on public address space
devfs_ruleset=7; // integer number of devfsrules_jail_bpf ruleset
// in /etc/devfs.rules
persist; // Required because there are no processes
exec.start = "/etc/rc.d/cron start; /etc/rc.d/syslogd start; /usr/local/etc/rc.d/apache24 start";
exec.stop = "/usr/local/etc/rc.d/apache24 stop; /etc/rc.d/syslogd stop; /etc/rc.d/cron stop";
}
As you see, there is no lo0 configured in the jail. (I do have lo0
configured in jails on some machines, but I do not feel it is necessary
in this case). Now if a script from apache in that jail connects to port
25 on localhost to send email, the connection goes to the postfix I run
on the host system.
While I was using ipfw, having the rule allowing all traffic on lo0 to
pass (I figure) at the top of the rules did the trick. I cannot achieve
the same with pf. Searching the web didn't help either.
Here is my pf.conf, simplified to the necessary minimum for debugging:
# cat /etc/pf.conf
##################### BEGIN
# macro name(s) for external interface(s).
ext_if = "bce0"
int_if = "bce1"
services = "{ 80 443 3306 5432 9102 }"
icmp_types = "{ echoreq unreach }"
# set a default deny everything policy.
block all
# Allow all traffic on trusted interfaces
pass quick from { lo0 $int_if } to any keep state
# keep state on any outbound tcp, udp or icmp traffic.
# modulate the ISN (initial sequence number) of outgoing packets:
# broken operating systems sometimes don't randomize this number,
# making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any \
modulate state
# set a rule that allows inbound ssh traffic
pass in on $ext_if proto tcp to port { 22 } \
keep state
# On workstation we will pass all outgoing traffic
pass out all keep state
# We pass what comes to our services (but DHCP is taken care of above)
pass in on $ext_if proto { tcp udp } to port $services
# and icmp types we want
pass inet proto icmp icmp-type $icmp_types
##################### END
If I am inside the jail, the command
telnet localhost 25
successfully connects to the postfix run on the host system. When I enable
pf with the rules as above, the same connection from inside the jail just
hangs.
I was assuming the rule:
pass quick from { lo0 $int_if } to any keep state
would do the trick, but no, the connection from inside the jail to the host
system's localhost port 25 is blocked by pf.
Can someone give me any pointers for this particular case?
Thanks a lot in advance for your pointers!
Valeri
PS I know I can do the following and it will work: configure lo0 in the
jail (splitting part of 127.0.0.0/8 away from the host to the guest/jail)
and run postfix in the jail. But being able to tell pf what I want it to
[not] do would be preferable.
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
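The following pf.conf fragment is an added illustration for readers of this thread; it is not part of the original post and not something its author wrote. It shows the difference between an interface name used in an address position (`from lo0`, as in the quoted rule) and an interface match (`on lo0`), which is what decides whether the jail's host-local SMTP traffic is seen by the rule. It assumes that the jail's ip4.addr X.Y.Z.W is an alias on the external interface bce0 and keeps X.Y.Z.W as a placeholder to be replaced with a real address; the macro name `jail_ip` is invented here.

```conf
# Added illustration (not from the original post): why the quoted rule
# does not match the jail's loopback traffic, and rules that do.
#
# In pf.conf an interface name in an ADDRESS position expands to the
# addresses configured on that interface. So
#
#   pass quick from { lo0 $int_if } to any keep state
#
# matches packets whose SOURCE address is 127.0.0.1/::1 or an address
# on bce1. A jail without its own lo0 has connects to 127.0.0.1
# redirected to its ip4.addr (X.Y.Z.W, assumed here to be an alias on
# bce0), so the packet that reaches postfix is X.Y.Z.W -> X.Y.Z.W. It
# travels over lo0, but its source is neither 127.0.0.1 nor a bce1
# address, so the "from lo0" rule is skipped. "pass out all" lets it
# leave, nothing passes it back IN on lo0 (port 25 is not in $services
# and the "pass in" rule is bound to $ext_if anyway), the default
# "block all" drops it, and the TCP handshake hangs.
#
# Pick ONE of the following; they are alternatives, not a set.

# Option 1: exempt the loopback interface from filtering entirely.
# ("set" options belong in the options section, before filter rules.)
set skip on lo0

# Option 2: filter on the interface rather than on its addresses.
# "on lo0" is an interface match; "from lo0" is an address match.
pass quick on lo0 all

# Option 3: narrowest, pass only the host-local SMTP path for the jail.
jail_ip = "X.Y.Z.W"   # placeholder: the jail's ip4.addr
pass quick on lo0 inet proto tcp from $jail_ip to $jail_ip port 25 keep state
```

`pfctl -nvf /etc/pf.conf` parses a ruleset without loading it and prints the rules as pf expands them, which makes visible what an interface name in an address position turns into. Option 1 is the common choice on a host whose jails share its loopback; option 3 is the one to prefer when the point of the ruleset is to keep jails from reaching other host-local services.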