# Jail and Firewall



## Sisler_Ohan (Oct 19, 2011)

Hello,

I am using IPF and PF on my system.
I have 2 jails. 1 is my mysql-server, the other is my web-server. (ezjail)
I need to know how I can set up firewall rules for these 2 jails.
Is it enough to only edit the firewall.rules on the host system, or does every jail need its own firewall?


----------



## SirDice (Oct 19, 2011)

Sisler_Ohan said:

> I am using IPF and PF on my system.


Use one or the other, not both.



> I need to know how I can set up firewall rules for these 2 jails.
> Is it enough to only edit the firewall.rules on the host system, or does every jail need its own firewall?


You need to edit the host's firewall. You can't do it inside the jail itself with a 'standard' jail. It should be possible to do this by using *VIMAGE*, but it's relatively new and barely documented, so I don't recommend it for new users (which you appear to be).


----------



## Sisler_Ohan (Oct 19, 2011)

Hey,

So if I open some ports in the firewall.rules, are they open for the jails too?
Same for the closed/blocked ports?


----------



## geodni (Oct 19, 2011)

Hi,

Try something like this in /etc/pf.conf. Fill the ext_if and ext_addr variables with the interface name and IP address you use as external, and fill int_net, www_addr and mysql_addr with the IP of your jailed subnet and the jails' IP addresses.

```
ext_if=""
ext_addr=""

int_net=""
www_addr=""
mysql_addr=""

nat on $ext_if from $int_net to any -> $ext_if:0

# WWW
rdr on $ext_if proto tcp from any to $ext_addr/32 port 80 -> $www_addr port 80
rdr on $ext_if proto tcp from any to $ext_addr/32 port 443 -> $www_addr port 443

## MYSQL
rdr on $ext_if proto tcp from any to $ext_addr/32 port 3306 -> $mysql_addr port 3306

# do not block rest of traffic or replace with real filtering rules
pass in all
pass out all
```


----------



## Sisler_Ohan (Oct 19, 2011)

Hey

If I type pfctl -vnf to check the conf, I get this:


```
# pfctl -vnf /etc/pf.conf
ext_if = "em0"
ext_addr = "xxx.xxx.xxx.xxx"
int_net = "255.255.255.255"
mysql_addr = "xxx.xxx.xxx.xxx"
nat on em0 inet from 255.255.255.255 to any -> xxx.xxx.xxx.xxx
pass in all flags S/SA keep state
pass out all flags S/SA keep state
```

I just filled the config with my subnet and the IPs of the jails.

Why can't I see the # WWW commands with rdr on $ext_if?

Btw, how can I block ports with pf on the host system and on the jails?


----------



## SirDice (Oct 20, 2011)

Why don't you start off with a *block all* and only allow the traffic you want/need?


----------



## Sisler_Ohan (Oct 20, 2011)

SirDice said:


> Why don't you start off with a *block all* and only allow the traffic you want/need?



Exactly this is what I want to do. Can you give me a little pf.conf for this? That would be nice, because I'm not very good with this.


----------



## ecazamir (Oct 21, 2011)

Basic rules:

```
block in log all
block out log all
pass in on $ext_if inet proto tcp from any to $www port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $mysql port 3306 flags S/SA keep state
```
Enable and start pflog:

```
echo 'pflog_enable="YES"' >> /etc/rc.conf
/etc/rc.d/pflog start
```
Check what is blocked by the rules containing 'log':

```
tcpdump -n -e -ttt -i pflog0
```


----------



## Sisler_Ohan (Oct 22, 2011)

geodni said:

> Hi,
> 
> Try something like this in /etc/pf.conf. Fill the ext_if and ext_addr variables with the interface name and IP address you use as external, and fill int_net, www_addr and mysql_addr with the IP of your jailed subnet and the jails' IP addresses.
> 
> ...



Well, if I use these rules (modified), the host system redirects me to a jail.
If I connect to the host ip:22, so to ssh, it redirects me to the ssh of the jail.
My rules are like this now:


```
ext_if="em0"
ext_addr="myiphere"

int_net="255.255.255.255"
jailmysql="jailmysqlip"

nat on $ext_if from $int_net to any -> $ext_if:0

# JAIL

rdr on $ext_if proto tcp from any to $ext_addr/32 port 22 -> $jailmysql port 22
```

This means, how can I connect to the SSH of the jails?
I won't log in via the host system to the jails' ssh.


----------



## geodni (Oct 22, 2011)

Yes, that's the way it works.
Make your jails' ssh listen on other ports, like 4122 for the first jail, 4222 for the second jail, etc. Use a redirect for each jail:

host:4122 ==> jail1:22
host:4222 ==> jail2:22
Or just use jexec from the host.
Using NAT is not mandatory if you have several external IP addresses. Give one to each jail you want to connect to directly using SSH, or something else. Don't forget to restrict ListenAddress xx.xx.xx.xx in the host's and jails' SSH configuration /etc/ssh/sshd_config, as for all IP services running on the host and jails.


----------



## Sisler_Ohan (Oct 22, 2011)

geodni said:


> Yes, that's the way it works.
> Make your jails' ssh listen on other ports, like 4122 for the first jail, 4222 for the second jail, etc. Use a redirect for each jail:
> 
> host:4122 ==> jail1:22
> ...



Hi,

That works, thank you very much.
I'm not very good at port forwarding; that's my first time setting up new jails with pf.


----------



## Sisler_Ohan (Oct 22, 2011)

Hi,

If I connect directly to the IP of the jail, how can I open the port for this?
e.g. 10.0.0.1 is the IP of the webserver.
If I type 10.0.0.1 I want to connect to the webserver, but how do I open the ports for this without port forwarding?
It's of course a jail.

Something like this?

```
#-------
ext_if="em0"                    # External interface
int_if="lo0"                    # Local interface
external_addr="192.168.178.20"  # External IP
internal_net="255.255.255.255"  # Subnet
jail="192.168.178.85"           # Jail IP
#-------

nat on $ext_if from $internal_net to any -> ($ext_if)

# Forward port 10022 to $jail SSH (pf macros are case-sensitive, so $jail, not $JAIL)
rdr on $ext_if proto tcp from any to $external_addr/32 port 10022 -> $jail port 22
pass in on $ext_if proto tcp from any to $jail port 80
```

???


ed: all working fine now, thx, thread can be closed!


----------



## geodni (Oct 22, 2011)

Sisler_Ohan said:


> Hi,
> 
> 
> ```
> ...


It's not a subnet, it's a netmask!!! Can you provide the output of ifconfig -a? I think you are making big mistakes and mixing things up.

Personally I don't use ezjail, but never mind. I have my external network interface located on one subnet (192.168.0.140/24) and I use the same physical card re0 with aliases (10.200.0.20/32, 10.200.0.21/32, ...) for each jail BUT on a different subnet; that's why I use redirect.
I didn't try using the loopback interface to bring up the jails' IP addresses; it might work the same way.

If your jails are on the same subnet as your external interface, bring up the IP aliases on the same interface, then you won't have to use redirect, or I know nothing. Can someone confirm that or tell me how it should be?
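Putting geodni's NAT/rdr layout, ecazamir's block-all rules and the per-jail SSH ports (4122/4222) together, here is a complete default-deny /etc/pf.conf for a host with a web jail and a MySQL jail. It is added here as an example and is not any poster's configuration; em0 and the SSH ports come from the thread, while every address and the admin_net macro are constructed placeholders.

```pf
# /etc/pf.conf -- added example, not any poster's config. em0 and ports 4122/4222
# come from the thread; every address below is a constructed placeholder.
ext_if="em0"                 # external interface
ext_addr="192.0.2.10"        # host's public address
jail_net="10.0.0.0/24"       # subnet holding the jail aliases
www_addr="10.0.0.1"          # web jail
mysql_addr="10.0.0.2"        # mysql jail
admin_net="198.51.100.0/24"  # only these sources may reach SSH

set skip on lo0              # see the 3306 note at the bottom
scrub in all

# Let jails reach the Internet from the host's address.
nat on $ext_if from $jail_net to any -> ($ext_if)

# Public ports on the host map to jail services; the target port is kept
# when omitted. SSH is exposed per jail on 4122/4222, and only to admins.
rdr on $ext_if proto tcp from any to $ext_addr port { 80, 443 } -> $www_addr
rdr on $ext_if proto tcp from $admin_net to $ext_addr port 4122 -> $www_addr port 22
rdr on $ext_if proto tcp from $admin_net to $ext_addr port 4222 -> $mysql_addr port 22
# Deliberately no rdr for 3306: MySQL must not be reachable from outside.

# Default deny; 'log' sends every blocked packet to pflog0 for tcpdump.
block in log all
block out log all

# Filter rules evaluate after rdr, so they must pass to the *jail* address,
# not to $ext_addr. Each rule creates state, so replies need no extra rule.
pass in on $ext_if proto tcp from any to $www_addr port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from $admin_net to { $www_addr, $mysql_addr } port 22 flags S/SA keep state

# Host's own SSH, admins only; host and NATed jail traffic may leave.
pass in on $ext_if proto tcp from $admin_net to $ext_addr port 22 flags S/SA keep state
pass out on $ext_if keep state

# Web jail -> MySQL jail (3306) stays on the host and travels over lo0,
# which 'set skip' leaves unfiltered; MySQL should therefore bind only to
# $mysql_addr and grant access to $www_addr alone.
```

Check it with pfctl -vnf /etc/pf.conf as done earlier in the thread; an rdr that appears in that output without a matching pass rule to the jail address will translate the packet and then drop it at the block rules.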


----------

