# This weird PF



## leon123456789 (Feb 15, 2018)

Hey Guys.

Following problem: Inside a jail I can ping my nameserver, i can ping someones ip adress but I cant ping a domain name. I cant install pkg or anything else inside a jail, because its not working.
I set up my jails with ezjail. I created a fresh jail but its not working.

I have set my freeBSD (11.1 p6) under one single IP adress listening on interface re0. I have created a local network inside my /etc/rc.conf (see below) called lo1. I try to rdr my traffic on specifc ports to the jails. I. e. port 80/443 to my jail1 with 192.168.0.4 ip adress.

                     my single ip adress                            lo1:192.168.0.4
-internet-----[freebsd with re0]-----port 80,443----------[jail1]

When im inside the jail this is how my ping looks like:

```
ping example.com
PING example.com (93.184.216.34): 56 data bytes
```
no response. but when i ping 93.184.216.34 i get a successful respond. How is this possible?
i also can ping my nameserver or the nameserver of google 8.8.8.8 and have these set in /etc/resolv.conf

/etc/pf.conf:

```
# Public IP address
IP_PUB="12.34.45.67"
ext_if = "re0"
int_if = "lo1"
localnet = $int_if:network
webport="{ 80, 443 }"
# Packet normalization
scrub in all
# Allow outbound connections from within the jails
nat on re0 from lo1:network to any -> (re0)
# test jail at 192.168.0.4
rdr on re0 proto { tcp, udp } from any to $IP_PUB port $webport -> 192.168.0.4
```

/etc/rc.conf:

```
clear_tmp_enable="YES"
hostname="bsdhost"
keymap="german.iso.acc.kbd"
ifconfig_re0="inet 212.12.45.130 netmask 255.255.255.252"
defaultrouter="212.12.45.129"
sshd_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
#firewall_enable="YES"
#firewall_script="/usr/local/etc/ipfw.rules"
cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-9/29"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
gateway_enable="YES"
ipv6_gateway_enable="YES"
ezjail_enable="YES"
```

I hope you can help me!
Thank you very much!


----------



## DiscmanDaemon (Feb 16, 2018)

When you are referring to /etc/resolv.conf, are you referring to the host's /etc/resolv.conf or the /etc/resolv.conf inside the jail's file system? If you have not set a nameserver inside the jail, this could explain the behavior as the jail's processes have no way of seeing the host's /etc/resolv.conf due to the isolated filesystem.


----------



## SirDice (Feb 16, 2018)

leon123456789 said:


> ```
> rdr on re0 proto { tcp, udp } from any to $IP_PUB port $webport -> 192.168.0.4
> ```


HTTP(S) is always TCP, so there's no need to also allow UDP.


----------



## ShelLuser (Feb 16, 2018)

SirDice said:


> HTTP(S) is always TCP, so there's no need to also allow UDP.


/etc/services disagrees with you, and although not commonly used there are services which actually stream HTTP using UDP. To my knowledge (I can't produce quotes / resources right now) TLS which encapsulates HTTP can also use UDP through means of DTLS. However... I can't comment if and/or how often its used.

Even so: I don't think it's correct to state that it's always TCP. Although not often there can be situations when it's not.


----------



## leon123456789 (Feb 16, 2018)

DiscmanDaemon said:


> When you are referring to /etc/resolv.conf, are you referring to the host's /etc/resolv.conf or the /etc/resolv.conf inside the jail's file system? If you have not set a nameserver inside the jail, this could explain the behavior as the jail's processes have no way of seeing the host's /etc/resolv.conf due to the isolated filesystem.


I have a /etc/resolv.conf in my jail and in my host. The files content is identical because I copied the file from the host into the jail. In my host ist working fine.


----------



## leon123456789 (Feb 16, 2018)

ShelLuser said:


> /etc/services disagrees with you, and although not commonly used there are services which actually stream HTTP using UDP. To my knowledge (I can't produce quotes / resources right now) TLS which encapsulates HTTP can also use UDP through means of DTLS. However... I can't comment if and/or how often its used.
> 
> Even so: I don't think it's correct to state that it's always TCP. Although not often there can be situations when it's not.


So should I write the port numbers instead of the port name? But I think it will make no difference.
I mean the nameserver are working, because he finds an IP adress under the domain name but the ping does not return when I ping the domain name instead of the domains IP.

```
ping example.com
PING example.com (93.184.216.34): 56 data bytes
I get no answer
```


```
ping 93.184.216.34
PING (93.184.216.34): 56 data bytes
I get a successful answer
```


----------



## SirDice (Feb 16, 2018)

ShelLuser said:


> and although not commonly used there are services which actually stream HTTP using UDP


DLNA uses that. But DLNA works on different ports. Regular web traffic on 80 and 443 is always TCP.


----------



## leon123456789 (Feb 17, 2018)

So what should I do?


----------

