# Multiple domains inside of jails on a VPS



## larynx (Jan 21, 2015)

I'm new to FreeBSD. I have a VPS running FreeBSD 10.1 and I'm trying to set up a few small websites running WordPress with nginx, each in its own separate jail.

I followed this guide to set up internal IPs for each of the jails, but I can't seem to access them from a browser. I can ping them inside the host when connected via SSH, and when I look at the open ports via `sockstat -4l` I can see that port 80 is open on the jails, but they are not reachable from outside of the VPS.

Thanks


----------



## junovitch@ (Jan 22, 2015)

At first glance I'm thinking this may be a firewall issue.  If so I'll go ahead and move this to the appropriate place for the widest audience.  Can you check and post the output of `pfctl -vs nat`?  That will show your nat and rdr rules with some detail. 

Here's an example.  Mainly I'm looking to sanity check that the rules do appear to be correct and are actually triggering some matches in the packets field and state creations.


```
nat on em3 inet from ! (em3) to any -> (em3:0)
  [ Evaluations: 204130    Packets: 1710368   Bytes: 1406851229  States: 281   ]
  [ Inserted: uid 0 pid 43218 State Creations: 24022 ]
rdr on em3 inet proto tcp from any to <firewall> port = 2222 tag SSH -> (em3:0) port 22
  [ Evaluations: 52268     Packets: 24        Bytes: 4522        States: 0     ]
  [ Inserted: uid 0 pid 43218 State Creations: 3     ]
```

It may be helpful to post your entire /etc/pf.conf as well.  The how-to guide shown uses an example that is very bare, to the point where there are no rules to allow normal outbound or inbound traffic, and it also does not include the skip-filtering-on-loopback directive that is very typical.

It would likely be desirable not to filter on the loopback, so that your jails can talk to each other and communication between processes on the host is not affected.  The pf.conf(5) man page describes this.  You can just use the keyword `lo` in the rule to cover both loopbacks.


> set skip on <ifspec>
> List interfaces for which packets should not be filtered. Packets passing in or out on such interfaces are passed as if pf was disabled, i.e. pf does not process them in any way. This can be use-
> ...


----------
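As an added example (not the poster's file and not the linked guide's), here is a fuller /etc/pf.conf of the shape described above: outbound NAT for the jail network, an inbound redirect of port 80 into one jail, `set skip on lo` so jail-to-jail and host-to-jail traffic is left alone, and explicit pass rules instead of an empty filter section. The interface name `vtnet0`, the jail address `192.168.1.10` and the ssh pass rule are assumptions for the example; the public address is the one from the thread.

```pf
# /etc/pf.conf -- added example, not the poster's configuration.
# Assumed: vtnet0 is the public interface, 192.168.1.10 is the web jail.
ext_if   = "vtnet0"
ip_pub   = "114.216.17.210"
net_jail = "192.168.1.0/24"
jail_www = "192.168.1.10"      # jail that should receive HTTP from outside

# Do not filter loopback: jail-to-jail and host-to-jail packets on lo0/lo1
# are passed untouched (see "set skip" in pf.conf(5)).
set skip on lo

scrub in all

# Outbound NAT so every jail in the internal network can reach the Internet.
nat on $ext_if inet from $net_jail to any -> $ip_pub

# Inbound HTTP on the public address is redirected into the web jail.
# A given port on $ip_pub can only be redirected to one jail, so a second
# site on port 80 needs its own public address or a reverse proxy in front.
rdr on $ext_if inet proto tcp from any to $ip_pub port http -> $jail_www

# Default deny, then allow explicitly.  Keep the ssh rule or the VPS locks you out.
block log all
pass out quick on $ext_if
pass in on $ext_if inet proto tcp to $ip_pub port ssh

# rdr has already rewritten the destination by the time the filter runs,
# so the pass rule for web traffic matches the jail address, not $ip_pub.
pass in on $ext_if inet proto tcp to $jail_www port http
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -vs nat` should show the nat and rdr rules accumulating evaluations and state creations as in the output above, and `pfctl -vs rules` shows the same counters for the pass rules.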



## larynx (Jan 22, 2015)

Thanks for replying.

Here is the output from running `pfctl -vs nat`


```
No ALTQ support in kernel
ALTQ related functions disabled
nat pass on vtnet0 inet from 192.168.1.0/24 to any -> 114.216.17.210
  [ Evaluations: 170184    Packets: 41011     Bytes: 40253544    States: 0     ]
  [ Inserted: uid 0 pid 383 State Creations: 209   ]
rdr pass on vtnet0 inet proto tcp from any to 114.216.17.210 port = http -> 192.168.1.1
  [ Evaluations: 194657    Packets: 105       Bytes: 4740        States: 0     ]
  [ Inserted: uid 0 pid 383 State Creations: 51    ]
```

And here is my /etc/pf.conf file


```
IP_PUB="114.216.17.210"     # public address of the VPS
IP_JAIL="192.168.1.1"       # jail that should receive redirected HTTP
NET_JAIL="192.168.1.0/24"   # internal jail network
PORT_JAIL="{80}"
scrub in all
# outbound NAT for the jail network
nat pass on vtnet0 from $NET_JAIL to any -> $IP_PUB
# inbound HTTP on the public address is redirected to the jail
rdr pass on vtnet0 proto tcp from any to $IP_PUB port $PORT_JAIL -> $IP_JAIL

# for fail2ban
ext_if="vtnet0" # your interface !
table <fail2ban> persist
block quick proto tcp from <fail2ban> to $ext_if

# IPv4: open outgoing port TCP 123 (NTP)
pass out on $ext_if proto tcp to any port ntp

# IPv6: open outgoing port TCP 123 (NTP)
pass out on $ext_if inet6 proto tcp to any port ntp

# IPv4: open outgoing port UDP 123 (NTP)
pass out on $ext_if proto udp to any port ntp

# IPv6: open outgoing port UDP 123 (NTP)
pass out on $ext_if inet6 proto udp to any port ntp
```

It's a little messy because I wasn't sure about the format, so that is what I collected from several different tutorials.


----------



## junovitch@ (Jan 23, 2015)

Well, the rules look fine.  They are making state entries on both, which is good.  From outside your VPS, what does `nc -nvvz <VPS_IP_ADDR> 80` say?  Does it just hang there, say connection refused, or say succeeded?

After that, is there anything at all in the web server logs that show it received an incoming connection?

For the rules bit, see pf.conf(5) for all the details.  Little things like not using `inet` and `inet6` (leaving them out implies both) and being able to combine things by using tags like `proto { tcp, udp }` help shorten things down a bit.


----------



## larynx (Jan 24, 2015)

It's working now. I put the wrong jail IP address by mistake in pf.conf.

Thanks for all your help.


----------

