# PF Ruleset Problem



## systrace (Apr 1, 2012)

Hello everyone. Since the "re"install of my home server, my pf.conf does not work as in the past.

My server is in a router DMZ, so PF will only be protecting the server and its jails. Therefore the server has only one ethernet interface. When I load the following rules I can access my server (the host) but not the jails. I guess the NAT rules are incorrect. And even on the host, when I ssh into it, it takes a couple of seconds to ask for the password.

Can you guys please point me to some help?


```
ext_if="msk0"

set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on lo0

nat on $ext_if inet from ($ext_if) to any -> ($ext_if)

rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 192.168.0.15  port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> 192.168.0.15  port 443

rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> 192.168.0.16  port 25
rdr on $ext_if proto tcp from any to ($ext_if) port 993 -> 192.168.0.16  port 993
rdr on $ext_if proto tcp from any to ($ext_if) port 995 -> 192.168.0.16  port 995

rdr on $ext_if proto tcp from any to ($ext_if) port 22 -> 192.168.0.17  port 22


block in log on $ext_if

pass on $ext_if proto tcp from any to any port { 22, 25, 80, 443, 993, 995, 1723, 4100 } flags S/SA

pass in quick on $ext_if proto 47  from any to 192.168.0.14
pass in quick on $ext_if proto 50  from any to 192.168.0.14
pass in quick on $ext_if proto 51  from any to 192.168.0.14

pass in on $ext_if proto udp from any to any port { 500, 4500 }

pass out on $ext_if proto { tcp, udp, 47, 50, 51 } all

pass in quick on $ext_if proto tcp from any to any port > 49151
```
My best regards.

Systrace


----------



## SirDice (Apr 2, 2012)

Can you post a bit more about your configuration? Where are the 192.168.0.0/24 addresses bound to?


----------



## systrace (Apr 2, 2012)

*IP Addr*

My LAN IP schema is 192.168.0.0/26.
In the server's case the following IPs, 192.168.0.14{5,6,7}, are bound to the only ethernet device, msk0.
The host is 192.168.0.14.


----------



## SirDice (Apr 2, 2012)

You cannot 'bounce off' packets out the same interface as they came in on.


----------



## systrace (Apr 2, 2012)

*How come*

It always worked with only one ethernet iface.
This server is in a DMZ on my router.

The same interface is capable of handling inbound and outbound traffic.

Can you be more specific please? Has anything changed in PF so that it now requires two interfaces?

Best Regards.


----------



## SirDice (Apr 2, 2012)

systrace said:

> Has anything changed in PF so that it now requires two interfaces?


It's been like that since I first started using PF (which was around FreeBSD 4.0 I think).


----------



## systrace (Apr 2, 2012)

I understand your point. But it's a rather normal thing to have a server in a DMZ with only one ethernet interface, and always protected or reinforced by a packet filter.
For years I've been running this kind of setup.
Something is wrong with my config as far as NAT is concerned. The rest I suppose is correct.
Can you or someone else confirm that these rules are ok for the new PF (4.5)?

Best Regards.


----------



## SirDice (Apr 2, 2012)

If all addresses on msk0 are in the 192.168.0.0/24 range there's no need for any NAT or redirections. IP addresses can simply be allowed or blocked on the host. The NAT is done on the router that connects to the internet.


----------



## systrace (Apr 2, 2012)

The host only has msk0 and the following:

host: 192.168.0.14
jailone: 192.168.0.15
jailtwo: 192.168.0.16
jailthree: 192.168.0.17

All the IPs for the jails are "aliases" of msk0.

About the NAT, I understand that I don't need it anymore. But since the router DMZ has the IP 192.168.0.14, don't I need to redirect the traffic to the correct jail? For example: the inbound traffic that comes in through msk0 (192.168.0.14, the DMZ IP) to 192.168.0.15:80, which is where my httpd is listening?


----------



## SirDice (Apr 2, 2012)

The router needs to route all 192.168.0.0/24 traffic to the DMZ interface.

Since they all listen on the interface the jails will respond to their respective IP addresses. No need to forward anything on the FreeBSD host.


----------



## kisscool-fr (Apr 3, 2012)

systrace said:

> Hello everyone. Since the "re"install of my home server, my pf.conf does not work as in the past.
> 
> My server is in a router DMZ, so the PF will only be protecting the server and their jails. Therefore the server has only one ethernet interface. When I load the following rules I can access my server (the host) but not the jails. I guess the NAT rules are incorrect. And even the host, when I ssh into it, *it takes a couple of seconds to ask for the password.*
> 
> ...




Are you sure your nameservers are correct in /etc/resolv.conf?


----------



## ecazamir (Apr 7, 2012)

systrace said:

> ... I guess the NAT rules are incorrect.
> ... when I ssh into it, it takes a couple of seconds to ask for the password.



NAT/RDR is not needed on the FreeBSD host.



			
				SirDice said:
			
		

> The router needs to route all 192.168.0.0/24 traffic to the DMZ interface.
> 
> Since they all listen on the interface the jails will respond to their respective IP addresses. No need to forward anything on the FreeBSD host.



This solution may work if the FreeBSD server and jails are the only devices connected to the LAN side of the router. Routing everything to the jail is almost equivalent to setting static ARP for the entire LAN, mapped to the FreeBSD jail.
The host still needs to know the target IP for each forwarded IP protocol, and this must be configured on the WAN router.

I prefer the following:
1. A proper configuration on the FreeBSD machine:

```
# /etc/rc.conf
ifconfig_msk0="UP"
ipv4_addrs_msk0="192.168.0.14/24 192.168.0.15/32 192.168.0.16/32 192.168.0.17/32"
```

2. A port forwarding configuration on the router:
TCP/80 and TCP/443 forwarded to 192.168.0.15
TCP/25, TCP/993 and TCP/995 forwarded to 192.168.0.16
TCP/22 forwarded to 192.168.0.14 (or .17, if access to the server is made through the jail configured with 192.168.0.17)

3. The delay encountered by the SSH client may be caused by a non-working DNS server or by a firewall blocking UDP/53. Check /etc/resolv.conf for each jail and for the host. Using

```
# /etc/ssh/sshd_config
UseDNS no
```

may eliminate this delay, but will prevent reverse DNS checking for clients.


----------



## systrace (Apr 10, 2012)

My current rc.conf on the host part is:


```
ifconfig_msk0=" inet 192.168.0.14 netmask 255.255.255.192"
ifconfig_msk0_alias0="inet 192.168.0.15 netmask 255.255.255.255"
ifconfig_msk0_alias1="inet 192.168.0.16 netmask 255.255.255.255"
ifconfig_msk0_alias2="inet 192.168.0.17 netmask 255.255.255.255"
```


```
################################
ext_if="msk0"
internal_net="192.168.0.0/26"
###############################

##############################
set optimization normal
set block-policy drop
set fingerprints "/etc/pf.os"
#############################

#### Normalization: reassemble fragments and resolve or reduce traffic ambiguities ####
scrub in all
#######################################################################################


#######################################################################################
#rdr on $ext_if proto tcp from any to ($ext_if) port 80  -> 192.168.0.15 port 80
#rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> 192.168.0.15 port 443
#rdr on $ext_if proto tcp from any to ($ext_if) port 25  -> 192.168.0.16 port 25
#rdr on $ext_if proto tcp from any to ($ext_if) port 993 -> 192.168.0.16 port 993
#rdr on $ext_if proto tcp from any to ($ext_if) port 995 -> 192.168.0.16 port 995
#rdr on $ext_if proto tcp from any to ($ext_if) port 22  -> 192.168.0.17 port 22
#######################################################################################

#########################
block in log on $ext_if
#########################

########################################################################################################################
pass in quick on $ext_if proto tcp from any to any port { 22, 25, 80, 443, 993, 995, 4100, 1723 } flags S/SA keep state
pass in on $ext_if proto udp from any to any  port { 500, 4500 }  keep state

pass in quick proto icmp6 all
pass in quick on $ext_if proto icmp6 all
pass in quick on $ext_if proto icmp from $internal_net to $internal_net

pass out on $ext_if proto { tcp, udp, icmp, esp, ah, gre } all keep state
pass out on $ext_if inet6 all keep state
########################################################################################################################
```

I have removed the host "192.168.0.14" from the router DMZ and made all the rdr on the router. In this case what is the point of using PF, since all the traffic is passing through the router's firewall?

My best regards.


----------



## ecazamir (Apr 11, 2012)

systrace said:

> what is the point of using PF, since all the traffic is passing through the router's firewall?



You can block outbound traffic going out without your intention. I wouldn't use DMZ, only IP forwarding for the protocols I want, to the targets I want. Usually, what is called DMZ in routers is a full range port forward, exposing all ports of the DMZ host.

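As an added illustration of the point made in this last reply (not a ruleset posted by anyone in the thread), here is a pf.conf for the single-interface host described above that does what the posted Apr 10 ruleset does not: it binds each inbound service to the one jail IP that actually runs it, and it denies outbound traffic by default so a compromised jail cannot reach arbitrary destinations. The interface name and the host/jail address mapping are taken from the thread; the outbound allowances (DNS, NTP, HTTP/HTTPS for package fetches, SMTP delivery from the mail jail) are assumptions about what these services need and should be adjusted per site. The VPN rules (GRE, ESP, AH, UDP 500/4500) from the original ruleset are omitted here; they would be added the same way, addressed to $host only.

```pf
# Added example ruleset for the thread's layout; not the poster's own config.
# Assumed from the thread: one interface (msk0), host .14, jails .15/.16/.17
# as aliases, router forwards only the listed ports (no rdr/nat needed here).
ext_if = "msk0"
host   = "192.168.0.14"
web    = "192.168.0.15"
mail   = "192.168.0.16"
sshj   = "192.168.0.17"
lan    = "192.168.0.0/26"

set block-policy drop
set skip on lo0
scrub in all

# Default deny in both directions; every allowed flow is listed explicitly,
# and anything not listed is logged so pflog shows unexpected traffic.
block in log on $ext_if
block out log on $ext_if

# Inbound: each service only to the jail that runs it, not "to any".
pass in on $ext_if proto tcp from any to $web  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail port { 25, 993, 995 } flags S/SA keep state
pass in on $ext_if proto tcp from any to { $host, $sshj } port 22 flags S/SA keep state

# Outbound (assumed needs): DNS and NTP for all, SMTP delivery from the mail
# jail only, HTTP/HTTPS for package fetches. Nothing else leaves the box.
pass out on $ext_if proto udp from { $host, $web, $mail, $sshj } to any port { 53, 123 } keep state
pass out on $ext_if proto tcp from { $host, $web, $mail, $sshj } to any port { 53, 80, 443 } flags S/SA keep state
pass out on $ext_if proto tcp from $mail to any port 25 flags S/SA keep state

# ICMP echo only inside the LAN, for diagnostics.
pass on $ext_if inet proto icmp from $lan to $lan icmp-type { echoreq, echorep }
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it and confirm the expanded rules with `pfctl -sr`. The log lines from the two `block ... log` rules (visible via `tcpdump -n -e -ttt -i pflog0`) are what answer the "what is the point of PF behind the router" question in practice: they show every connection a jail tried to make that the policy did not expect.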

----------

