# Gateway / router PF rule set



## z662 (Jun 23, 2010)

Hello all,  

I am posting because I am having a problem with my rule set for my gateway.  I understand this is the FreeBSD forums of course but I must point out that this rule set is for an OpenBSD 4.6 server running the default version of PF.  I have bought the 'Book of PF' and still have issues with (what I believe to be) packet reflection/redirection.  Essentially my rule set works great for my internal network but when I try to access services from an outside network my fw blocks them (or never forwards them to be precise).  To debug and troubleshoot this issue I have watched tcpdump and it seems that when I try to access any internal services from within my apartment such as http, ssh, ftp etc etc everything works (packets go from my external NIC to the internal NIC then to the switch, ultimately to the server and then back)  However...when I am outside of my apartment and try to access any network services, the packets come in from the external interface (attached to the modem) and are dropped before reaching the internal interface.  For those that have the same book the approach I took to mitigate this issue is discussed on page 58.

I have posted my ruleset below, any help would be greatly appreciated!  In addition I have another question I would like to ask.  My webserver ($mercury in the ruleset) has a number of jails running, which each contain more services.  One for example is ftp, another is irc. My question is, since they are jails, do I need to have a ruleset on the webserver to redirect such traffic after it has been forwarded from the gateway/router?  Or is the logic in the below ruleset enough for it to pass the packets through, in which case the webserver will know which jail (virtual IP) to pass it off to?  

Thank you in advance, and if the ruleset for my webserver is needed to fix this issue I will gladly post it. 


```
intIF = "rl1"
extIF = "rl0"
localNet = $intIF:network
mercury = "192.168.0.101"
ftpJail = "192.168.0.102"
ircJail = "192.168.0.103"
icmpTypes = "{echoreq, unreach}"
match in on $intIF scrub (no-df random-id)
match in on $extIF scrub (reassemble tcp)
pass inet proto icmp all icmp-type $icmpTypes keep state
antispoof for $extIF
antispoof for $intIF

nat on $extIF from $localNet to any -> ($extIF)

rdr on $intIF proto tcp from $localNet to $extIF port 80 -> $mercury
rdr on $intIF proto tcp from $localNet to $extIF port 2222 -> $mercury
rdr on $intIF proto tcp from $localNet to $extIF port 6665 -> $mercury
no nat on $intIF proto tcp from $intIF to $localNet
nat on $intIF proto tcp from $localNet to $mercury port 80 -> $intIF
nat on $intIF proto tcp from $localNet to $mercury port 2222 -> $intIF
nat on $intIF proto tcp from $localNet to $mercury port 6665 -> $intIF
```

I know that $ftpJail and $ircJail are not being used in this ruleset, however I wanted to get everything work before I implemented those, and as mentioned in my 2nd question I was not sure if for services being run on $mercury's jails needed to be explicitly mentioned, or if passing them to $mercury was enough (and then having the ruleset on $mercury pass them to the jail)  I have tried every possible combination I could think of...all to no avail.  Please help :r


----------



## SirDice (Jun 23, 2010)

There are no redirects on $extIF to redirect traffic coming in from the outside. Hence, nothing gets through.

If you use the same internal IP addresses on your jails as the rest of your network you don't need additional rules on the host. You can just forward the traffic to the correct IP address.


----------



## z662 (Jun 23, 2010)

Thank you!  That has solved my problem, for those experiencing the same issue the pertinent line would be:

```
rdr on $extIF proto tcp from any to $extIF port 8- -> $mercury
```

I guess I didnt really quite understand the logic of pf, still seems weird that I would be redirecting traffic from the ext IF to the ext IF to get it to send the traffic to my internal IF.  Ah well it works, I am happy.

SirDice,  I also didnt know that you didnt need to put a jail on its IP.  ALl of the implementations that I have seen always have done that, so I followed suit.  Are there any advantages/disadvantages to having them on their own IP?


----------



## SirDice (Jun 23, 2010)

On FreeBSD jails have always needed an IP. However recent changes made it possible to give a jail no ip addresses or more then one. AFAIK the IP addresses do need to be aliases on the host. I don't think you would be able to attach a jail to the same IP address as the host.


----------



## z662 (Jun 23, 2010)

Ok, that being said I will just leave them as is, for simplicity and the fact that I know they work.


----------

