# curious about cloned loopback and routing



## wonslung (Nov 19, 2009)

Since freebsd 7.2 I've been using a cloned loopback device lo1 with a subnet of 10.0.0.0/24 for jails. I use that device for a second ip for some machines, and for others with just one public ip, i use a nat rule with pf.

Now heres what i'm finding odd.....Why am i able to ssh into 10.0.0.1 from a LAN address (192.168.1.10)  when the ip 10.0.0.1 is on my gateway but on the lo1 device.  Shouldn't this device be invisible to the network at large?



Also, i have another machine on the network which ALSO uses this subnet on a lo1 device setup in the same way more or less, but it's not the gateway...i'm sure it has SOMETHING to do with the fact it's a gateway...or perhaps it's something to do with the NAT rules i had to set up to make the jails able to download ports....either way, i'm just currious.


heres my current firewall rules, go easy on me, i know they are prolly messed up..I plan to keep working on it, i know SOME is redundant and some is just plain WRONG.



```
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if  = "em1"
int_if  = "em0"
wifi_if = "wlan0"
#protocol
icmp_types = "{ echoreq, unreach }"
#hosts
rtor = "192.168.1.18"
scp_j = "192.168.1.53"
Xbox360 = "192.168.1.22"
#ports
Xlive_tcp = "{ http, https, 3074 }"
Xlive_udp = "{ 88, 3074 }"
rtor_ports = "{http, https }"
#nets
lan_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# config
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy drop
set loginterface $ext_if
set skip on lo0
set skip on lo1
set optimization conservative
# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
scrub out all random-id

#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
#nat on egress from $Xbox360       to any tag EGRESS -> ($ext_if:0) static-port
nat on egress from (self)         to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on egress from $int_if:network to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on $ext_if from $Xbox360 to any -> ($ext_if:0) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if from 10.0.0.0/24 to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to ($ext_if) port $rtor_ports -> $rtor
rdr on $ext_if proto tcp from any to ($ext_if) port 50022 -> $scp_j port ssh
rdr on $ext_if proto tcp from any to ($ext_if) port 10000:10040 -> $rtor
rdr on $int_if proto tcp from $lan_net to ($ext_if) port $rtor_ports -> $rtor
rdr on $ext_if inet proto udp from any to ($ext_if) port $Xlive_udp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto tcp from any to ($ext_if) port $Xlive_tcp tag XBOX360 -> $Xbox360
no nat on $int_if proto tcp from $int_if to $lan_net
nat on $int_if proto tcp from $lan_net to $rtor port $rtor_ports -> $int_if 
no nat on $wifi_if proto tcp from $wifi_if to $lan_net
nat on $wifi_if proto tcp from $lan_net to $rtor port $rtor_ports -> $wifi_if
rdr on $int_if inet proto tcp from any to any port www -> 10.0.0.1 port 3128
rdr on $int_if inet proto tcp from any to any port 8080 -> 10.0.0.2 port www
#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block log all
block drop quick log on $ext_if from $priv_nets to any
anchor "ftp-proxy/*"
# anti spoofing
antispoof for { $int_if, $wifi_if, $ext_if }

pass log proto tcp from any to $rtor port $rtor_ports synproxy state
pass log proto tcp from any to $scp_j port ssh synproxy state
pass log proto tcp from any to $rtor port 10000:10040 synproxy state
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state tagged XBOX360
pass in log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp flags S/SAFR synproxy state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp flags S/SAFR synproxy state


pass quick on $int_if keep state
pass quick on $wifi_if keep state

pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state

pass in on $int_if inet proto tcp from any to 10.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state


pass out from any to any keep state
```


----------



## DutchDaemon (Nov 19, 2009)

You said it, it's on the gateway. The box at 192.168.1.10 has no clue as to where 10.0.0.1 might be, so it sends traffic to the default gateway, which has a) forwarding turned on and b) a local 10.0.0.0/24 network to forward to. Turn forwarding off or put the 10.0.0.0/24 network on a non-gateway, and the magic disappears.


----------



## wonslung (Nov 19, 2009)

ahh, ok, so my box at 192.168.1.10 doesn't know where 10.0.0.1 is, so it sends it to the gateway, which is 192.168.1.1 and from there it's about the same as if i tried to connect FROM the gateway.  I get it i think.

Ok, i was just currious.
Thaks


----------

