# pf redirect for jail



## falkman (May 18, 2012)

I'm simply trying to redirect all incoming traffic on port 23 to port 23 on one of my jails.

I have my current IP of my host 192.168.1.64, and the IP of my jail 192.168.1.65. I have SSH running on the host on port 22, and SSH on the jail running on port 23. My goal is to make it possible to connect to the jail's SSH via 192.168.1.64.

Here's my attempt:

rc.conf

```
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

gateway_enable="YES"
```

pf.conf

```
rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23
```

How far off am I? I belong in the kernel, this networking stuff feels like a rat's nest (hopefully I learn soon).

Solution: Connect remotely, not locally. pf does not modify local connections, it must enter through the interface.

-Brandon


----------



## val (May 18, 2012)

You need a separate pass rule or a pass directive in the rdr rule.


----------



## falkman (May 18, 2012)

I tried


```
rdr pass on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23
```

With no luck. Perhaps I'm not using pass properly?

-Brandon


----------



## bbzz (May 18, 2012)

First time was right. But you still need translation the other way.


----------



## falkman (May 18, 2012)

Ohhh, so I need it both ways... that makes sense.

Something like?


```
rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23
rdr on wlan0 inet proto { tcp, udp } from 192.168.1.65 port 23 to any \
        -> 192.168.1.64 port 23
```

I'm so confused. Man I feel stupid. One of these days I will understand networking.

-Brandon


----------



## bbzz (May 18, 2012)

Actually, you shouldn't need it since it's the same interface/subnet.

And source IP translation is done with *nat* command in *pf*.

What exactly is not working? Are you permitting packets to the specific IP? Address translation is one thing, and filtering is another.


----------



## falkman (May 18, 2012)

What should I do then? The issue is that I have port 23 open on my router, but only for 192.168.1.64. I also do not have access to my router, so I need to make it pass through. Does that make sense?

-Brandon


----------



## bbzz (May 18, 2012)

Ah, I see. Try adding this then:

First, make sure you are permitting traffic explicitly to 192.168.1.64 AND 192.168.1.65 for *ssh* (*pass*). Then if that doesn't do it add this:


```
nat on wlan0 from 192.168.1.65 to any -> (wlan0:0)
```


----------



## falkman (May 18, 2012)

I tried that with no luck :\. I'm able to ssh into my jail with `ssh 192.168.1.65 -p 23`, however I get 'connection refused' with `ssh 192.168.1.64 -p 23`.

-Brandon


----------



## bbzz (May 18, 2012)

And you have a rule that permits traffic explicitly to 192.168.1.64 port 23?


----------



## falkman (May 18, 2012)

I don't have any sort of firewall, and it's all open on my router if that's what you're saying.

-Brandon


----------



## bbzz (May 18, 2012)

Ok, you lost me now. You said you have a router sitting before your computer which port-forwards 192.168.1.64 port 23 in. How did you connect then using IP 192.168.1.65? Where are you connecting from?

Moreover, what does your last post mean, you don't have a firewall and it's all open on your router?

Communication breakdown.

Anyway, can you post your /etc/pf.conf?


----------



## falkman (May 18, 2012)

I connected on the box itself, from the host to the jail (nothing went through the router).


```
# cat /etc/pf.conf
rdr on wlan0 inet proto { tcp, udp } from any to 192.168.1.64 port 23 \
        -> 192.168.1.65 port 23

nat on wlan0 from 192.168.1.65 to any -> (wlan0:0)

# cat /etc/rc.conf
hostname="localhost"
sshd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
wlans_ath0="wlan0"
ifconfig_wlan0="inet 192.168.1.64 netmask 255.255.255.0 ssid xxx wepmode on weptxkey 1 wepkey xxx"
defaultrouter="192.168.1.1"
dbus_enable="YES"
hald_enable="YES"
linux_enable="YES"

jail_enable="YES"
jail_list="ryan"

jail_ryan_interface="wlan0"
jail_ryan_rootdir="/jails/ryan"
jail_ryan_hostname="ryan"
jail_ryan_ip="192.168.1.65"
jail_ryan_devfs_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""

pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

gateway_enable="YES"
```

This is just my personal computer, so there's really nothing sophisticated on this setup.


----------



## bbzz (May 18, 2012)

Redirection and filtering only works as packets enter an interface. Locally initiated connections are not subject to these rules.
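To tie the thread together, here is a complete /etc/pf.conf for the setup described above (host 192.168.1.64 on wlan0, jail 192.168.1.65, sshd on the jail's port 23). This is an added example, not any poster's configuration: it combines the rdr rule from the thread with the explicit pass rules val and bbzz ask for, and notes where the "packets must enter the interface" point bites. The interface, addresses and ports come from the thread; the macro names and the default-deny inbound policy are my own choices.

```conf
# Added example (not from the thread): /etc/pf.conf for an SSH redirect
# from the host's port 23 to a jail on the same interface and subnet.
ext_if   = "wlan0"
host_ip  = "192.168.1.64"
jail_ip  = "192.168.1.65"
jail_ssh = "23"

# Loopback is never filtered or translated.
set skip on lo0

# Translation: connections ARRIVING ON wlan0 for the host's port 23 are
# redirected to the jail. rdr is evaluated as the packet enters the
# interface, so "ssh 192.168.1.64 -p 23" run on the host itself never
# matches (the packet is delivered via lo0); test from another machine.
# SSH is TCP only, so there is no reason to translate udp as well.
rdr on $ext_if inet proto tcp from any to $host_ip port $jail_ssh \
        -> $jail_ip port $jail_ssh

# Optional source translation for the jail's outbound traffic. On a
# shared interface and subnet it is not needed (the jail answers with
# its own address); uncomment only if the jail must appear as the host.
# nat on $ext_if from $jail_ip to any -> ($ext_if:0)

# Filtering is separate from translation. Default-deny inbound on wlan0,
# log what is dropped, and pass only the two SSH services. The pass rule
# for the redirected connection matches the POST-translation destination
# (the jail's address), not the host's.
block in log on $ext_if
pass out on $ext_if keep state
pass in on $ext_if inet proto tcp from any to $host_ip port 22 keep state
pass in on $ext_if inet proto tcp from any to $jail_ip port $jail_ssh keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s rules` show what was actually loaded. From another machine on the LAN, `ssh -p 23 192.168.1.64` should land in the jail, and `pfctl -s state` will show the state entry with the translated destination. Anything the block rule drops shows up with `tcpdump -n -e -ttt -i pflog0`. The default-deny line is stricter than the "no firewall" setup in the thread, so add pass rules for any other services the host or jail must expose before loading it.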


----------



## falkman (May 18, 2012)

Well, that's embarrassing. Connected remotely and it works.


----------



## bbzz (May 18, 2012)

Hehe, as long as it works.


----------

