# pf as a NAT for jails - please, check my configuration



## przg (Sep 25, 2014)

Hello,

It would be great if somebody could take a look at my /etc/pf.conf (first try):

```
# MACROS

ext_if="em0"
int_if="lo1"

SSH_CUSTOM = xxxx

scrub in on $ext_if all fragment reassemble
set skip on lo0

antispoof for $ext_if

# TCP/UDP/ICMP IN

pass in quick on $ext_if inet proto tcp from any to $ext_if port $SSH_CUSTOM

pass in quick on $ext_if inet proto tcp from any to $ext_if port http
pass in quick on $ext_if inet proto tcp from any to $ext_if port https

pass in quick on $ext_if inet proto tcp from any to $ext_if port znc

pass in quick on $ext_if inet proto tcp from any to $ext_if port smtp
pass in quick on $ext_if inet proto udp from any to $ext_if port smtp
pass in quick on $ext_if inet proto tcp from any to $ext_if port pop3
pass in quick on $ext_if inet proto tcp from any to $ext_if port pop3s
pass in quick on $ext_if inet proto tcp from any to $ext_if port imap
pass in quick on $ext_if inet proto tcp from any to $ext_if port imaps

pass in quick on $ext_if inet proto tcp from any to $ext_if port pdns

pass in quick on $ext_if inet proto icmp from any to $ext_if icmp-type $icmp_types

#TCP/UDP/ICMP OUT

pass out quick on $ext_if inet proto tcp from $ext_if to any port $SSH_CUSTOM
pass out quick on $ext_if inet proto tcp from $ext_if to any port whois

pass out quick on $ext_if inet proto tcp from $ext_if to any port http
pass out quick on $ext_if inet proto tcp from $ext_if to any port https

pass out quick on $ext_if inet proto tcp from $ext_if to any port znc

pass out quick on $ext_if inet proto tcp from any to $ext_if port smtp
pass out quick on $ext_if inet proto udp from any to $ext_if port smtp
pass out quick on $ext_if inet proto tcp from any to $ext_if port pop3
pass out quick on $ext_if inet proto tcp from any to $ext_if port pop3s
pass out quick on $ext_if inet proto tcp from any to $ext_if port imap
pass out quick on $ext_if inet proto tcp from any to $ext_if port imaps

pass out quick on $ext_if inet proto tcp from any to $ext_if port pdns

pass out quick on $ext_if inet proto udp from $ext_if to any port ntp
pass out quick on $ext_if inet proto icmp from $ext_if to any

# JAIL PORTS REDIRECT

nat on em0 from lo1:network to any -> ($ext_if)

rdr on em0 proto tcp from any to ext._ip port http -> 10.0.0.1 port http
rdr on em0 proto tcp from any to ext._ip port https -> 10.0.0.1 port https

rdr on em0 proto tcp from any to ext._ip port znc -> 10.0.0.3 port znc

rdr on em0 proto tcp from any to ext._ip port pop3 -> 10.0.0.4 port pop3
rdr on em0 proto tcp from any to ext._ip port pop3s -> 10.0.0.4 port pop3s
rdr on em0 proto tcp from any to ext._ip port imap -> 10.0.0.4 port imap
rdr on em0 proto tcp from any to ext._ip port imaps -> 10.0.0.4 port imaps

rdr on em0 proto tcp from any to ext._ip port pdns -> 10.0.0.5 port pdns

# POLICY

block log all
```

(the appropriate port numbers, i.e. for znc, have been typed into /etc/services)

I've got only one external IP address (AA.AAA.AAA.AAA), so I've decided to create a new local interface and forward the appropriate ports with pf as a NAT. ifconfig looks like this:

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
	ether 00:22:4d:ae:1d:8c
	inet AA.AAA.AAA.AAA netmask 0xffffff00 broadcast AA.AAA.AAA.255 
	inet6 fe80::222:4dff:feae:1d8c%em0 prefixlen 64 scopeid 0x1 
	inet6 YYYY:YYYY:Y:YYYY::Y prefixlen 128 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 10.0.0.254 netmask 0xffffff00 
	inet 10.0.0.1 netmask 0xffffff00 
	inet 10.0.0.2 netmask 0xffffff00 
	inet 10.0.0.3 netmask 0xffffff00
	inet 10.0.0.4 netmask 0xffffff00 
	inet 10.0.0.5 netmask 0xffffff00
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

Yes, it's Kimsufi. But everyone has to start somewhere!

*Here's what I've tried to achieve:*
- Apache + PHP (1), MySQL-server (2), ZNC (3), postfix + dovecot + Roundcube (4), PowerDNS (5) on separate jails,
- jails no. 1, 3, 4 and 5 must be capable of contacting the rest of the world,
- jails no. 1 and 2 must be able to communicate locally with each other; the same applies to 1 and 4, and to 2 and 5,
- SSH accessible to the host system on custom port,
- any other traffic blocked (excluding system services, like updating ports, ntp, etc.).

So, what do you think? Is it "acceptable" enough? 

Greetings!


----------



## SirDice (Sep 29, 2014)

The order is wrong and is going to generate errors. The order in pf.conf should be:

```
settings
nat rules
rdr rules
pass/block rules
```


----------
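The ordering rule from the reply above, applied to an excerpt of the posted configuration. This is an added example, not part of the original thread: the function names are hypothetical, and placing `scrub` between settings and NAT follows pf.conf(5) rather than the reply's four-item list.

```python
import re

# "settings, nat rules, rdr rules, pass/block rules" is the order given in the
# reply; scrub (normalization) is placed after settings per pf.conf(5).
SECTIONS = ["settings", "normalization", "nat", "rdr", "filter"]
KEYWORDS = {
    "set": "settings",
    "scrub": "normalization",
    "nat": "nat",
    "rdr": "rdr",
    "pass": "filter", "block": "filter", "antispoof": "filter",
}
MACRO = re.compile(r"^\w+\s*=")  # e.g. ext_if="em0"; macros are not ranked

def classify(line):
    """Return the section name for one pf.conf line, or None to skip it."""
    text = line.split("#", 1)[0].strip()       # drop comments
    if not text or MACRO.match(text):
        return None
    words = text.split()
    if words[0] == "no" and len(words) > 1:    # "no nat ...", "no rdr ..."
        words = words[1:]
    return KEYWORDS.get(words[0])

def out_of_order(conf):
    """List (line_number, section, later_section_already_seen) violations."""
    findings, highest = [], -1
    for number, line in enumerate(conf.splitlines(), start=1):
        section = classify(line)
        if section is None:
            continue
        rank = SECTIONS.index(section)
        if rank < highest:
            findings.append((number, section, SECTIONS[highest]))
        highest = max(highest, rank)
    return findings

# Excerpt of the configuration posted above, kept in its original order.
POSTED = """\
ext_if="em0"
scrub in on $ext_if all fragment reassemble
set skip on lo0
antispoof for $ext_if
pass in quick on $ext_if inet proto tcp from any to $ext_if port http
nat on em0 from lo1:network to any -> ($ext_if)
rdr on em0 proto tcp from any to ext._ip port http -> 10.0.0.1 port http
block log all
"""

if __name__ == "__main__":
    for number, section, seen in out_of_order(POSTED):
        print(f"line {number}: {section} rule after {seen} rules")
```

`pfctl -nf /etc/pf.conf` parses the file without loading it and remains the authoritative check on the host itself.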

