Solved BastilleBSD Jail can not run package update or install with pf configured on host

[marschro]

Hi all,
DiscIaimer: I only partially understand what I am doing.
I set up a FreeBSD 13.0 Host with. BastilleBSD.
Everything working fine but I struggle with the configuration of the pf packet filter, which is new to me (only used ipfw since).

My goal is to be as restrictive as possible without limiting basic functionalities of the jails
This is my simple /etc/pf.conf

# my ext interface
ext_if = "vtnet0"

# basic settings
set block-policy return
scrub in on $ext_if all fragment reassemble

# I dont want pf on internal traffic on the loopback interface.
# Bastille creates additional ips on the bastille0 loopback interface when creating a new jail
# Is using lo possible? It is the loopback group - found nothing in the docs, that groups are allowed but gave it a try
set skip on lo

# This is from the bastille documentation for nat and "runtime" redirect rools
# So how I understand it, if a rdr tcp 80 80 is set, this traffic will never be handled by consectuive rules?
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"

block all
# I added this ipv6-imcp, otherwise calling pkg update or install on the host would not work anymore... it hangs..
pass proto ipv6-icmp all
pass out quick keep state
antispoof for $ext_if inet
antispoof for $ext_if inet6

# prevent loggin me out
pass in inet proto tcp from any to any port { 22 } flags S/SA modulate state

The jails (for example a web server on port 80 and 443) works fine and is available to the world.
But calling pkg update in a jail does not work... Traffic somehow comes not out or back?
curl google.com in a jail works also fine...

Maybe I should mention, that this does not happen when I add the following rule to the conf:

pass in inet proto tcp from any to any port { 22, 80, 443 } flags S/SA modulate state

so basically, additionally to only ssh allow also traffic on port 80 and 443 - which makes no sense for me, why pkg update is working then...

Any hints or experience appreciated
Martin

 

[SirDice]

Is the jail IPv6 enabled? I mean does it have an IPv6 address? If yes, then you'll need to allow outgoing IPv6 too (the pass out quick keep state does IPv4 only). You can also force pkg(8) to use IPv4 by adding a -4 switch.

 

[marschro]

Is the jail IPv6 enabled? I mean does it have an IPv6 address? If yes, then you'll need to allow outgoing IPv6 too (the pass out quick keep state does IPv4 only). You can also force pkg(8) to use IPv4 by adding a -4 switch.

Hi SirDice thank you for your Reply.
No, the jails only do IPv4.
Is there a rule like pass out quick keep state for matching also ipv6 ? - so I would first try to enable ipv6 on jails and then if I won't succeed would use the fallback to force pkg using IPv4 only.

 

[marschro]

Hi SirDice thank you for your Reply.
No, the jails only do IPv4.
Is there a rule like pass out quick keep state for matching also ipv6 ? - so I would first try to enable ipv6 on jails and then if I won't succeed would use the fallback to force pkg using IPv4 only.

Okay. setting up jails with IPv6 seems to be like much more complicated. I messed up my jail. So I re-rcreated it and now it works completely fine with the old pf.conf.
So I think there was some hiccup in the Jail with the firewall. I think one should always relaunch a jail after changing pf conf and having restarted pf.

 

[SirDice]

No, the jails only do IPv4.

That's fine. It could have been a reason why it wasn't working.

Is there a rule like pass out quick keep state for matching also ipv6 ?

For completeness sake; pass out inet6 ... (keep state isn't required, it's always implied).