IPFW jail with IPFW connection on private IP not working with /etc/rc.firewall workstation

Because things have changed in the meantime and I got no answer from the forum, I would like to try a new post. What do I have?
- FreeBSD 13.0
- A jail with a running webserver
- I'm using the firewall IPFW with NAT settings to connect to the jail from outside the host and from inside to outside. This works now without any other firewall rules.

The solution to reach the web server in the jail with ipfw NAT is:
First delete all ipfw firewall settings
ipfw -q -f flush
ipfw nat show config
ipfw nat 1 delete
Then restart the NAT ipfw rules
/etc/rc.d/ipfw restart
"restart" will restart an ipfw script with these rules (I abstract the IP numbers for security reasons):
# /etc/ipfw.rules
#
#-----------------------------------------------------------------------
# NAT for Jails (IPFW)
cmd="ipfw -q add"
nwinterface="<my host network interface>"

#sh /etc/rc.firewall workstation

ipfw nat 1 config if $nwinterface redirect_port tcp Jail.IP.IP.IP:443 443 redirect_port tcp Jail.IP.IP.IP:80 80
${cmd} 410 nat 1 ip from Jail.IP.0.0/27 to any out via $nwinterface
${cmd} 420 nat 1 ip from any to HOST.IP.IP.IP
That is all it needs. But then there is no firewall anymore. That makes no sense: having a jail for more security and not using the firewall.

Normally, without the jail, I use /etc/rc.firewall.
But when I activate this, the connection to the jail gets lost. I tested this with:
curl -v -m 5 www.myvirtdomain.tld and
curl -v -m 8 -k https://www.433domain.tld

When I activate in rc.conf the firewall rules with firewall_type="workstation" I can see the list of rules with:
ipfw list | less
I found out, by deleting rule after rule, that there are some rules in the "workstation" firewall set that block the connection to the jail:
Code:
0100 allow ip from any to any via lo0
1200 allow tcp from me to any established
1300 allow tcp from me to any setup keep-state :default
Q1) I do not understand these rules exactly, and why are these rules blocking the jail connection? How could I fix this?
I have tried to call firewall_type="workstation" after the ipfw NAT rules. That worked at first, but then there was a very strange error with bind:
Code:
rndc stop
error: rndc: connect failed: 127.0.0.1#953: permission denied
Code:
host <mydomain.com>
error: net.c:538: probing sendmsg() with IP_TOS=b8 failed: Permission denied
Calling the ipfw firewall regularly in rc.conf, these errors are gone, but so again is the connection to the jail.
So this is no solution. What can I do without touching the standard FreeBSD firewall script for ipfw?

Q2) Also, I found a useful ipfw rule in the manual
Code:
ipfw add deny ip from any to any not antispoof in
But without the workstation firewall rules, with just this one rule in addition, the connection to the jail is also lost.
How can I use the antispoof rule together with the NAT rules for the jail?
 
I won't quote most of the above because it doesn't provide a clear picture, to me, of what you have and what you're doing. I know too little about jails to comment on that aspect. However...

I found out, by deleting rule after rule, that there are some rules in the "workstation" firewall set that block the connection to the jail:
Q1) I do not understand these rules exactly, and why are these rules blocking the jail connection? How could I fix this?
Try tracing the path through the ruleset with each packet, both on the in- and outbound passes through ipfw(8) and please always refer to the manual first, rc.firewall next and handbook later.

I have tried to call firewall_type="workstation" after the ipfw NAT rules. That worked at first, but then there was a very strange error with bind:
Code:
rndc stop
error: rndc: connect failed:
127.0.0.1#953: permission denied {...}
If you want to try adding NAT functionality to the 'workstation' ruleset, you'll need a much clearer understanding of how that works. You'll notice that 'workstation' doesn't use NAT, so it isn't a useful base for what you're trying to do.

Calling the ipfw firewall regularly in rc.conf, these errors are gone, but so again is the connection to the jail.
So this is no solution. What can I do without touching the standard FreeBSD firewall script for ipfw?
Unless suitable as-is (fairly rare) you should copy /etc/rc.firewall to (say) /etc/rc.myfirewall, set firewall_script="/etc/rc.myfirewall" in rc.conf, and work on it from there.

Q2) Also, I found a useful ipfw rule in the manual
Worry about that later; Q1 is enough confusion for now :)
 
smithi Thanks for your reply, but it doesn't help me in any way.
I wonder why there are so few answers here compared to other parts of this forum. Using a jail connected via NAT, but without a firewall on the host, makes no sense to me. So I cannot use jails. All tutorials I found show how to build a jail, even if you have just one real internet IP.
But the tutorials do not show how they get embedded with standard firewall concepts.

The main point of my question is how to fix / change the rules I gave above, so that they can all work together without disturbing each other.
 
Try this config if you put your jails on lo0


Host
interface = em0
ip4.addr = 203.0.113.1
ssh port = 22

jail
ip4.addr = 127.0.0.10
interface = lo0
ssh port = 2222

In rc.conf for firewall settings put your custom script

firewall_enable="yes"
firewall_nat_enable="yes"
firewall_script="/etc/ipfw.rules"
firewall_logif="yes"

/etc/ipfw.rules

Bash:
#!/bin/sh
# Flush out the list before we begin
ipfw -q -f flush

# output interface
oif="em0"
oif_ip="203.0.113.1"

# Nat config
PAT="redirect_port tcp 127.0.0.10:22 2222
     redirect_port tcp 127.0.0.10:80 80
     redirect_port tcp 127.0.0.10:443 443"

ipfw nat 1 config if $oif log deny_in $PAT

# firewall command prefix
fwcmd="ipfw -q add"

# fail2ban table
#cat /usr/local/etc/ipfw.table1 | xargs -n1 ipfw table 1 add

# Loopback address
$fwcmd 100 allow ip from any to any via lo0
$fwcmd 200 deny ip from any to 127.0.0.0/8

# do not block Jails that are on 127.0.0.0/8
#$fwcmd 300 deny ip from 127.0.0.0/8 to any

$fwcmd 400 deny ip from any to ::1
$fwcmd 500 deny ip from ::1 to any

# Deny table 1 list of ip addresses for fail2ban
#$fwcmd 550 deny tcp from 'table(1)' to any

# ipv6 ND DAD
$fwcmd 600 allow ipv6-icmp from :: to ff02::/16

# ipv6 RS, RA, NS, NA, redirect
$fwcmd 700 allow ipv6-icmp from fe80::/10 to fe80::/10
$fwcmd 800 allow ipv6-icmp from fe80::/10 to ff02::/16

# Allow ICMPv6 destination unreachable
$fwcmd 900 allow ipv6-icmp from any to any ip6 icmp6types 1

# Allow NS/NA/toobig (don't filter it out)
$fwcmd 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136

# Allow packets for which a state has been built
$fwcmd 1100 check-state

# For services permitted below
$fwcmd 1200 allow tcp from $oif_ip to any established

# Allow any connection out, adding state for each
$fwcmd 1300 allow tcp from $oif_ip to any setup keep-state
$fwcmd 1400 allow udp from $oif_ip to any keep-state
$fwcmd 1500 allow icmp from $oif_ip to any keep-state
$fwcmd 1600 allow ipv6-icmp from $oif_ip to any keep-state

# Allow DHCP
$fwcmd 1700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
$fwcmd 1800 allow udp from any 67 to $oif_ip dst-port 68 in
$fwcmd 1900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
$fwcmd 2000 allow udp from fe80::/10 to $oif_ip dst-port 546 in

# ICMP: echo 8, DestUnreachable 3, SourceQuench 4, TimeExceeded 11
$fwcmd 2100 allow icmp from any to any icmptypes 8
$fwcmd 2200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
$fwcmd 2300 allow icmp from any to any icmptypes 3,4,11
$fwcmd 2400 allow ipv6-icmp from any to any ip6 icmp6types 3

# MyServices local
$fwcmd 2500 allow tcp from any to $oif_ip dst-port 22 setup keep-state

# NAT
$fwcmd 50000 nat 1 ip from any to any via $oif

# Accounting
$fwcmd 65000 count ip from any to any

# Drop Packets to ports where we don't want logging
#$fwcmd 65100 deny { tcp or udp } from any to any dst-port 23,135-139,445 in
#$fwcmd 65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
#$fwcmd 65300 deny { tcp or udp } from any to any dst-port 1433,1434 in

# Broadcasts and multicasts
#$fwcmd 65400 deny ip from any to 255.255.255.255
#$fwcmd 65510 deny ip from any to 224.0.0.0/24 in

# Noise from routers
#$fwcmd 65520 deny udp from any to any dst-port 520 in

# Noise from webbrowsing
#$fwcmd 65530 deny tcp from any 80,443 to any dst-port 1024-65535 in

# Log and drop all other ports
#$fwcmd 65534 deny log logamount 500 ip from any to any

# Default rule DROP: rule 65535 is provided by the kernel and denies unless
# the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT
#$fwcmd 65535 deny ip from any to any
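To make smithi's advice for Q1 ("trace the path through the ruleset with each packet") concrete on the lo0-jail ruleset above, here is an added first-match tracer. It is example code written for this thread, not ipfw(8) itself and not the poster's script. It models only the options the IPv4 part of that ruleset uses (protocol, src/dst network, dst-port, via, setup/established), assumes net.inet.ip.fw.one_pass=1 (a packet that hits the nat rule is accepted right after translation), reduces NAT instance 1 to its redirect_port list plus deny_in, and does not model dynamic state, so only the first packet of a flow is meaningful. Addresses and ports are the constructed ones from the post.

```python
"""First-match ipfw(8)-style rule tracer for the lo0-jail ruleset (added example).

Assumptions (not ipfw itself): one_pass=1, no dynamic state, NAT reduced to
the posted redirect_port list plus deny_in. Sample addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

HOST_IF, HOST_IP = "em0", "203.0.113.1"   # oif / oif_ip from the post
JAIL_IP = "127.0.0.10"                     # jail ip4.addr on lo0
NAT_REDIRECTS = {80: 80, 443: 443, 2222: 22}   # public port -> jail port


@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    iface: str          # interface the packet is seen on
    direction: str      # "in" or "out"
    syn_only: bool = False   # SYN without ACK: matches "setup"
    ack: bool = False        # ACK set: matches "established"


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def match(rule, p):
    """True when every option present in the rule matches the packet."""
    if rule.get("proto", "ip") not in ("ip", p.proto):
        return False
    if "src" in rule and not in_net(p.src, rule["src"]):
        return False
    if "dst" in rule and not in_net(p.dst, rule["dst"]):
        return False
    if "dport" in rule and p.dport != rule["dport"]:
        return False
    if "via" in rule and p.iface != rule["via"]:
        return False
    if rule.get("setup") and not p.syn_only:
        return False
    if rule.get("established") and not p.ack:
        return False
    return True


def nat1(p):
    """NAT instance 1: redirect_port on the way in, masquerade on the way out."""
    if p.direction == "in":
        if p.proto == "tcp" and p.dst == HOST_IP and p.dport in NAT_REDIRECTS:
            return replace(p, dst=JAIL_IP, dport=NAT_REDIRECTS[p.dport]), "allow"
        return p, "deny"     # deny_in: no redirect and no existing session
    sport = p.sport
    for pub, priv in NAT_REDIRECTS.items():   # reverse the redirect for replies
        if p.src == JAIL_IP and p.sport == priv:
            sport = pub
    if p.src != HOST_IP:
        return replace(p, src=HOST_IP, sport=sport), "allow"
    return p, "allow"


def ruleset(block_jail_sources=False):
    """IPv4 subset of the posted /etc/ipfw.rules as first-match rule dicts."""
    rules = [
        dict(num=100, action="allow", via="lo0"),
        dict(num=200, action="deny", dst="127.0.0.0/8"),
    ]
    if block_jail_sources:   # rule 300, which the post leaves commented out
        rules.append(dict(num=300, action="deny", src="127.0.0.0/8"))
    rules += [
        dict(num=1100, action="check-state"),
        dict(num=1200, action="allow", proto="tcp", src=HOST_IP, established=True),
        dict(num=1300, action="allow", proto="tcp", src=HOST_IP, setup=True),
        dict(num=1400, action="allow", proto="udp", src=HOST_IP),
        dict(num=2500, action="allow", proto="tcp", dst=HOST_IP, dport=22, setup=True),
        dict(num=50000, action="nat", via=HOST_IF),
        dict(num=65000, action="count"),
    ]
    return rules


def trace(p, rules):
    """Walk the rules first-match; return (verdict, rule number, packet, matched rules)."""
    matched = []
    for r in rules:
        if not match(r, p):
            continue
        matched.append(r["num"])
        if r["action"] == "nat":          # one_pass=1: accepted after translation
            p, verdict = nat1(p)
            return verdict, r["num"], p, matched
        if r["action"] in ("allow", "deny"):
            return r["action"], r["num"], p, matched
        # check-state / count: no state modelled, fall through
    return "deny", 65535, p, matched     # kernel default rule


if __name__ == "__main__":
    syn = Packet("tcp", "198.51.100.7", HOST_IP, 40000, 80, "em0", "in", syn_only=True)
    reply = Packet("tcp", JAIL_IP, "198.51.100.7", 80, 40000, "em0", "out", ack=True)
    for pkt, rules in ((syn, ruleset()), (reply, ruleset()), (reply, ruleset(True))):
        print(trace(pkt, rules))
```

Two things the trace makes visible: an inbound SYN to the host's port 80 passes rules 200 to 2500 without matching and is redirected to 127.0.0.10:80 by rule 50000, while the jail's reply still carries the 127.0.0.10 source on its outbound pass, so with rule 300 enabled it is dropped before the nat rule can rewrite it, which is why the post leaves that rule commented out. Rules 1200/1300 keyed on $oif_ip likewise do not see the reply, because the address is only rewritten at rule 50000.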
 