I set up a DigitalOcean droplet with 10.3-zfs, installed iocage and copied in a working 10.3 jail that has nginx already set up. The jail's IP is assigned to tap0 and I am trying to use IPFW+NAT to create a stateful firewall to allow the jail limited external access. With SSL off there is no problem, but as soon as I turn it on the connection drops, causing errors:
curl: Unknown SSL protocol error in connection
nginx: peer closed connection in SSL handshake (13: Permission denied)
Looks as if the firewall started blocking the connection after part of the SSL handshake has taken place.
Here is the IPFW configuration:
Code:
00020 allow ip from any to any via lo0
00021 allow ip from any to any via tap0
00900 nat 100 ip from any to me in
01000 check-state
01010 skipto 20000 tcp from any to me dst-port 7443 via vtnet0 in setup keep-state
01020 skipto 20000 tcp from any to any via vtnet0 out setup keep-state
01021 skipto 20000 udp from any to any via vtnet0 out keep-state
01050 allow tcp from any to any established
01100 allow udp from any to any established
02000 allow ip from any to any out keep-state
02050 allow ip6 from any to any out keep-state
02100 allow ipv6-icmp from any to any keep-state
02150 allow icmp from any to any keep-state
10000 allow tcp from any to any dst-port 22 in keep-state
19999 deny log ip from any to any
20000 nat 100 ip from any to any via vtnet0 out
29999 allow ip from any to any
64000 deny log ip from any to any
65535 deny ip from any to any
ipfw nat 100 config if vtnet0 unreg_only reset redirect_port tcp 172.20.76.201:7443 7443
Code:
# /etc/sysctl.conf
net.inet.ip.fw.one_pass=0
Can anyone see what is wrong/missing in the above rule set?
Or point me to some example of using the ipfw nat command as there seems to be very little information about using this method; most examples I found use natd.
It is only nginx+ssl that has the problem; openssl s_server works in the jail without problems. For the present I just switched to using pf, which does not appear to have this problem.
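As an added example (not the poster's own script, and not taken from FreeBSD's documentation), here is a self-contained sh script that builds a stateful ipfw in-kernel NAT rule set of the same shape as the listing above: a single nat instance on the external interface with a redirect_port to the jail, inbound de-NAT before check-state, skipto-to-NAT dynamic rules for new connections, and one_pass=0 so packets continue past the nat rule. The interface names vtnet0 and tap0, the jail address 172.20.76.201 and port 7443 are taken from the post; the rule numbers, the dry-run wrapper and the offload check at the end are assumptions made for this example. It also carries one caveat a practitioner checks early with in-kernel NAT on a virtual NIC: whether TCP segmentation and transmit checksum offload are enabled on the external interface, since libalias rewrites packets before the NIC finishes them.

```shell
#!/bin/sh
# Added example: stateful ipfw in-kernel NAT for a jail whose address sits
# on tap0, laid out like the listing in the post above. Not the poster's
# script. Interface names, jail address and forwarded port come from the
# post; rule numbers, the dry-run wrapper and the offload check are
# assumptions made for this example.
#
#   ./ipfw-jail-nat.sh          dry run: print the commands that would run
#   ./ipfw-jail-nat.sh apply    install the rules (needs root)

EXT_IF=vtnet0            # external interface
JAIL_IF=tap0             # interface carrying the jail's address
JAIL_IP=172.20.76.201    # jail address
JAIL_PORT=7443           # TCP port forwarded from the host to the jail
NAT_ID=100

# Every privileged command goes through run(), so DRY_RUN=1 turns the whole
# script into a printer of the exact ipfw/sysctl invocations.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$@"; else "$@"; fi
}

build_ruleset() {
    # With one_pass=1 (the default) a packet handled by a nat rule is
    # accepted on the spot and never reaches the skipto/allow rules below.
    run sysctl net.inet.ip.fw.one_pass=0
    run ipfw -q -f flush

    # One NAT instance bound to the external interface: translate only
    # private (RFC 1918) sources, reset the translation table when the
    # interface address changes, and forward TCP/$JAIL_PORT to the jail.
    run ipfw -q nat $NAT_ID config if $EXT_IF same_ports unreg_only reset \
        redirect_port tcp $JAIL_IP:$JAIL_PORT $JAIL_PORT

    # Loopback and the jail's own interface are trusted.
    run ipfw -q add 20 allow ip from any to any via lo0
    run ipfw -q add 21 allow ip from any to any via $JAIL_IF

    # Inbound: de-NAT first so the rules below see the jail as destination,
    # then pass packets that belong to existing dynamic state.
    run ipfw -q add 900 nat $NAT_ID ip from any to any in via $EXT_IF
    run ipfw -q add 1000 check-state

    # New inbound connections to the forwarded port. The dynamic rule keeps
    # the skipto as its action, so the jail's replies are sent to the
    # outbound nat rule at 20000 and leave with the host's address.
    run ipfw -q add 1010 skipto 20000 tcp from any to $JAIL_IP dst-port $JAIL_PORT \
        in via $EXT_IF setup keep-state

    # New outbound connections from the host or the jail, NATed on the way out.
    run ipfw -q add 1020 skipto 20000 tcp from any to any out via $EXT_IF setup keep-state
    run ipfw -q add 1021 skipto 20000 udp from any to any out via $EXT_IF keep-state
    run ipfw -q add 1022 skipto 20000 icmp from any to any out via $EXT_IF keep-state

    # Management access to the host itself.
    run ipfw -q add 10000 allow tcp from any to me dst-port 22 in via $EXT_IF setup keep-state

    # Anything not matched above is dropped and logged.
    run ipfw -q add 19999 deny log ip from any to any

    # Reached only through skipto: translate, then (one_pass=0) fall
    # through to the allow rule.
    run ipfw -q add 20000 nat $NAT_ID ip from any to any out via $EXT_IF
    run ipfw -q add 29999 allow ip from any to any
    run ipfw -q add 64000 deny log ip from any to any
}

# In-kernel NAT (libalias) is known to interact badly with TCP segmentation
# and transmit checksum offload on the interface it translates for.
# This helper reads ifconfig(8) output on stdin and names the offload
# features that are enabled, so it can be checked offline.
offload_warnings() {
    awk '/options=/ {
        if ($0 ~ /TSO4|TSO6|VLAN_HWTSO/) print "tso"
        if ($0 ~ /TXCSUM/) print "txcsum"
    }'
}

# Constructed sample of ifconfig output (not captured from the poster's host).
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>'

case "${1:-}" in
    apply)
        DRY_RUN=
        build_ruleset
        # If anything is reported here, try: ifconfig $EXT_IF -tso -txcsum
        ifconfig "$EXT_IF" | offload_warnings | sed "s/^/warning: $EXT_IF has /"
        ;;
    *)
        DRY_RUN=1
        build_ruleset
        printf '%s\n' "$SAMPLE_IFCONFIG" | offload_warnings | sed 's/^/sample ifconfig shows /'
        ;;
esac
```

Run it without arguments first and read the printed commands; then `apply` as root. While testing a handshake, `ipfw -d list` shows the dynamic rules and which parent rule (and therefore which skipto target) each one carries, which is the quickest way to see whether the jail's replies are actually reaching the outbound nat rule.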