[Solved] Trying to modify a PF.CONF

Hi pals,

I am trying to modify a pf.conf that I copied from someone else, but my changes don't work.
I copied this configuration to let my Bastille capsule be exposed to the outside. Unfortunately, since my cheap VPS is very small, Bastille has become a burden and I would like to move GMID, my Gemini server, directly onto the host. I tested GMID and it is working fine; what I believe is creating the issue is a bad PF setup.

This was my original pf.conf:
Code:
ext_if="vtnet0"

# ! IMPORTANT: this needs to be set before you can start using it!
ext_addr=216.155.156.157

# gmid related
gmid_addr=10.10.2.20

set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo

table <jails> persist
nat on $ext_if from <jails> to any -> $ext_addr

# container routes
rdr pass inet proto tcp from any to port 1965 -> $gmid_addr port 1965

# Enable dynamic rdr (see below)
rdr-anchor "rdr/*"

block in all
pass out quick modulate state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 20/3600, overload <bruteforce> flush global)

And this is what I invented:

Code:
vtnet0="vtnet0"

set block-policy return
scrub in on $vtnet0 all fragment reassemble
set skip on lo

pass inet proto tcp from any to port 1965

block in all
pass out quick modulate state
antispoof for $vtnet0 inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 20/3600, overload <bruteforce> flush global)

But of course it isn't working.
I know the error is in this line: pass inet proto tcp from any to port 1965, but I can't figure out how to resolve it!

Any help, recommendation and suggestion is very much appreciated!
Thanks in advance!
 

The last matching rule decides what action is taken. If no rule matches the packet, the default action is to pass the packet.

So isn't that block in all going to "win" and block the incoming packet? What if you move the pass 1965 line below the block in all?
 
Do you mean you get an error message? In that case, what is the error message?

Or do you mean there is an error in your logic, and that line doesn't do what you expect?

Gemini servers listen on port 1965. I do believe this port is not opened properly in PF; otherwise my capsule should work:


However, GMID is listening on port 1965:

Code:
sockstat -l | grep gmid
_gmid    gmid         863 8   tcp4   *:1965                *:*
_gmid    gmid         863 9   tcp6   *:1965                *:*
_gmid    gmid         862 8   tcp4   *:1965                *:*
_gmid    gmid         862 9   tcp6   *:1965                *:*
_gmid    gmid         861 8   tcp4   *:1965                *:*
_gmid    gmid         861 9   tcp6   *:1965                *:*
 

The last matching rule decides what action is taken. If no rule matches the packet, the default action is to pass the packet.

So isn't that block in all going to "win" and block the incoming packet? What if you move the pass 1965 line below the block in all?

Actually, it worked!!!
 
So you moved the pass line for port 1965 BELOW the block in all?

That way the last matching rule is the pass and it lets incoming port 1965 traffic pass.
 
richardtoohey2

Correct:

Code:
vtnet0="vtnet0"

set block-policy return
scrub in on $vtnet0 all fragment reassemble
set skip on lo

block in all
pass inet proto tcp from any to port 1965
pass out quick modulate state
antispoof for $vtnet0 inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 20/3600, overload <bruteforce> flush global)

I hope these rules make sense to protect my capsule...
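
The reason the reordering fixed it is the evaluation order richardtoohey2 quoted: PF walks the ruleset top to bottom and the last matching rule decides, unless a matching rule is marked quick, which ends evaluation on the spot. The following Python is an added example, not code from this thread or from PF itself: a deliberately small model of that evaluation, run over the rule order from the first attempt, the rule order from the working version, and a third variant (my own, not posted above) where the port 1965 rule carries quick so that its position no longer matters. The model only looks at direction, protocol and destination port; scrub, antispoof, state tracking, the flags S/SA filter and the rdr anchor are left out on purpose, and all rulesets and packets are constructed here.

```python
"""Toy model of PF rule evaluation: last matching rule wins, unless 'quick'.

Constructed for illustration; it is not PF and models only direction,
protocol and destination port.
"""
from dataclasses import dataclass
from typing import Optional, List, Dict


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the host
    proto: str       # "tcp", "udp", ...
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # None = rule has no in/out keyword, matches both
    proto: Optional[str] = None        # None = any protocol
    dport: Optional[int] = None        # None = any destination port
    quick: bool = False                # 'quick' stops evaluation when the rule matches

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "pass") -> str:
    """Return the action the ruleset takes for pkt.

    Rules are walked top to bottom and every match overwrites the decision,
    so the *last* matching rule wins; a matching 'quick' rule breaks out
    immediately. With no match at all the packet passes (PF's default).
    """
    decision = default
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision


# Rule order from the first attempt: the pass for 1965 sits ABOVE 'block in all'.
BROKEN = [
    Rule("pass", proto="tcp", dport=1965),                      # pass inet proto tcp from any to port 1965
    Rule("block", direction="in"),                              # block in all
    Rule("pass", direction="out", quick=True),                  # pass out quick modulate state
    Rule("pass", direction="in", proto="tcp", dport=22),        # pass in ... port ssh ...
]

# Rule order from the working version: the pass for 1965 sits BELOW 'block in all'.
FIXED = [
    Rule("block", direction="in"),
    Rule("pass", proto="tcp", dport=1965),
    Rule("pass", direction="out", quick=True),
    Rule("pass", direction="in", proto="tcp", dport=22),
]

# Hypothetical variant (not in the thread): 'pass quick' for 1965 placed first.
# Because the match is quick, the later 'block in all' never gets a say.
QUICK_FIRST = [
    Rule("pass", proto="tcp", dport=1965, quick=True),
    Rule("block", direction="in"),
    Rule("pass", direction="out", quick=True),
    Rule("pass", direction="in", proto="tcp", dport=22),
]

# Constructed sample traffic: a Gemini client, an SSH client, an unrelated
# inbound probe, and an outbound HTTPS connection from the host.
SAMPLE = {
    "in tcp/1965 (gemini)": Packet("in", "tcp", 1965),
    "in tcp/22 (ssh)": Packet("in", "tcp", 22),
    "in tcp/80 (probe)": Packet("in", "tcp", 80),
    "out tcp/443 (host egress)": Packet("out", "tcp", 443),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate every sample packet against one ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("BROKEN", BROKEN), ("FIXED", FIXED), ("QUICK_FIRST", QUICK_FIRST)):
        print(label)
        for name, action in decisions(rules).items():
            print(f"  {name:28s} -> {action}")
```

In the first ordering the Gemini packet matches the pass rule and then the block rule, and the block, being last, wins; in the working ordering the same two rules match in the opposite order, so the pass wins. Outbound traffic passes in every variant because pass out quick ends evaluation as soon as it matches. Against the real ruleset, pfctl -nf /etc/pf.conf parses the file without loading it, and pfctl -sr prints the loaded rules in the order PF evaluates them, which is the order that matters here.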
 