Jails and a single IP [longer mail]

Miroslav Prýmek m.prymek at gmail.com
Thu Jan 28 21:37:06 CET 2010


On 28.1.2010, at 19:40, Miroslav Lachman wrote:

> Miroslav Prýmek wrote:
> 
> [...]
> 
>> Just a reminder that I was talking about a connection originating FROM THE JAIL, so it
>> should first pass through tap0 and then fxp0 (where the NAT is done).
> 
> The rules you sent do not NAT.

Sorry, one line got dropped:

nat on $ext_if from !($ext_if) -> ($ext_if:0)

Anyway, after a bit of experimenting:
[test:~]# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
block drop log all
pass in on fxp0 proto udp from any to any port = bootps keep state
pass in on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass out log on fxp0 all flags S/SA keep state
block drop log on lo1 all    <------- just to be absolutely sure... it's redundant, I know

[test:~]# pfctl -sInterfaces -v
No ALTQ support in kernel
ALTQ related functions disabled
all
fxp0
fxp1
lo
lo0
lo1
pflog
pflog0

[test:~]# uname -a
FreeBSD test.dom 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May  1 08:49:13 UTC 2009     root@walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

This is driving me completely crazy :)

********************* IN THE JAIL:
[www-master:~]# ifconfig 
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
	ether XXXXXXXX
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo1: flags=8149<UP,LOOPBACK,RUNNING,PROMISC,MULTICAST> metric 0 mtu 16384
	inet 10.0.1.2 netmask 0xffffffff 

[www-master:~]# telnet 74.125.87.99 80
Trying 74.125.87.99...
Connected to hb-in-f99.1e100.net.       <-------------- connected, even though lo1 is blocked!
[www-master:~]# nc -kl 10.0.1.2 5555    <-------------- let's try a connection in the opposite direction...

********************* and then from the "MAIN ZONE" (non-jail):
[test:~]# ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
	ether X
	inet 192.168.2.13 netmask 0xffffff00 broadcast 192.168.2.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 10.0.1.254 netmask 0xffffffff 
	inet 10.0.1.1 netmask 0xffffffff 
	inet 10.0.1.2 netmask 0xffffffff 
	inet 10.0.1.3 netmask 0xffffffff 

[test:~]# telnet 10.0.1.2 5555      <-------------- let's try connecting to that listening netcat...
Trying 10.0.1.2...
telnet: connect to address 10.0.1.2: Operation not permitted
telnet: Unable to connect to remote host

That is fine, because everything on lo1 is blocked; the log correctly shows:
000884 rule 4/0(match): block out on lo1: 10.0.1.2.54472 > 10.0.1.2.5555:  tcp 40 [bad hdr length 0 - too short, < 20]

But from the jail I could get out! And when I run (outside the jail):
[test:~]# tcpdump -i lo1 

...and in the jail:
[www-master:~]# telnet 74.125.87.99 80
Trying 74.125.87.99...
Connected to hb-in-f99.1e100.net.

...then tcpdump shows NOTHING AT ALL. So does that mean that the jail's INCOMING connections really go through lo1, but OUTGOING ones go through fxp0
- i.e. the same as outside the jail?! (so there is no way to tell - if I am NATing - whether an OUTGOING connection originates from the jail or from the non-jail?!)

So I guess I really don't understand how the network stack works and that's just how it is...
Sorry for the long mail, this really got me :)
Anyway, thanks for any reactions and for confirming this behaviour on your side;
I'd like to know why it works so strangely!

take care

Mirek


P.S. one last addition - when I turn NAT off, tcpdump on fxp0 correctly captures the jail's IP address:
22:28:13.781048 IP 10.0.1.2.59316 > hb-in-f99.1e100.net.http: S 863008844:863008844(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 5534975 0>
and still nothing on lo1 :)
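
Added example (not part of Mirek's mail or of any reply in the thread): a pf.conf fragment showing why the jail's outbound flows become indistinguishable from the host's once the catch-all nat rule above is in place, and one way to keep them apart. pf evaluates translation rules before filter rules, so a "pass out" rule on fxp0 sees the post-NAT source address (fxp0's own) rather than 10.0.1.2; a tag set in the nat rule, however, is carried into the filter evaluation of the same packet, so "tagged" can still select jail-originated packets. Among translation rules the first match wins, so the jail-specific nat rule must precede the catch-all one. The fxp0 interface and the 10.0.1.x jail addresses are taken from the mail's output; the jail_net macro, the JAIL tag name and the permitted port lists are assumptions chosen for illustration.

```pf
# Added example, not from the original mail. Assumed names: jail_net,
# the JAIL tag and the port lists; fxp0 and 10.0.1.x come from the mail.
ext_if   = "fxp0"
jail_net = "10.0.1.0/24"

# Weak form (what the mail's ruleset amounts to): one NAT rule for
# everything. The "pass out" filter rule then sees only the translated
# source (fxp0's own address) and cannot tell jail from host traffic.
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#pass out log on $ext_if all flags S/SA keep state

# Corrected form: NAT the jail block with its own rule and tag it.
# Translation rules are first-match, so this one must come before the
# catch-all rule below.
nat on $ext_if from $jail_net tag JAIL -> ($ext_if:0)
nat on $ext_if from !($ext_if) -> ($ext_if:0)

block drop log all

# Host-originated traffic (not tagged in the nat step): anything outbound.
pass out log on $ext_if all ! tagged JAIL flags S/SA keep state

# Jail-originated traffic: only what the jail is meant to reach
# (assumed: HTTP/HTTPS and DNS), even though the source is already NATed.
pass out log on $ext_if proto tcp to any port { 80, 443 } tagged JAIL flags S/SA keep state
pass out log on $ext_if proto udp to any port 53 tagged JAIL keep state

# Inbound management on the host, as in the mail's ruleset.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; "pfctl -sr" will print the tagged filter rules and "pfctl -sn" the two nat rules in order. Since lo1 never carries the jail's outbound packets, a "block on lo1" rule contributes nothing to egress control; the tag on the nat rule is what lets the fxp0 filter rules apply a stricter policy to the jail than to the host.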


More information about the Users-l mailing list