Hi!
Thanks for your reply.
On 26.12.2016 15:32, Corl3ss wrote:
diffusae:
Hello!
Hi Diffusae
Does anybody know how to convert this to pf rules in FreeBSD:
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
I'm running a Tor client in a jail on a different IP and want to route only the .onion traffic through.
The DNS stuff is working fine, but I can't find a solution for the above iptables rule, which is working. I'd like to transparently do DNS and routing for .onion traffic on the network.
I looked into the wiki and also found some pf rules, which route all the traffic through Tor, but this only works locally.
The machine is on FreeBSD 11.0-STABLE. Tor is running in a jail with cloned loopback interface (lo1) and has also a private IP address on the main NIC.
I am running a Tor node in a Freebsd jail with the following pf rules :
scrub in all
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL
That looks good.
There is no "pass out quick" or "pass out on" statement?
It passes the exit traffic to the public IP. The incoming traffic is passed to the different jail IPs according to the port.
Is the outgoing traffic routed, too?
Be careful with the cloned interface and the /etc/hosts configurations for your BSD and jails. Misconfiguration also often leads to network problems.
Yes, that's it. I've tested the known rules for Transparent Proxy on a FreeBSD11 (amd64) VM.
https://github.com/lattera/transtor/blob/master/pf.conf
It was no problem to configure it with a cloned interface. It works on the fly, but there was no jail.
I've tried the same configuration with FreeBSD11 for armv6 (RPI-B), with and without a jail, and it only works locally and also dropped all other network connections. I am not sure if something is missing in the RPI ISO image snapshots, but the main problem should be the cloned interface. It was hard to discover, but in the end I had a "connection timeout".
Do you use any "special" configuration inside the jail? Like "defaultrouter=" or "gateway_enable=" on the host, etc? Only because of the NAT rule.
So, thanks again
Best regards,
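An added pf.conf example, not part of this thread and not taken from the transtor repository, showing one way to express the iptables REDIRECT rule above on FreeBSD 11's pf (which still uses the separate nat/rdr rule syntax). The interface names, the LAN range and the jail address are assumptions. The two points the thread does not spell out: pf's rdr only matches packets arriving on an interface, so traffic from other LAN hosts is redirected on the internal interface, while the host's own locally generated traffic (the iptables nat OUTPUT case) has to be sent back in through lo0 with route-to before an rdr on lo0 can catch it.

```pf
# /etc/pf.conf on the FreeBSD 11 host. Every name and address below is an
# assumption for illustration; adjust to the real interfaces and jail IP.
ext_if     = "em0"             # assumed: interface towards the internet
int_if     = "em1"             # assumed: interface towards the LAN clients
lan_net    = "192.168.1.0/24"  # assumed: LAN behind $int_if
tor_ip     = "10.0.0.2"        # assumed: the Tor jail's IP (on lo1 or an alias of $ext_if)
onion_net  = "10.192.0.0/10"   # range Tor maps .onion names into (VirtualAddrNetworkIPv4)
trans_port = "9040"            # Tor's TransPort inside the jail
dns_port   = "5353"            # Tor's DNSPort inside the jail

scrub in all

# Do NOT "set skip on lo0" here: the route-to trick below needs pf on lo0.

# Let the jail reach Tor relays from its private IP (same idea as the
# nat rule posted earlier in the thread).
nat on $ext_if from $tor_ip to any -> ($ext_if)

# 1) LAN hosts: equivalent of the iptables REDIRECT for forwarded traffic.
#    TCP from the LAN to the mapped .onion range lands on the jail's TransPort.
rdr pass on $int_if inet proto tcp from $lan_net to $onion_net -> $tor_ip port $trans_port

# Optional: send the LAN's DNS queries to Tor's DNSPort, so .onion names
# resolve to addresses in $onion_net (AutomapHostsOnResolve).
rdr pass on $int_if inet proto udp from $lan_net to any port domain -> $tor_ip port $dns_port

# 2) The host itself: equivalent of "-t nat -A OUTPUT". pf cannot rdr an
#    outbound packet, so route it back in via lo0, where the rdr catches it.
pass out quick route-to lo0 inet proto tcp to $onion_net flags S/SA keep state
rdr pass on lo0 inet proto tcp to $onion_net -> $tor_ip port $trans_port

# Anything for the .onion range that was not redirected must not leak out.
block drop out on $ext_if inet to $onion_net
```

For this to work, Tor in the jail has to listen on the jail address rather than 127.0.0.1, e.g. `TransPort 10.0.0.2:9040`, `DNSPort 10.0.0.2:5353`, `VirtualAddrNetworkIPv4 10.192.0.0/10` and `AutomapHostsOnResolve 1` in its torrc (addresses again assumed). Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and inspect the translation rules with `pfctl -s nat`; a "connection timeout" from a LAN client usually means the rdr never matched (wrong interface or direction) or TransPort is bound to a loopback address the redirected packet cannot reach.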