diffusae:

>>> I am running a Tor node in a FreeBSD jail with the following pf rules:
>>>
>>> scrub in all
>>> nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
>>> rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL ->
>>> $IP_JAIL_TOR port $PORT_TOR_JAIL
>>
>> That looks good.
>>
>> There is no "pass out quick" or "pass out on" statement?

Sure, there is.

pass out on $ext_if proto { tcp udp icmp } all modulate state

Be sure to flush and reload the rules before testing, but you certainly did.

>>> It passes the exit traffic to the public IP. The incoming traffic is
>>> passed to the different jail IPs according to the port.
>>
>> Is the outgoing traffic routed, too?
>>
>>> Be careful with the cloned interface and the /etc/hosts configurations
>>> for your BSD and jails. Misconfiguration also often leads to network
>>> problems.
>>
>> Yes, that's it. I've tested the known rules for Transparent Proxy on a
>> FreeBSD11 (amd64) VM.
>>
>> https://github.com/lattera/transtor/blob/master/pf.conf
>>
>> It was no problem to configure it with a cloned interface. It works on
>> the fly, but there was no jail.
>>
>> I've tried the same configuration with FreeBSD11 for armv6 (RPI-B), with
>> and without a jail and it only works locally and also dropped all other
>> network connections. I am not sure if something is missing in RPI
>> ISO-Images Snapshots,

Would be surprising as not much is needed to make it work.

>> but the main problem should be the cloned interface.
>>
>> It was hard to discover, but in the end, I have had a "connection timeout".
>> Do you use any "special" configuration inside the jail?

Nothing more than an operational resolv.conf and an adapted /etc/hosts

>> Like "defaultrouter=" or "gateway_enable=" on the host, etc?

Yes, both are configured/activated in /etc/rc.conf (like pf and pflog)
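For reference, here is the complete ruleset the pieces quoted in this thread add up to, written out as a single pf.conf in section order (options, scrub, translation, filter), with a default-deny filter policy around them. This is an added example and not the poster's own file; every macro value is a constructed placeholder, and the management pass-in rule and antispoof line are additions not mentioned in the thread.

```pf
# Added example (not from the thread): full pf.conf for a Tor relay in a FreeBSD jail.
# All macro values are placeholders; substitute your own interface, addresses and ORPort.
ext_if        = "re0"            # placeholder: host's public interface
jail_if       = "lo1"            # placeholder: cloned loopback carrying the jail IPs
IP_PUB        = "192.0.2.10"     # placeholder: host's public address (documentation range)
NET_JAIL      = "10.10.0.0/24"   # placeholder: network of the jail addresses on $jail_if
IP_JAIL_TOR   = "10.10.0.2"      # placeholder: address of the Tor jail
PORT_TOR_JAIL = "9001"           # placeholder: ORPort configured in the jail's torrc
admin_net     = "198.51.100.0/24"  # placeholder: network allowed to reach the host's sshd

# Options and normalization come first; pf rejects a file that mixes section order.
set skip on lo0                  # never filter the host's own loopback
scrub in all

# Translation rules (nat/rdr) must precede filter rules in pf.conf.
# Outbound: jail traffic leaves with the public address, so relay/exit traffic is routable.
nat pass on $ext_if from $NET_JAIL to any -> $IP_PUB
# Inbound: only the ORPort is forwarded into the Tor jail. "rdr pass" creates the state
# entry itself, so no separate "pass in" rule is required for this port.
rdr pass on $ext_if proto tcp from any to $IP_PUB port $PORT_TOR_JAIL -> $IP_JAIL_TOR port $PORT_TOR_JAIL

# Filter rules: deny everything not explicitly allowed, and log what gets dropped
# so a "connection timeout" can be traced with tcpdump on pflog0.
block in log all
antispoof quick for { lo0 $ext_if }          # drop packets claiming our own addresses on the wrong interface
pass in on $jail_if all                      # traffic between host and jails on the cloned interface
pass in on $ext_if proto tcp from $admin_net to $IP_PUB port ssh   # management access only from the admin network
pass out on $ext_if proto { tcp udp icmp } all modulate state
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`, then flush and reload (`pfctl -F all -f /etc/pf.conf`) so stale states and the old translation rules do not mask the change; together with `gateway_enable="YES"` in /etc/rc.conf, the `pass in on $jail_if` rule is what lets the jail's routed traffic reach the nat rule on the way out, and without it the relay only works locally, the symptom described above for the RPI build.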
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays