Hello,
I'm trying to isolate an app running on OpenBSD at the network level, and so I
have started the app in a specific rdomain.
I can successfully make traffic from the rdomain to reach Internet:
pass out quick on rdomain 1 to any nat-to (egress) rtable 0
But I cannot figure out how to make the app in rdomain 1 communicate with
daemons in the default rdomain (0).
With the above rule I would see something like this on lo0 (rdomain 0):
Jan 31 16:04:22.285915 199.195.x.x.60666 > 199.195.x.x.53: 14874+ NS? .(17)
Tested with route -T 1 exec dig @199.195.x.x www.openbsd.org.
It seems it does not know how to send back the replies?
Without 'nat-to (egress)' the replies would just be sent via the default gateway in
rdomain 0:
mx1# tcpdump -i vio0 -n -e -ttt icmp
tcpdump: listening on vio0, link-type EN10MB
Jan 31 16:08:27.053592 00:16:a1:5d:50:b6 00:12:f2:f2:1a:00 0800 98:
199.195.x.x > 172.16.1.2: icmp: echo reply
(172.16.1.2 was the IP in rdomain 1)
Any idea what the PF rule would be to make this work, i.e. make an app in
rdomain X talk to daemons in rdomain 0?
I also tried to use pair interfaces, but that failed too.
Jiri
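As an added example (not the poster's configuration and not an answer from the thread), here is the pair(4) layout that the OpenBSD pair(4) manual describes for linking two rdomains, adapted to the rdomain 0 / rdomain 1 case above. The idea is that rdomain 1 gets a default route through a pair link whose other end sits in rdomain 0, so a daemon in rdomain 0 replying to the rdomain 1 address has a connected route back over pair0 instead of sending the reply out the default gateway. The addresses 10.0.0.1/30 and 10.0.0.2/30, the interface names pair0/pair1 and the PF lines printed by `pf_rules` are assumptions; the script needs root on OpenBSD, and `DRY_RUN=1` only prints the commands.

```shell
#!/bin/sh
# Added example, not the poster's setup: link rdomain 1 to rdomain 0 with pair(4)
# so that an app started via `route -T 1 exec` can reach daemons in rdomain 0
# and the replies are routed back over the pair link.
# Assumed values (not from the original post):
RD=1                 # the isolated rdomain
RD0_ADDR=10.0.0.1    # pair0 end, lives in rdomain 0
RD1_ADDR=10.0.0.2    # pair1 end, lives in rdomain 1

# run: execute a command, or print it when DRY_RUN=1 (for review on a non-OpenBSD box)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pair_setup: create the pair link, put one end in rdomain 1, patch the two
# ends together and give rdomain 1 a default route via the rdomain 0 end.
pair_setup() {
    run ifconfig pair0 create
    run ifconfig pair1 create
    run ifconfig pair1 rdomain "$RD"
    run ifconfig pair0 inet "$RD0_ADDR/30"
    run ifconfig pair1 inet "$RD1_ADDR/30"
    run ifconfig pair0 patch pair1
    # 10.0.0.1 is on-link in rdomain 1 via pair1, so it is a valid gateway there
    run route -T "$RD" add default "$RD0_ADDR"
}

# pf_rules: print the pf.conf lines this layout assumes (merge into pf.conf by hand).
# With the pair link, Internet-bound traffic from rdomain 1 already arrives in
# rdomain 0 on pair0, so NAT happens on egress and no `rtable 0` rewrite is needed.
pf_rules() {
    cat <<EOF
pass on { pair0 pair1 }
match out on egress inet from $RD1_ADDR/32 nat-to (egress)
EOF
}

# Usage (as root on OpenBSD):  sh pair_rdomain.sh apply
#        review only:          DRY_RUN=1 sh pair_rdomain.sh apply
if [ "${1:-}" = apply ]; then
    pair_setup
    pf_rules
fi
```

After this, `route -T 1 exec dig @10.0.0.1 www.openbsd.org` reaches a resolver in rdomain 0 that listens on 10.0.0.1 (or on all addresses), and the reply to 10.0.0.2 leaves rdomain 0 over pair0 rather than via the rdomain 0 default gateway.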