From owner-freebsd-questions@FreeBSD.ORG Sat Jul 17 11:51:36 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 98986106566B for ; Sat, 17 Jul 2010 11:51:36 +0000 (UTC) (envelope-from norgaard@locolomo.org)
Received: from mail.locolomo.org (97.pool85-48-194.static.orange.es [85.48.194.97]) by mx1.freebsd.org (Postfix) with ESMTP id 4848D8FC08 for ; Sat, 17 Jul 2010 11:51:36 +0000 (UTC)
Received: from beta.local (business-088-079-092-162.static.arcor-ip.net [88.79.92.162]) by mail.locolomo.org (Postfix) with ESMTPSA id 8185C1C0871; Sat, 17 Jul 2010 13:51:34 +0200 (CEST)
Message-ID: <4C419944.8030702@locolomo.org>
Date: Sat, 17 Jul 2010 13:51:32 +0200
From: Erik Norgaard
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.4) Gecko/20100608 Lightning/1.0b2 Thunderbird/3.1
MIME-Version: 1.0
To: google@alexus.org
References: <4C3F91CF.5090206@locolomo.org>
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: alexus, freebsd-questions@freebsd.org
Subject: Re: ipnat.conf - map and rdr won't work!
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 17 Jul 2010 11:51:36 -0000

On 16/07/10 02.56, alexus wrote:
>>>> su-3.2# cat /etc/ipnat.rules
>>>> map fxp0 lama -> 0/32
>>>> rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp
>>
>> What's that first rule supposed to do?
>
> provides a NAT within jail

Just guessing, try to put the rdr rule first. Another thing, the firewall/nat may be loaded before starting the jail and thus be unaware of interfaces etc. assigned to the jail.
>>>> su-3.2# ifconfig
>>>> vr0: flags=8943 metric 0 mtu 1500
>>>>         inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
>>>> fxp0: flags=8843 metric 0 mtu 1500
>>>>         inet 64.52.58.58 netmask 0xffffffe0 broadcast 64.52.58.63
>>
>> Where is this? This "su-3.2" is a bit confusing; it would be useful to set your
>> hostname to "jail" within the jail...
>
> su-3.2 is a host environment where the jail is hosted

And from within the jail, what do you see? From what I understand 172.16.172.16 is the jail IP?

>> I think it is typical for jails to clone the loopback interface for this
>> setup.
>
> not sure what you mean by this...
> if you are referring to this statement as if you thought this is the jail itself,
> then this is not the jail, this is the host environment (where the jail is hosted)

>> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
>> pfctl -ss and similar.
>
> su-3.2# pfctl -ss
> pfctl: /dev/pf: No such file or directory
> su-3.2#

Ah, you use ipfilter?

> I don't know how to use tcpdump, can you provide the exact syntax so I can run it?

The man-page is excellent.

>> anyone?
>>
>> If nobody replies, maybe try to rephrase your question, investigate further
>> and provide additional information rather than just repost.
>
> I was under the impression that I pretty much covered all bases, or at
> least I thought so ... apparently not...

Honestly, I don't have a clear picture of what works and what doesn't, or where. You haven't posted your jail config from rc.conf, and you could help by making it clear when running any command whether this is in the jail (jail#), on the hosting system (hostname#) or on the client (client#), etc...

BR, Erik
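As an added example (not code from the thread; Erik only names the pieces), the POSIX shell script below puts his three suggestions into runnable form: a rule file with the rdr rule ahead of the map rule, a reload of ipnat after the jail is up, and the tcpdump invocation alexus asked for. The interface names and addresses are the ones alexus posted (fxp0 = 64.52.58.58 on the host, the jail reachable as "lama" at 172.16.172.16 on vr0); the file path and the "apply"/"watch" arguments are assumptions made for this example. The ordering check only encodes Erik's guess mechanically; it is not a statement about how ipnat evaluates rules.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names and addresses are the
# ones alexus posted; the rule file path and the apply/watch arguments are
# assumptions made for this example.

RULES=${RULES:-/etc/ipnat.rules}

# Erik's first suggestion: rdr ahead of map. Writes the rule file to $1.
write_rules() {
    cat > "$1" <<'EOF'
# Redirect inbound ssh on the public address to the jail. ipnat resolves
# "lama" when it parses this file, so the name must resolve on the host.
rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp
# Masquerade the jail's outbound traffic behind fxp0's own address (0/32).
map fxp0 lama -> 0/32
EOF
}

# Mechanical check of that ordering: exit 0 when no rdr rule for an
# interface comes after a map rule for the same interface, exit 1 otherwise.
rdr_before_map() {
    awk '
        $1 == "map" { seen_map[$2] = 1 }
        $1 == "rdr" && seen_map[$2] { bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Erik's second point: if ipnat was loaded at boot, before the jail started,
# reload it once the jail (and therefore "lama") exists.
reload_nat() {
    ipnat -CF -f "$RULES"   # -C: remove rules, -F: flush active entries, -f: load file
    ipnat -l                # list the rules and sessions actually in the kernel
}

# The tcpdump syntax alexus asked for: -n no name lookups, -i interface,
# then a BPF filter for ssh to or from either address involved.
watch_ssh() {
    tcpdump -ni "$1" 'tcp port 22 and (host 64.52.58.58 or host 172.16.172.16)'
}

# Only touch the running system when explicitly asked, and only as root.
case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        write_rules "$RULES"
        rdr_before_map "$RULES" || echo "warning: a map rule precedes an rdr rule" >&2
        reload_nat
        ;;
    watch)
        watch_ssh "${2:-fxp0}"
        ;;
esac
```

Run `sh nat.sh apply` on the host after the jail is running, then `sh nat.sh watch fxp0` while a client connects to 64.52.58.58. Because the jail's address is configured on the host itself, the redirected packet is delivered locally rather than leaving on vr0, so confirm the rewrite with `ipnat -l`, which lists both the loaded rules and the active NAT sessions; an empty list is the quickest sign that the rules were never loaded at all.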