From: Erik Norgaard <norgaard@locolomo.org>
To: google@alexus.org
Cc: alexus, freebsd-questions@freebsd.org
Subject: Re: ipnat.conf - map and rdr won't work!
Date: Mon, 19 Jul 2010 18:38:23 +0200
Message-ID: <4C447F7F.6020308@locolomo.org>
References: <4C3F91CF.5090206@locolomo.org> <4C419944.8030702@locolomo.org>

On 19/07/10 16.46, alexus wrote:
>>>> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
>>>> pfctl -ss and similar.
>>> I don't know how to use tcpdump, can you provide exact syntax so I can run
>>> it?
>>
>> The man-page is excellent.
>
> tried that, unfortunately not really sure what I am doing.. still

Can't help you more, really, you need to investigate where packets are dropped. tcpdump is a great tool and the man-page is excellent, can't explain it better; if you don't like tcpdump then use any other packet sniffing tool at hand, snort for example.

Can packets get dropped because of your firewall default policy? For stealth it may be set to simply drop packets, which results in a connection time-out rather than a TCP-RST being sent.

Do packets get dropped because of nat on the way in? Or on the way out? What if you just disable ipnat? What if you flush the firewall rules? (disconnect from the Internet first)

Do you have any logs in the jail that indicate that the first packet is actually received? Does your firewall log connections? If not, see how you can enable logs on all rules to get more information.

Can you connect out from the jail, to external servers? Only to the jail hosting server? Did the jail's ssh log tell anything?

You wrote you can connect with ssh from the hosting server to the jail, but it took a long time, did you investigate this? Is there some DNS issue that times out and causes the connection to fail?

Can you ping your jail? Can you ping out? Is the default route configured?

There are tons of tests you can do to figure out what's failing.

BR, Erik
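As an added example, not part of this thread: the "where are packets dropped" questions above amount to comparing what tcpdump sees on the external interface with what actually reaches the jail. The Python below parses `tcpdump -n` output captured on both sides and reports the first missing leg of a redirected TCP handshake (SYN in, SYN redirected, SYN-ACK from the jail, SYN-ACK translated back out); the interface roles, addresses and ports are constructed assumptions, not values from the thread.

```python
import re

# Matches the address and flags fields of a "tcpdump -n" line, e.g.
# "18:38:23.100 IP 203.0.113.5.51234 > 198.51.100.10.2222: Flags [S], ..."
_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def parse(lines):
    """Return (src, sport, dst, dport, flags) for each TCP line tcpdump printed."""
    pkts = []
    for line in lines:
        m = _LINE.search(line)
        if m:
            pkts.append((m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return pkts

def _seen(pkts, src=None, dst=None, flags=""):
    """True if some packet has the given (ip, port) endpoints and at least these flags."""
    return any((src is None or (p[0], p[1]) == src)
               and (dst is None or (p[2], p[3]) == dst)
               and set(flags) <= set(p[4]) for p in pkts)

def diagnose(outside, inside, public, jail):
    """outside/inside: tcpdump lines captured on the external and the jail-facing
    interface; public/jail: (ip, port) before and after the rdr translation.
    Returns the first leg of the redirected TCP handshake that is missing."""
    o, i = parse(outside), parse(inside)
    if not _seen(o, dst=public, flags="S"):
        return "no SYN reaches the external interface"
    if not _seen(i, dst=jail, flags="S"):
        return "SYN arrives but is not redirected to the jail"
    if not _seen(i, src=jail, flags="S."):       # tcpdump shows SYN-ACK as [S.]
        return "jail receives SYN but sends no SYN-ACK"
    if not _seen(o, src=public, flags="S."):
        return "jail answers but reply is not translated on the way out"
    return "handshake translated in both directions"

# Constructed sample captures (assumed addresses, not from the thread): client
# 203.0.113.5 connects to the host's public 198.51.100.10:2222, which rdr should
# map to jail 10.0.0.2:22. The jail never answers, so the SYN-ACK leg is missing.
PUBLIC, JAIL = ("198.51.100.10", 2222), ("10.0.0.2", 22)
OUTSIDE = ["18:38:23.100 IP 203.0.113.5.51234 > 198.51.100.10.2222: Flags [S], seq 1, win 65535, length 0"]
INSIDE = ["18:38:23.101 IP 203.0.113.5.51234 > 10.0.0.2.22: Flags [S], seq 1, win 65535, length 0"]

if __name__ == "__main__":
    print(diagnose(OUTSIDE, INSIDE, PUBLIC, JAIL))
```

Feed it the output of two simultaneous captures (one on the external interface, one on the jail's interface) to narrow the fault to the firewall, the rdr rule, the jail's service, or the return translation.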