Date:      Wed, 9 Jul 2014 16:24:27 +1000 (EST)
From:      Peter Ross <Peter.Ross@alumni.tu-berlin.de>
To:        Peter Ross <Peter.Ross@alumni.tu-berlin.de>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: vnet jail and ipfw/nat on host - keep-state problem?
Message-ID:  <alpine.DEB.2.02.1407091622060.32174@PetersBigBox>
In-Reply-To: <alpine.DEB.2.02.1407091517130.32174@PetersBigBox>
References:  <alpine.DEB.2.02.1407091517130.32174@PetersBigBox>

P.S. I also have the following rules near the top:

01000 check-state
01100 allow tcp from any to any established
01200 allow ip from any to any frag

Peter

On Wed, 9 Jul 2014, Peter Ross wrote:

> Hi all,
>
> I am setting up a host with vnet jails without a public IP.
>
> E.g. a vnet jail with a DNS server (bind) running inside.
>
> The setup:
>
> Internet->age0(host interface with natd and external IP)
> ->bridge10(10.0.10.254)->epair1a
> ->epair1b(10.0.10.1 in bind vnet jail)
>
> Inside the jail I have a simple open ipfw firewall
> (ipfw allow ip4 from any to any)
>
> Here are the rules relevant to letting UDP port 53 connect from the outside world
> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53"):
>
> 00100 divert 8668 ip4 from any to any via age0
> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
> 03200 allow udp from any to me dst-port 53 keep-state
>
> This does not allow DNS requests from the outside; they only get returned by
> adding
>
> 03300 allow udp from me 53 to any
>
> I am pretty confident that the rules above work with "real interfaces". I 
> have similar routers with ipfw/natd, there things are even more limited by 
> interface rules (recv/xmit).
>
> Does this mean "keep-state" is not working properly in the mentioned vnet
> setup?
>
> Regards
> Peter
>
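One check worth running while debugging the question above, added here as an example and not part of the thread: after sending a query through natd, list the dynamic rules with `ipfw -d list` and confirm that rule 3100 actually created a state entry for the jail's 10.0.10.1:53. The sample listing below is constructed, and its column layout (rule, packets, bytes, age, STATE, proto, src sport <-> dst dport) is an assumption about the ipfw output format.

```shell
#!/bin/sh
# Added example: check whether a keep-state rule produced a dynamic entry for
# the jail's DNS address. Input is the text of `ipfw -d list`; the sample is
# constructed and its column layout is assumed.

SAMPLE_DYN='00100 divert 8668 ip4 from any to any via age0
01000 check-state
03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
03200 allow udp from any to me dst-port 53 keep-state
## Dynamic rules (1 256):
03100 1 75 (9s) STATE udp 198.51.100.7 40321 <-> 10.0.10.1 53'

# dyn_states_for HOST PORT: read an `ipfw -d list` listing on stdin and print
# the dynamic STATE lines whose destination is HOST:PORT.
# Exit status 0 if at least one such entry exists, 1 otherwise.
dyn_states_for() {
    awk -v h="$1" -v p="$2" '
        /STATE/ {
            d = ""; dp = ""
            # the "<->" token separates the source and destination pairs
            for (i = 1; i <= NF; i++) if ($i == "<->") { d = $(i+1); dp = $(i+2) }
            if (d == h && dp == p) { found = 1; print }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# parent_rule_of_state HOST PORT: number of the static rule (first column)
# that created the state for HOST:PORT in SAMPLE_DYN, empty if none.
parent_rule_of_state() {
    printf '%s\n' "$SAMPLE_DYN" | dyn_states_for "$1" "$2" | awk '{ print $1; exit }'
}

# Live usage on the host: ipfw -d list | dyn_states_for 10.0.10.1 53
```

If no entry shows up for 10.0.10.1:53 after a query, the keep-state rule never saw the packet it was expected to match, whereas the stateless rule 3300 passes UDP from port 53 whether or not a query preceded it, so it hides rather than answers that question.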