From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 12 10:41:34 2010
From: Michael
Date: Mon, 12 Jul 2010 11:11:26 +0100
To: freebsd-ipfw@freebsd.org
Subject: please help with NATing my jails
Message-ID: <4C3AEA4E.50005@gmail.com>

Hello.

Does anybody have a working configuration with ipfw NATed jails on a loopback interface? It simply doesn't work on my system. I can not get any connections to the outside world from within a jail.

FreeBSD 8.0-p3 amd64 laptop connected to the internet via wlan0 (ath0) with the 192.168.1.111 address obtained with DHCP. Jail with IP 127.127.127.1 aliased on lo0.

Host system configuration:

/etc/rc.conf
  ifconfig_wlan0="WPA DHCP"
  ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
  gateway_enable="YES"
  firewall_enable="YES"
  firewall_script="/etc/ipfw.rules"
  firewall_nat_enable="YES"
  firewall_nat_interface="wlan0"

/etc/resolve.conf
  nameserver 208.67.222.222
  nameserver 208.67.220.220

/etc/ipfw.conf
  ipfw -q -f flush
  ipfw add 10 allow all from 127.0.0.1 to 127.0.0.1 via lo0
  ipfw add 20 check-state
  ipfw add 30 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
  ipfw nat 100 config ip 192.168.1.111 log
  ipfw add 40 allow all from any to any

Jailed system configuration:

/etc/rc.conf
  network_interfaces=""

/etc/resolve.conf
  nameserver 208.67.222.222
  nameserver 208.67.220.220

Now I'm doing ssh into the jailed system (127.127.127.1). Then on the jail system I'm trying to do, for example:

  host freebsd.org
  ;; connection timed out; no servers could be reached

After that on the host system I can get some more information:

  ipfw -d show
  00010    0      0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
  00020    0      0 check-state
  00030    4    204 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
  00040  204  26764 allow ip from any to any
  65535    0      0 deny ip from any to any
  ## Dynamic rules (2):
  00030    1     51 (5s) STATE udp 127.127.127.1 19333 <-> 208.67.220.220 53
  00030    1     51 (4s) STATE udp 127.127.127.1 37497 <-> 208.67.222.222 53

  ipfw nat show
  nat 100: icmp=0, udp=4, tcp=0, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=4

So no packets got blocked, but still it doesn't work properly. I'm struggling with this for a couple of weeks now and I'm afraid I've just run out of ideas, so any help would be very appreciated. The same jail works fine with pf, so I believe it's a problem with my ipfw rules.

Michael
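An added example, not part of Michael's message or his configuration: the ipfw layout in which nat instance 100 is applied to wlan0 traffic in both directions, so replies arriving for the host's address are translated back to the jail (the ruleset above only passes outbound packets from 127.127.127.1 through nat). The addresses are the ones from the message; the generator functions and the use of "nat config if wlan0" instead of a fixed address are my assumptions.

```shell
#!/bin/sh
# Added example (not the poster's configuration). The ruleset is emitted as
# text so it can be reviewed before it is applied with:  ipfw_rules | sh
# Values from the message; jail/interface names are assumptions.
JAIL_IP=127.127.127.1
EXT_IF=wlan0

ipfw_rules() {
    cat <<EOF
ipfw -q -f flush
# host <-> jail traffic on the loopback alias never leaves the machine
ipfw add 10 allow ip from any to any via lo0
# "if ${EXT_IF}" tracks the DHCP-assigned address instead of a fixed "ip"
ipfw nat 100 config if ${EXT_IF} log
# inbound on ${EXT_IF}: translate replies for the host address back to ${JAIL_IP}
ipfw add 20 nat 100 ip from any to any in via ${EXT_IF}
# outbound on ${EXT_IF}: translate packets sourced by the jail
ipfw add 30 nat 100 ip from ${JAIL_IP} to any out via ${EXT_IF}
# stateless allow is enough to confirm nat works; tighten it afterwards
ipfw add 40 allow ip from any to any
EOF
}

# count_nat_directions: number of nat rules bound to the external interface;
# a working setup needs one per direction (inbound and outbound)
count_nat_directions() {
    ipfw_rules | grep -c "^ipfw add [0-9]* nat 100 .* via ${EXT_IF}\$"
}
```

After applying, "ipfw nat show" should count both the outgoing queries and the returning replies, rather than only the 4 outbound packets seen in the message.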