From owner-freebsd-jail@FreeBSD.ORG Mon Jul 26 11:07:04 2010
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 26 Jul 2010 11:07:04 GMT
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/147162  jail   [jail] [panic] Page Fault / Kernel panic when jail sta
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail   [jail] w(1) incorrectly handles stale utmp slots with

7 problems total.

From owner-freebsd-jail@FreeBSD.ORG Thu Jul 29 03:03:14 2010
From: mdodd@FreeBSD.org
To: mdodd@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Date: Thu, 29 Jul 2010 03:03:14 GMT
Subject: Re: conf/149050: rcorder ``nojail'' too coarse for Jail+VNET

Synopsis: rcorder ``nojail'' too coarse for Jail+VNET

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: mdodd
Responsible-Changed-When: Thu Jul 29 03:01:17 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=149050

From owner-freebsd-jail@FreeBSD.ORG Thu Jul 29 17:27:18 2010
From: "Luiz Gustavo S. Costa"
To: freebsd-current@freebsd.org, freebsd-jail@freebsd.org
Date: Thu, 29 Jul 2010 16:55:56 +0000
Subject: Playing with Vnet in Jail on FreeBSD

I just published in my recent blog (this is the first post) about the use
of Vnet Jail in FreeBSD. Have a look and let me know what you think.

http://world-unix.com/blog/2010/07/29/playing-with-vnet-in-jail-on-freebsd/

Thank you.
--
Luiz Gustavo Costa (Powered by BSD)
mundoUnix - Free Software Consulting
http://www.mundounix.com.br
ICQ: 2890831 / MSN: contato@mundounix.com.br
Tel: 55 (41) 9844-3701
Blog: http://www.luizgustavo.pro.br

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 31 12:32:31 2010
From: Rick van der Zwet
To: freebsd-jail@freebsd.org
Date: Sat, 31 Jul 2010 14:02:46 +0200
Subject: trouble getting Jail with IPFW+NAT to work

I like to run Jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)] and the
Jails should be enabled for access to the outside world using NAT as I have
only one external IP address. The jails are connected to IPs configured on
the lo1 interface.

ICMP packets seem to flow out and in, looking at my tcpdump, but they never
get received by my Jail. A natd setup does not work either. If I use the pf
firewall, however, it works like a charm.

Is this setup not supported by IPFW+NAT or am I doing something wrong?

/Rick

I test my connection using:

# ping -c 1 8.8.8.8 >/dev/null ; echo $?
0
# jls | grep 13
    13  10.0.0.2        wleiden.vanderzwet.net          /usr/jail/wleiden
# jexec 13 ping -c 1 10.0.0.1 > /dev/null ; echo $?
0
# jexec 13 ping 8.8.8.8
^C
--- 8.8.8.8 ping statistics ---
15 packets transmitted, 0 packets received, 100.0% packet loss

Tcpdump when looking at the last ping:
# tcpdump -i re0 ip proto 1
11:04:33.176393 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id 43582, seq 313, length 64
11:04:33.183051 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id 43582, seq 313, length 64
11:04:34.186391 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id 43582, seq 314, length 64
11:04:34.192663 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id 43582, seq 314, length 64

= /etc/rc.conf relevant snippets =
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/rc.firewall.local"

cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"

gateway_enable="YES"

jail_enable="YES"
jail_wleiden_rootdir="/usr/jail/wleiden"
jail_wleiden_hostname="wleiden.vanderzwet.net"
jail_wleiden_ip="10.0.0.2"
jail_wleiden_devfs_enable="YES"
jail_wleiden_devfs_ruleset="devfsrules_jail"

= relevant sysctl entries =
net.inet.ip.forwarding: 1
security.jail.allow_raw_sockets: 1
net.inet.ip.fw.enable: 1

= /etc/sysctl.conf =
security.jail.allow_raw_sockets=1

= Loaded modules =
%kldstat
Id Refs Address            Size     Name
 1   17 0xffffffff80100000 d188c0   kernel
 2    1 0xffffffff80e19000 20ab0    geom_mirror.ko
 4    1 0xffffffff8102d000 7f2      accf_http.ko
 5    1 0xffffffff8102e000 1ea      accf_data.ko
 6    1 0xffffffff8102f000 1f3e     nullfs.ko
 8    3 0xffffffff81022000 a1d1     ipfw.ko
 9    1 0xffffffff81031000 14d5     ipfw_nat.ko
10    1 0xffffffff81033000 b39a     libalias.ko
11    1 0xffffffff8103f000 163f     ipdivert.ko

= /etc/rc.firewall.local =
#!/bin/sh -
fwcmd="/sbin/ipfw"

############
# Flush out the list before we begin.
${fwcmd} -f flush

${fwcmd} add 100 pass all from any to any via lo0

# Also tested using the lines below
# natd -interface re0 -verbose | tee -i /tmp/natd.log &
# ${fwcmd} add divert natd all from 10.0.0.0/24 to any via re0
${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0
${fwcmd} nat 200 config if re0

${fwcmd} add 65001 allow all from any to any

== pf setup ==

= Loaded modules =
%kldstat
Id Refs Address            Size     Name
 1   11 0xffffffff80100000 d188c0   kernel
 2    1 0xffffffff80e19000 20ab0    geom_mirror.ko
 4    1 0xffffffff8102d000 7f2      accf_http.ko
 5    1 0xffffffff8102e000 1ea      accf_data.ko
 6    1 0xffffffff8102f000 1f3e     nullfs.ko
11    1 0xffffffff81031000 2bbc1    pf.ko

= /etc/pf.conf =
nat on re0 from lo1:network to any -> (re0)

## FILTER RULES
pass in log all keep state
pass out log all keep state

= /etc/rc.conf =
pf_enable="YES"

... [snip: interface/route setup same as above]
... [snip: jail setup same as above]

= Output test =
jexec 13 ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=6.490 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=6.836 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=6.252 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.252/6.526/6.836/0.240 ms

--
http://rickvanderzwet.nl
From owner-freebsd-jail@FreeBSD.ORG Sat Jul 31 14:30:34 2010
From: Alexander Petrovsky
To: Rick van der Zwet
Cc: freebsd-jail@freebsd.org
Date: Sat, 31 Jul 2010 22:06:48 +0800
Subject: Re: trouble getting Jail with IPFW+NAT to work

Show ifconfig plz!
Show netstat -arn!

2010/7/31 Rick van der Zwet
> I like to run Jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)]
> and the Jails should be enabled for access to the outside world using
> NAT as I have only one external IP address. The jails are connected to
> IPs configured on the lo1 interface.
>
> ICMP packets seem to flow out and in, looking at my tcpdump, but they
> never get received by my Jail. A natd setup does not work either. If I
> use the pf firewall, however, it works like a charm.
>
> Is this setup not supported by IPFW+NAT or am I doing something wrong?
>
> /Rick
>
> [...]

--
Петровский Александр / Alexander Petrovsky,
ICQ: 350342118
Jabber: juise@jabber.ru
Phone: +7 914 8 820 815

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 31 15:19:49 2010
From: Rick van der Zwet
To: Alexander Petrovsky
Cc: freebsd-jail@freebsd.org
Date: Sat, 31 Jul 2010 17:19:47 +0200
Subject: Re: trouble getting Jail with IPFW+NAT to work

On 31 July 2010 16:06, Alexander Petrovsky wrote:
> Show ifconfig plz!
> Show netstat -arn!

%ifconfig -a
re0: flags=8843 metric 0 mtu 1500
        options=389b
        ether 40:61:86:e9:d3:12
        inet 78.46.85.230 netmask 0xffffffe0 broadcast 78.46.85.255
        inet6 fe80::4261:86ff:fee9:d312%re0 prefixlen 64 scopeid 0x1
        inet6 2a01:4f8:120:13a3::2 prefixlen 59
        inet 78.46.112.168 netmask 0xfffffff0 broadcast 78.46.112.175
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.2 netmask 0xffffffff
        inet 127.0.0.3 netmask 0xffffffff
lo1: flags=8049 metric 0 mtu 16384
        options=3
        inet 10.0.0.1 netmask 0xffffff00
        inet 10.0.0.2 netmask 0xffffff00

%netstat -am
257/3328/3585 mbufs in use (current/cache/total)
256/2318/2574/25600 mbuf clusters in use (current/cache/total/max)
256/1792 mbuf+clusters out of packet secondary zone in use (current/cache)
0/263/263/12800 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/6400 9k jumbo clusters in use (current/cache/total/max)
0/0/0/3200 16k jumbo clusters in use (current/cache/total/max)
576K/6520K/7096K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0/0/0 sfbufs in use (current/peak/max)
0 requests for sfbufs denied
0 requests for sfbufs delayed
139 requests for I/O initiated by sendfile
0 calls to protocol drain routines

/Rick
--
http://rickvanderzwet.nl
by qwk3 with SMTP id 3so851589qwk.13 for ; Sat, 31 Jul 2010 09:45:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=gp3TSNiphKnPO+Qr5tVZrgH/APR0jIXnRhcWhlX/SVw=; b=n03qZ+ZEaRyXy1KMqFuxt9JHaElCzi+DA976UP2lbZZV9oCeQhCD36f2rZiq1de7gr M2sUHKbKvRJxUxwl+S1t7SDjic72oSILc/nBkJxgUGlWh85wE+iirzXNBnzM9iFx1KIE s62/kBS5y/uN5tdQ5jq3gJO68u5Rhewj0yU6s= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=euwllkISW6XmbTrQlX+9Edabib4lRJwk9lvtDE2pc0BsfkzP0gZ+m/oK1QIqz281P8 jtgGp2ix4dCGKthLxtWqGeYtAD/9YnUfVUQHrq/cJGt2NaLcW2QVSeo+OVAyq8fgoJ8k 9axuiEsEdrqFWEgGX1ZDzkEIOmibuRcPp4dL0= MIME-Version: 1.0 Received: by 10.220.168.10 with SMTP id s10mr2344546vcy.50.1280594700968; Sat, 31 Jul 2010 09:45:00 -0700 (PDT) Received: by 10.220.190.5 with HTTP; Sat, 31 Jul 2010 09:45:00 -0700 (PDT) In-Reply-To: References: Date: Sun, 1 Aug 2010 00:45:00 +0800 Message-ID: From: Alexander Petrovsky To: Rick van der Zwet Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-jail@freebsd.org Subject: Re: trouble getting Jail with IPFW+NAT to work X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Jul 2010 16:45:02 -0000 This is too stupid rule: ${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0 ${fwcmd} nat 200 config if re0 Try like someting like this: ${fwcmd} add nat 1 all from 10.0.0.0/24 to any out recv lo1 xmit re0 ${fwcmd} add nat 1 all from any to 78.46.85.230 in recv re0 ${fwcmd} nat 1 config if re0 or this: ${fwcmd} add nat 1 all from 10.0.0.0/24 to any out via 
re0 ${fwcmd} add nat 1 all from any to 78.46.85.230 in via re0 ${fwcmd} nat 1 config if re0 2010/7/31 Rick van der Zwet > On 31 July 2010 16:06, Alexander Petrovsky wrote: > > Show ifconfig plz! > > Show netstat -arn! > > %ifconfig -a > re0: flags=3D8843 metric 0 mtu 15= 00 > > options=3D389b > ether 40:61:86:e9:d3:12 > inet 78.46.85.230 netmask 0xffffffe0 broadcast 78.46.85.255 > inet6 fe80::4261:86ff:fee9:d312%re0 prefixlen 64 scopeid 0x1 > inet6 2a01:4f8:120:13a3::2 prefixlen 59 > inet 78.46.112.168 netmask 0xfffffff0 broadcast 78.46.112.175 > media: Ethernet autoselect (100baseTX ) > status: active > lo0: flags=3D8049 metric 0 mtu 16384 > options=3D3 > inet 127.0.0.1 netmask 0xff000000 > inet6 ::1 prefixlen 128 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 > inet 127.0.0.2 netmask 0xffffffff > inet 127.0.0.3 netmask 0xffffffff > lo1: flags=3D8049 metric 0 mtu 16384 > options=3D3 > inet 10.0.0.1 netmask 0xffffff00 > inet 10.0.0.2 netmask 0xffffff00 > %netstat -am > 257/3328/3585 mbufs in use (current/cache/total) > 256/2318/2574/25600 mbuf clusters in use (current/cache/total/max) > 256/1792 mbuf+clusters out of packet secondary zone in use (current/cache= ) > 0/263/263/12800 4k (page size) jumbo clusters in use > (current/cache/total/max) > 0/0/0/6400 9k jumbo clusters in use (current/cache/total/max) > 0/0/0/3200 16k jumbo clusters in use (current/cache/total/max) > 576K/6520K/7096K bytes allocated to network (current/cache/total) > 0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters) > 0/0/0 requests for jumbo clusters denied (4k/9k/16k) > 0/0/0 sfbufs in use (current/peak/max) > 0 requests for sfbufs denied > 0 requests for sfbufs delayed > 139 requests for I/O initiated by sendfile > 0 calls to protocol drain routines > > /Rick > -- > http://rickvanderzwet.nl > --=20 =D0=9F=D0=B5=D1=82=D1=80=D0=BE=D0=B2=D1=81=D0=BA=D0=B8=D0=B9 =D0=90=D0=BB= =D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=80 / Alexander Petrovsky, ICQ: 350342118 Jabber: juise@jabber.ru 
Phone: +7 914 8 820 815 From owner-freebsd-jail@FreeBSD.ORG Sat Jul 31 17:01:23 2010 Return-Path: Delivered-To: freebsd-jail@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 62E89106566C for ; Sat, 31 Jul 2010 17:01:23 +0000 (UTC) (envelope-from smithi@nimnet.asn.au) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) by mx1.freebsd.org (Postfix) with ESMTP id A6D358FC17 for ; Sat, 31 Jul 2010 17:01:22 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id o6VGiHkp003494; Sun, 1 Aug 2010 02:44:17 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sun, 1 Aug 2010 02:44:17 +1000 (EST) From: Ian Smith To: Rick van der Zwet In-Reply-To: Message-ID: <20100801021347.O34284@sola.nimnet.asn.au> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-jail@freebsd.org Subject: Re: trouble getting Jail with IPFW+NAT to work X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 31 Jul 2010 17:01:23 -0000 On Sat, 31 Jul 2010, Rick van der Zwet wrote: > I like to run Jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)] > and the Jails should be enabled for access to the outside world using > NAT as I have only external IP address, The jails are connected to > ip's configured on the lo1 interfaces. > > ICMP packets seems to flow out and in looking at my tcpdump, but the > new got received by my Jail anymore. A natd setup does not work > either. if I use the pf firewall how-ever it works like a charm. > > Is this setup not supported by IPFW+NAT or am I doing something wrong? The latter. > /Rick > > I test my connection using: > # ping -c 1 8.8.8.8 >/dev/null ; echo $? 
> 0 > # jls | grep 13 > 13 10.0.0.2 wleiden.vanderzwet.net /usr/jail/wleiden > # jexec 13 ping -c 1 10.0.0.1 > /dev/null ; echo $? > 0 > # jexec 13 ping 8.8.8.8 > ^C > --- 8.8.8.8 ping statistics --- > 15 packets transmitted, 0 packets received, 100.0% packet loss > > Tcpdump when looking at the last ping: > # tcpdump -i re0 ip proto 1 > 11:04:33.176393 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id > 43582, seq 313, length 64 > 11:04:33.183051 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id > 43582, seq 313, length 64 > 11:04:34.186391 IP 78.46.85.230 > 8.8.8.8: ICMP echo request, id > 43582, seq 314, length 64 > 11:04:34.192663 IP 8.8.8.8 > 78.46.85.230: ICMP echo reply, id > 43582, seq 314, length 64 > > = /etc/rc.conf relevant snippets = > firewall_enable="YES" > firewall_nat_enable="YES" > firewall_script="/etc/rc.firewall.local" > > cloned_interfaces="lo1" > ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0" > ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0" > > gateway_enable="YES" > > jail_enable="YES" > jail_wleiden_rootdir="/usr/jail/wleiden" > jail_wleiden_hostname="wleiden.vanderzwet.net" > jail_wleiden_ip="10.0.0.2" > jail_wleiden_devfs_enable="YES" > jail_wleiden_devfs_ruleset="devfsrules_jail" > > = relevant sysctl entries = > net.inet.ip.forwarding: 1 > security.jail.allow_raw_sockets: 1 > net.inet.ip.fw.enable: 1 > > = /etc/sysctl.conf = > security.jail.allow_raw_sockets=1 > > = Loaded modules = > %kldstat > Id Refs Address Size Name > 1 17 0xffffffff80100000 d188c0 kernel > 2 1 0xffffffff80e19000 20ab0 geom_mirror.ko > 4 1 0xffffffff8102d000 7f2 accf_http.ko > 5 1 0xffffffff8102e000 1ea accf_data.ko > 6 1 0xffffffff8102f000 1f3e nullfs.ko > 8 3 0xffffffff81022000 a1d1 ipfw.ko > 9 1 0xffffffff81031000 14d5 ipfw_nat.ko > 10 1 0xffffffff81033000 b39a libalias.ko > 11 1 0xffffffff8103f000 163f ipdivert.ko I'll take all of your jail setup on faith, but .. 
> = /etc/rc.firewall.local = > #!/bin/sh - > fwcmd="/sbin/ipfw" > > ############ > # Flush out the list before we begin. > ${fwcmd} -f flush > > ${fwcmd} add 100 pass all from any to any via lo0 > > # Also tested using the lines below > # natd -interface re0 -verbose | tee -i /tmp/natd.log & > # ${fwcmd} add divert natd all from 10.0.0.0/24 to any via re0 > ${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0 > ${fwcmd} nat 200 config if re0 > > ${fwcmd} add 65001 allow all from any to any .. here you're only doing NAT on the way out, ie packets from 10.x are only 'via re0' on the way out - they have no receive interface on the way in, being from the local host, see ipfw(8). But mainly, you have no nat rule for the response packets coming in on the outside interface, which is where they need to get mapped back to the internal address/es. Generally better to not use 'via' but be more specific (ie clear) about direction on nat rules: ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0 ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0 $outside_addr can be 'any', if you're not routing other addresses. Perhaps also specify ip4 rather than all, if that's what's implied. Certainly passing ip6 packets to natd is bad news (panics, currently) cheers, Ian > == pf setup == > > = Loaded modules = > %kldstat > Id Refs Address Size Name > 1 11 0xffffffff80100000 d188c0 kernel > 2 1 0xffffffff80e19000 20ab0 geom_mirror.ko > 4 1 0xffffffff8102d000 7f2 accf_http.ko > 5 1 0xffffffff8102e000 1ea accf_data.ko > 6 1 0xffffffff8102f000 1f3e nullfs.ko > 11 1 0xffffffff81031000 2bbc1 pf.ko > > = /etc/pf.conf = > nat on re0 from lo1:network to any -> (re0) > > ## FILTER RULES > pass in log all keep state > pass out log all keep state > > = /etc/rc.conf = > pf_enable="YES" > > ... [snip: interface/route setup same as above] > ... 
[snip: jail setup same as above]
>
> = Output test =
> jexec 13 ping -c 3 8.8.8.8
> PING 8.8.8.8 (8.8.8.8): 56 data bytes
> 64 bytes from 8.8.8.8: icmp_seq=0 ttl=57 time=6.490 ms
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=6.836 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=57 time=6.252 ms
>
> --- 8.8.8.8 ping statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 6.252/6.526/6.836/0.240 ms
>
>
> --
> http://rickvanderzwet.nl

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 31 18:14:30 2010
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B75B3106566B
	for ; Sat, 31 Jul 2010 18:14:30 +0000 (UTC)
	(envelope-from rickvanderzwet@gmail.com)
Received: from mail-fx0-f54.google.com (mail-fx0-f54.google.com [209.85.161.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 49A6D8FC08
	for ; Sat, 31 Jul 2010 18:14:29 +0000 (UTC)
Received: by fxm13 with SMTP id 13so1393919fxm.13
	for ; Sat, 31 Jul 2010 11:14:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:sender:received
	:in-reply-to:references:date:x-google-sender-auth:message-id:subject
	:from:to:cc:content-type;
	bh=bKndb/KjkDhPxMCR8GG+IuEK8YASTgj19UoB3yO79I0=;
	b=L2ekxGaRJlxJl8rsmebXTIljyiXKkDvVZAHQ8Mu8GKevbY2X+XEp/7i4KK9EuYHKV6
	b12UemmG2CWOVZRT8nFfzJJkXSEFF+ESkQPJqNbXsvs5mdyrnWr9CyGzF30ewH26lud5
	eXnsfv/202byUeKGUJpAwbQIusd9VYTEhP95E=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:sender:in-reply-to:references:date
	:x-google-sender-auth:message-id:subject:from:to:cc:content-type;
	b=hE11cKU/q3KRNdUI3O6dyq5LtzqshI6R7UX2tYarKjowW7K0yG7HFW4b4yZxhQrwW7
	RYQt546NwnbhQy9EzLDRzv7w0aHwPdVYNWPNw2zBa7Bs23h14+8hCm26ej0GR6klXrfR
	4+Kvm7SsNQ7aFZqK1IFpKVg8V3SrqcWXy0Dok=
MIME-Version: 1.0
Received: by 10.223.112.10 with SMTP id u10mr3710307fap.50.1280600066909;
	Sat, 31 Jul 2010 11:14:26 -0700 (PDT)
Sender: rickvanderzwet@gmail.com
Received: by 10.223.26.27 with HTTP; Sat, 31 Jul 2010 11:14:26 -0700 (PDT)
In-Reply-To: <20100801021347.O34284@sola.nimnet.asn.au>
References: <20100801021347.O34284@sola.nimnet.asn.au>
Date: Sat, 31 Jul 2010 20:14:26 +0200
X-Google-Sender-Auth: Nq-ojEVVe0eKBjwUIwtjL4rncao
Message-ID:
From: Rick van der Zwet
To: Ian Smith
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-jail@freebsd.org
Subject: Re: trouble getting Jail with IPFW+NAT to work
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 31 Jul 2010 18:14:30 -0000

On 31 July 2010 18:44, Ian Smith wrote:
> On Sat, 31 Jul 2010, Rick van der Zwet wrote:
>
>  > I like to run Jails on this system [FreeBSD 8.0-RELEASE-p4 (amd64)]
>  > and the Jails should be enabled for access to the outside world using
>  > NAT as I have only external IP address. The jails are connected to
>  > ip's configured on the lo1 interfaces.
>  >
>  > ICMP packets seem to flow out and in looking at my tcpdump, but the
>  > new got received by my Jail anymore. A natd setup does not work
>  > either. If I use the pf firewall, however, it works like a charm.
>  >
>  > Is this setup not supported by IPFW+NAT or am I doing something wrong?
>
> The latter.
[snip: old test details]
>
>  > = /etc/rc.conf relevant snippets =
>  > firewall_enable="YES"
>  > firewall_nat_enable="YES"
>  > firewall_script="/etc/rc.firewall.local"
>  >
>  > cloned_interfaces="lo1"
>  > ifconfig_lo1="inet 10.0.0.1 netmask 255.255.255.0"
>  > ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"
>  >
>  > gateway_enable="YES"
>  >
>  > jail_enable="YES"
>  > jail_wleiden_rootdir="/usr/jail/wleiden"
>  > jail_wleiden_hostname="wleiden.vanderzwet.net"
>  > jail_wleiden_ip="10.0.0.2"
>  > jail_wleiden_devfs_enable="YES"
>  > jail_wleiden_devfs_ruleset="devfsrules_jail"

[snip: jail setup]

> I'll take all of your jail setup on faith, but ..
>
>  > = /etc/rc.firewall.local =
>  > #!/bin/sh -
>  > fwcmd="/sbin/ipfw"
>  >
>  > ############
>  > # Flush out the list before we begin.
>  > ${fwcmd} -f flush
>  >
>  > ${fwcmd} add 100 pass all from any to any via lo0
>  >
>  > # Also tested using the lines below
>  > # natd -interface re0 -verbose | tee -i /tmp/natd.log &
>  > # ${fwcmd} add divert natd all from 10.0.0.0/24 to any via re0
>  > ${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0
>  > ${fwcmd} nat 200 config if re0
>  >
>  > ${fwcmd} add 65001 allow all from any to any
>
> .. here you're only doing NAT on the way out, ie packets from 10.x are
> only 'via re0' on the way out - they have no receive interface on the
> way in, being from the local host, see ipfw(8).
>
> But mainly, you have no nat rule for the response packets coming in on
> the outside interface, which is where they need to get mapped back to
> the internal address/es.  Generally better to not use 'via' but be more
> specific (ie clear) about direction on nat rules:
>
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
>
> $outside_addr can be 'any', if you're not routing other addresses.

Both suggestions work like a charm.

> Perhaps also specify ip4 rather than all, if that's what's implied.
> Certainly passing ip6 packets to natd is bad news (panics, currently)

Hint taken and applied. Works okay now. Thanks!

/Rick
--
http://rickvanderzwet.nl

From owner-freebsd-jail@FreeBSD.ORG Sat Jul 31 18:18:26 2010
Return-Path:
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D02CA106567C
	for ; Sat, 31 Jul 2010 18:18:26 +0000 (UTC)
	(envelope-from rickvanderzwet@gmail.com)
Received: from mail-fx0-f54.google.com (mail-fx0-f54.google.com [209.85.161.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 5E58E8FC12
	for ; Sat, 31 Jul 2010 18:18:25 +0000 (UTC)
Received: by fxm13 with SMTP id 13so1394442fxm.13
	for ; Sat, 31 Jul 2010 11:18:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:sender:received
	:in-reply-to:references:date:x-google-sender-auth:message-id:subject
	:from:to:cc:content-type:content-transfer-encoding;
	bh=1zv5gzYOtb4fuGE2H5DsThT3OZWB4O3Q8iOKBk9VsuM=;
	b=xNUdwC9TMLk3TqKILvEzqkvdrhMuFWA50rUfZUxMrVNKEap0J7W8OduM9EBBQJF1/h
	6/Q5eGugwcw6C51jMrKUUHv8vO7QFd0ntPNuOGhiF75nLJYopNuVopzw7l5cLNXYUqpC
	t5b9ws++UeZ62Ayx1gCkmPOdxKLC3MNMXUsBk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:sender:in-reply-to:references:date
	:x-google-sender-auth:message-id:subject:from:to:cc:content-type
	:content-transfer-encoding;
	b=STwDyn/Ac/j8z4MomhKD+XqC7p+EtDMDZl4vIE3OlAyOAGGKAJGIFCTF9NnInBPmXv
	RwBrbGAjnFz9lyN2ndfY/KIQ2d/k+ZyB/bts0zRFHvlZ2tmlxBf8UafsxogcnU+Op+Xq
	pR92wW9Pgnz634ijd8Y6LadKFX/ntriFdilNY=
MIME-Version: 1.0
Received: by 10.223.121.133 with SMTP id h5mr3684025far.74.1280600304978;
	Sat, 31 Jul 2010 11:18:24 -0700 (PDT)
Sender: rickvanderzwet@gmail.com
Received: by 10.223.26.27 with HTTP; Sat, 31 Jul 2010 11:18:24 -0700 (PDT)
In-Reply-To:
References:
Date: Sat, 31 Jul 2010 20:18:24 +0200
X-Google-Sender-Auth: 4x9uASZwI_rfLQtG7QIig7L0L38
Message-ID:
From: Rick van der Zwet
To: Alexander Petrovsky
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-jail@freebsd.org
Subject: Re: trouble getting Jail with IPFW+NAT to work
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 31 Jul 2010 18:18:26 -0000

On 31 July 2010 18:45, Alexander Petrovsky wrote:
> This is too stupid rule:
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any via re0
> ${fwcmd} nat 200 config if re0
> Try something like this:
> ${fwcmd} add nat 1 all from 10.0.0.0/24 to any out recv lo1 xmit re0
> ${fwcmd} add nat 1 all from any to 78.46.85.230 in recv re0
> ${fwcmd} nat 1 config if re0

That's not working, no NAT gets 'applied'.

18:15:44.223649 IP 10.0.0.2 > 8.8.8.8: ICMP echo request, id 19034, seq 0, length 64
18:15:45.228834 IP 10.0.0.2 > 8.8.8.8: ICMP echo request, id 19034, seq 1, length 64
18:15:46.234813 IP 10.0.0.2 > 8.8.8.8: ICMP echo request, id 19034, seq 2, length 64
18:15:47.240807 IP 10.0.0.2 > 8.8.8.8: ICMP echo request, id 19034, seq 3, length 64

> or this:
> ${fwcmd} add nat 1 all from 10.0.0.0/24 to any out via re0
> ${fwcmd} add nat 1 all from any to 78.46.85.230 in via re0
> ${fwcmd} nat 1 config if re0

Cool, works like a charm. Thanks!

/Rick
--
http://rickvanderzwet.nl
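The two fixes in this thread (Ian's `out xmit re0` / `in recv re0` pair and Alexander's `out via re0` / `in via re0` pair) both come down to the same point: an ipfw nat rule matched with a bare `via` only fires for the outbound leg, so replies arriving on the outside interface are never translated back to the jail address. The script below is an added example, not a message from this thread and not a FreeBSD project file. It assembles Ian's form of the ruleset for a jail network on lo1 behind one outside address, restricts the nat rules to `ip4` as he suggests, and includes a small `check_nat_directions` function that flags a ruleset whose nat rules lack an `in` or `out` direction. The interface name, jail network and the `FWCMD` dry-run knob are assumptions, and the check only verifies that both directions are present, not that the interfaces named are the right ones.

```shell
#!/bin/sh
# Added example (not from the thread): directional ipfw NAT for jails on lo1
# behind a single outside address on re0, following Ian Smith's advice.
# Interface and address names below are assumptions; adjust for your host.
# Set FWCMD=echo to print the rules instead of loading them into the kernel.

OUTSIDE_IF="${OUTSIDE_IF:-re0}"        # external interface (assumed name)
JAIL_NET="${JAIL_NET:-10.0.0.0/24}"    # network the jail addresses live in
OUTSIDE_ADDR="${OUTSIDE_ADDR:-any}"    # 'any' is fine if nothing else is routed
FWCMD="${FWCMD:-/sbin/ipfw}"

# The original (broken) rule, kept for comparison: a single 'via' rule only
# translates on the way out; replies arriving on re0 are never mapped back.
broken_ruleset() {
    printf '%s\n' "add nat 200 all from ${JAIL_NET} to any via ${OUTSIDE_IF}"
}

# Corrected ruleset: an explicit direction on each nat rule, 'ip4' so IPv6
# is never handed to the translator, and a final allow that mirrors the
# original script's rule 65001 (tighten that for production use).
fixed_ruleset() {
    cat <<EOF
-f flush
add 100 pass all from any to any via lo0
nat 200 config if ${OUTSIDE_IF}
add nat 200 ip4 from ${JAIL_NET} to any out xmit ${OUTSIDE_IF}
add nat 200 ip4 from any to ${OUTSIDE_ADDR} in recv ${OUTSIDE_IF}
add 65001 allow all from any to any
EOF
}

# Sanity check on a ruleset read from stdin: every 'add nat N' instance must
# have both an 'out' and an 'in' rule, otherwise replies are never
# untranslated. Exit status 0 when all instances pass, 1 otherwise.
check_nat_directions() {
    awk '
        $1 == "add" && $2 == "nat" {
            id = $3
            seen[id] = 1
            if ($0 ~ / out /) out[id] = 1
            if ($0 ~ / in /)  in_[id] = 1
            if ($0 !~ / out / && $0 !~ / in /) via_only[id] = 1
        }
        END {
            bad = 0
            for (id in seen)
                if (!(out[id] && in_[id]) || via_only[id]) {
                    printf "nat %s: missing direction (need both out and in rules)\n", id
                    bad = 1
                }
            exit bad
        }'
}

# Load the corrected ruleset, one ipfw invocation per line.
load_ruleset() {
    fixed_ruleset | while IFS= read -r line; do
        # shellcheck disable=SC2086
        ${FWCMD} ${line}
    done
}

if [ "${1:-}" = "load" ]; then
    fixed_ruleset | check_nat_directions || exit 1
    load_ruleset
fi
```

Run it as `FWCMD=echo sh rc.firewall.local load` first to see the exact ipfw commands that would be issued; the pre-load check refuses to load a ruleset that repeats the one-direction mistake from the original script.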