From: David DEMELIER <demelier.david@gmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 17 Jun 2010 21:58:50 +0200
Subject: Problem filtering port between host and jail.
Hi,

Because I don't want to enable jail_sysvipc, I installed PostgreSQL on my host and it works fine. The problem is accessing a database from within a jail. The jails are NAT'ed and they can connect to the Internet. However, trying

    psql -h 192.168.1.23 -U markand markanddb

times out and says:

    psql: could not connect to server: Operation timed out
            Is the server running on host "192.168.1.23" and accepting
            TCP/IP connections on port 5432?

My /etc/pf.conf is like:

    # General macros.
    ext_if="rl0"
    int_if="lo1"
    jails="10.0.0.0/24"
    host_ip = "192.168.1.23"

    # Nat for jails.
    nat on $ext_if from $jails to any -> $ext_if

    # Redirecting and accepting ports to jails.
    rdr pass inet proto tcp from any to port $ports_users -> $jail_users
    rdr pass inet proto tcp from any to port $ports_www -> $jail_www

    # Filtering ports.
    block log all

    # Filtering in.
    pass in on $ext_if proto tcp from any to port $ports

    # Filtering out.
    pass out all

So I tried something like:

    pass out quick from $jails to host

but it times out too. With tcpdump I can see these messages:

    00:00:12.202519 rule 0/0(match): block out on lo1: markand.malikania.fr.postgresql > 10.0.0.30.33431: tcp 20 [bad hdr length 0 - too short, < 20]

I don't understand what I'm doing wrong here; if anyone can solve this, it would be great!

Kind regards.

-- 
Demelier David
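An added example, not taken from the post above or from the FreeBSD project: a pf.conf that keeps the poster's "block log all" default but explicitly passes the jail-to-host PostgreSQL connection on lo1. It assumes only what the post shows (jails in 10.0.0.0/24 on lo1, the host listening on 192.168.1.23:5432, rl0 as the external interface); the $ports list is a placeholder and the rdr rules are left out because their macros are not in the posted excerpt. Two things that pfctl -nf /etc/pf.conf will flag before anything is loaded: in the rule "pass out quick from $jails to host", the bare word host (no leading $) is parsed as a hostname to resolve, not as the host_ip macro; and every macro a rule references ($ports, $ports_users, $jail_users, $ports_www, $jail_www) has to be defined in the file, otherwise pfctl refuses the ruleset. The logged packet, "block out on lo1: ...postgresql > 10.0.0.30...", is the host's reply to the jail; a stateful pass rule matched by the jail's initial SYN creates a state that also passes that reply, so no separate rule for the return direction is needed.

```pf
# Added example, not the poster's file. Assumed layout: jails on lo1 in
# 10.0.0.0/24, PostgreSQL on the host at 192.168.1.23:5432, rl0 external.
ext_if  = "rl0"
int_if  = "lo1"
jails   = "10.0.0.0/24"
host_ip = "192.168.1.23"
pgsql   = "5432"
ports   = "{ 22 }"          # placeholder: the services exposed on rl0

# Loopback traffic on lo0 is not filtered at all.
set skip on lo0

# Nat for jails: source-NAT everything the jails send out through rl0.
nat on $ext_if from $jails to any -> ($ext_if)

# Default deny, logged to pflog0 so leftovers can be seen with tcpdump.
block log all

# Jail -> host PostgreSQL. No direction keyword, so the rule matches the
# packet whether pf sees it leaving or entering lo1; "keep state" makes
# the state table pass the host's replies back to the jail as well.
pass quick on $int_if inet proto tcp from $jails to $host_ip port $pgsql keep state

# Jail traffic heading for the Internet (already NAT'ed above).
pass out on $ext_if inet from $jails to any keep state

# Host-originated traffic and the services the host exposes on rl0.
pass out on $ext_if inet from ($ext_if) to any keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ports keep state
```

Check the syntax with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and then retry the psql command while watching tcpdump -n -e -ttt -i pflog0: any remaining "block ... on lo1" line names the interface, direction and addresses of whatever the ruleset still drops.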