From owner-freebsd-questions@FreeBSD.ORG Fri Jun 18 10:20:00 2010
From: David DEMELIER
To: freebsd-questions@freebsd.org
Date: Fri, 18 Jun 2010 12:19:58 +0200
Subject: Re: Problem filtering port between host and jail.
2010/6/17 David DEMELIER :
> Hi,
>
> Because I don't want to enable jail_sysvipc, I installed PostgreSQL on
> my host and it works fine. The problem is accessing a database within
> a jail.
> The jails are nat'ed and they can connect to the Internet. However
> trying psql -h 192.168.1.23 -U markand markanddb times out and says:
>
> psql: could not connect to server: Operation timed out
>         Is the server running on host "192.168.1.23" and accepting
>         TCP/IP connections on port 5432?
>
> my /etc/pf.conf is like :
>
> # General macros.
> ext_if="rl0"
> int_if="lo1"
> jails="10.0.0.0/24"
> host_ip = "192.168.1.23"
>
> # Nat for jails.
> nat on $ext_if from $jails to any -> $ext_if
>
> # Redirecting and accepting ports to jails.
> rdr pass inet proto tcp from any to port $ports_users -> $jail_users
> rdr pass inet proto tcp from any to port $ports_www -> $jail_www
>
> # Filtering ports.
> block log all
>
> # Filtering in.
> pass in on $ext_if proto tcp from any to port $ports
>
> # Filtering out.
> pass out all
>
> So I tried something like :
>
> pass out quick from $jails to host
>
> but it times out too. With tcpdump I can see these messages :
>
> 00:00:12.202519 rule 0/0(match): block out on lo1:
> markand.malikania.fr.postgresql > 10.0.0.30.33431: tcp 20 [bad hdr
> length 0 - too short, < 20]
>
> I don't understand what I'm doing wrong here; if anyone can solve
> this, it would be great!
>
> Kind regards.
>
> --
> Demelier David
>

Please ignore, I switched the jails to use the physical interface and now it works.

-- 
Demelier David
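For readers who want to keep the jails on the loopback alias interface rather than moving them to the physical NIC, the following pf.conf is an added example for this thread, not the poster's configuration or a rule set from the FreeBSD project. It takes the interface names, jail subnet and host address from the question as assumptions, leaves out the poster's rdr rules (their $ports_*/$jail_* macros are not shown), and replaces the blanket "pass out all" with a stateful rule that admits only jail-to-host traffic to port 5432 on the internal interface. Whether jail/host packets really appear on lo1 on a given kernel is also an assumption, taken from the poster's pflog output; confirm it with tcpdump on pflog0 before relying on the interface match.

```pf
# Added example for this thread, not the poster's pf.conf. All macro values
# (interfaces, jail subnet, host address, port) are assumptions taken from
# the question; adjust them for the real machine.
ext_if  = "rl0"
int_if  = "lo1"
jails   = "10.0.0.0/24"
host_ip = "192.168.1.23"
pg_port = "5432"

# lo0 carries host-local traffic only; leave it unfiltered.
set skip on lo0

# Jails reach the Internet through NAT on the external interface.
nat on $ext_if from $jails to any -> ($ext_if)

# Default deny, logged. `tcpdump -n -e -ttt -i pflog0` then shows the rule
# number, direction and interface of anything that is still blocked.
block log all

# Host-originated traffic on the external interface.
pass out on $ext_if inet from ($ext_if) to any keep state

# Jail -> host PostgreSQL, limited to the internal interface and to the
# database port instead of "pass out all". The state created here also
# matches the host -> jail replies leaving on lo1, which is the direction
# the poster's pflog line showed being dropped by rule 0 (block log all).
pass in quick on $int_if inet proto tcp from $jails to $host_ip port $pg_port \
    flags S/SA keep state

# Jail -> Internet: the packet enters on lo1 and leaves, translated, on rl0.
# Any other jail -> host traffic falls through to the block rule.
pass in on $int_if inet from $jails to ! $host_ip keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; if psql from the jail still times out, the pflog0 capture will name the rule number and interface that is blocking, which is the same diagnostic the poster used.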