From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 12 12:47:37 2010
Message-ID: <4C3B0ED7.9010807@ipv6canada.com>
Date: Mon, 12 Jul 2010 08:47:19 -0400
From: Steve Bertrand
To: Michael
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <4C3AEA4E.50005@gmail.com>
Subject: Re: please help with NATing my jails
List-Id: IPFW Technical Discussions

On 2010.07.12 06:11, Michael wrote:
> Hello.
>
> Does anybody have a working configuration with ipfw NATed jails on a
> loopback interface?
> It simply doesn't work on my system. I can not get any connections to
> the outside world from within a jail.
>
> FreeBSD 8.0-p3 amd64 laptop connected to the internet via wlan0 (ath0) with
> the 192.168.1.111 address obtained with DHCP.
> Jail with IP 127.127.127.1 aliased on lo0.
>
> Host system configuration:
>
> /etc/rc.conf
> ifconfig_wlan0="WPA DHCP"
> ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_nat_enable="YES"
> firewall_nat_interface="wlan0"
>
> /etc/resolve.conf
> nameserver 208.67.222.222
> nameserver 208.67.220.220
>
> /etc/ipfw.conf
> ipfw -q -f flush
> ipfw add 10 allow all from 127.0.0.1 to 127.0.0.1 via lo0
> ipfw add 20 check-state
> ipfw add 30 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state

...do you need a second nat rule for the inbound traffic, or does nat
handle that by itself?

If you run tcpdump on the wlan interface, do you see the inbound traffic
that relates to your request?

Steve
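As an added example for this thread (not Michael's script, Steve's reply, or FreeBSD's rc.firewall), here is a complete ipfw rule set that NATs a jail living on a lo0 alias out through a DHCP-addressed uplink, with the inbound half that the quoted rule 30 lacks. It assumes the jail address 127.127.127.1, the uplink wlan0, nat instance 100, and that the ipfw_nat module is loaded; the script prints the rules for review by default and loads them only when run with `apply` on the FreeBSD host.

```shell
#!/bin/sh
# Added example for this thread, not Michael's script or FreeBSD's rc.firewall.
# Builds an ipfw rule set that NATs a jail bound to a lo0 alias out through a
# DHCP-addressed uplink. The three values are assumptions taken from the thread.
JAIL_IP="${JAIL_IP:-127.127.127.1}"   # jail address aliased on lo0
EXT_IF="${EXT_IF:-wlan0}"             # uplink; its address comes from DHCP
NAT_ID="${NAT_ID:-100}"               # ipfw nat instance number

# Print the rule set in the one-command-per-line form ipfw(8) reads from a
# file, so it can be inspected before it is loaded.
jail_nat_rules() {
    cat <<EOF
nat ${NAT_ID} config if ${EXT_IF} reset same_ports
add 10 allow ip from any to any via lo0
add 20 nat ${NAT_ID} ip4 from ${JAIL_IP} to any out via ${EXT_IF}
add 30 nat ${NAT_ID} ip4 from any to any in via ${EXT_IF}
add 40 allow ip from any to any
EOF
}
# Why each line is there:
#  - "nat N config" must exist before a rule refers to instance N; a packet
#    that hits a "nat N" rule whose instance is unconfigured is dropped.
#    "if wlan0" makes libalias follow the DHCP address; "reset" flushes its
#    table when that address changes.
#  - rule 10 leaves host<->jail and jail<->jail traffic on lo0 untouched.
#  - rule 20 translates only what the jail sends out. Rule 30 hands every
#    inbound packet on the uplink to the same instance so replies addressed
#    to the host get rewritten back to the jail address: a "from <jail>"
#    match never sees the reply, whose source is the remote host.
#  - no check-state/keep-state: libalias keeps its own translation table, and
#    a dynamic rule keyed on the untranslated packet does not match the reply.
#  - rule 40 is a permissive catch-all; replace it with the real policy.

# Load the set on the FreeBSD host (needs the ipfw_nat module, which
# firewall_nat_enable="YES" loads). Flushes the existing rules first.
apply_jail_nat() {
    tmp=$(mktemp -t ipfw.XXXXXX) || return 1
    jail_nat_rules > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "${1:-show}" in
    apply) apply_jail_nat ;;
    *)     jail_nat_rules ;;
esac
```

After loading, `ipfw nat 100 show` lists the active translations, and tcpdump on wlan0 should show the replies arriving for the host address before rule 30 maps them back to the jail.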