From: Aiza
To: Michael
Cc: freebsd-questions@freebsd.org
Date: Mon, 19 Jul 2010 17:05:17 +0800
Subject: Re: ipfw nat and jails on loopback - is it possible?
Message-ID: <4C44154D.1060109@comclark.com>
In-Reply-To: <4C378D58.5010404@gmail.com>

Michael wrote:
> Hello.
>
> Does anybody have a working configuration with ipfw NATed jails on the
> loopback interface?
> It simply doesn't work on my system. I cannot get any connections to the
> outside world from within a jail.
>
> FreeBSD 8.0-p3 amd64 laptop connected to the internet via wlan0 (ath0) with
> the 192.168.1.111 address.
> Jail with IP 127.127.127.1 aliased on lo0.
>
> Host system configuration:
> /etc/rc.conf
> ifconfig_wlan0="WPA DHCP"
> ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_nat_enable="YES"
> firewall_nat_interface="wlan0"
> /etc/resolve.conf
> nameserver 208.67.222.222
> nameserver 208.67.220.220
> /etc/ipfw.conf
> ipfw -q -f flush
> ipfw add 00001 allow all from 127.0.0.1 to 127.0.0.1 via lo0
> ipfw add 00002 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
> ipfw nat 100 config ip 192.168.1.111
> ipfw add 00003 allow all from any to any
>
> Jailed system configuration:
> /etc/rc.conf
> network_interfaces=""
> /etc/resolve.conf
> nameserver 208.67.222.222
> nameserver 208.67.220.220
>
> Now I'm doing ssh into the jailed system (127.127.127.1). Then on the jail
> system I'm trying to do, for example:
>
> host freebsd.org
> ;; connection timed out; no servers could be reached
>
> And on the host system:
> ipfw -d show
> 00001 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> 00002 4 228 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
> 00003 182 24627 allow ip from any to any
> 65535 0 0 deny ip from any to any
> ## Dynamic rules (2):
> 00002 1 57 (1s) STATE udp 127.127.127.1 58340 <-> 208.67.222.222 53
> 00002 1 57 (2s) STATE udp 127.127.127.1 39870 <-> 208.67.220.220 53
>
> So no packets got blocked, but it still doesn't work properly. I've been trying
> to get it working for a couple of weeks now and I'm afraid I have just run out of
> ideas, so any help would be very appreciated.
>

You have to put your host's /etc/resolve.conf in each jail before you can get a network connection.
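The reply above boils down to "give the jail the host's resolver file". The following script is an added example, not code from the thread, that does that and then checks that every nameserver the host uses is visible inside the jail root; the file paths are parameters (on a real system they would be /etc/resolv.conf and the jail's root directory, which is an assumption here), so it can be exercised against scratch directories.

```shell
#!/bin/sh
# Added example: install the host resolver configuration into a jail root
# and verify the jail sees the same nameservers. Paths are arguments so the
# functions can be run against temporary directories.

# sync_jail_resolv HOST_RESOLV JAIL_ROOT
# Copies HOST_RESOLV to JAIL_ROOT/etc/resolv.conf with mode 0644.
sync_jail_resolv() {
    host_resolv=$1
    jail_root=$2
    [ -f "$host_resolv" ] || { echo "missing $host_resolv" >&2; return 1; }
    mkdir -p "$jail_root/etc" || return 1
    cp "$host_resolv" "$jail_root/etc/resolv.conf" || return 1
    chmod 0644 "$jail_root/etc/resolv.conf"
}

# jail_nameservers JAIL_ROOT
# Prints the nameserver addresses configured inside the jail, one per line.
# Returns 1 when the jail has no resolv.conf at all.
jail_nameservers() {
    f="$1/etc/resolv.conf"
    [ -f "$f" ] || return 1
    awk '$1 == "nameserver" { print $2 }' "$f"
}

# check_jail_resolv HOST_RESOLV JAIL_ROOT
# Returns 0 when every nameserver in HOST_RESOLV is also listed in the
# jail's resolv.conf; otherwise reports the missing ones and returns 1.
check_jail_resolv() {
    host_resolv=$1
    jail_root=$2
    jail_ns=$(jail_nameservers "$jail_root") || {
        echo "jail at $jail_root has no /etc/resolv.conf" >&2
        return 1
    }
    rc=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$host_resolv"); do
        echo "$jail_ns" | grep -qx "$ns" || {
            echo "jail lacks nameserver $ns" >&2
            rc=1
        }
    done
    return $rc
}
```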