From owner-freebsd-questions@freebsd.org Tue Feb 27 22:46:15 2018
Date: Tue, 27 Feb 2018 23:46:15 +0100
Subject: Re: UDP connections from NAT'ed jails
To: krad
CC: FreeBSD Questions, Kristof Provost
From: Peter Ludikovsky

Need? No. Just one more thing for me to get experience with, as I do want to run some jails later on that shouldn't be directly accessible, e.g. DB.

On 27 February 2018 12:30:54 CET, krad wrote:
>Just checking but do you need/want to run the jails in natted mode? I
>ask as it's a lot simpler to set up jails with vimage and a bridged
>interface.
>
>On 27 February 2018 at 09:07, Peter Ludikovsky wrote:
>
>> No, nothing at all. But truss gave me the right idea: somehow a
>> zero-width char got into resolv.conf, and the resolver defaulted to
>> 127.0.0.1, which won't work (yet).
>>
>> Thanks for your help!
>>
>> Regards
>> /peter
>>
>> On 27 February 2018 05:23:39 CET, Kristof Provost <kristof@sigsegv.be> wrote:
>> >On 26 Feb 2018, at 20:20, Peter Ludikovsky wrote:
>> >> With the adaptation on the VM:
>> >>
>> >> [peter@doctor ~]$ sudo service pf reload
>> >> Reloading pf rules.
>> >> [peter@doctor ~]$ cat /etc/pf.conf
>> >> IP_PUB="10.0.2.15"
>> >> IP_JAIL="192.168.5.2"
>> >> NET_JAIL="192.168.5.0/24"
>> >> scrub in all
>> >> #set skip on lo
>> >> nat pass on em0 from $NET_JAIL to any -> $IP_PUB
>> >> pass out keep state
>> >> [peter@doctor ~]$ sudo pfctl -sn
>> >> nat pass on em0 inet from 192.168.5.0/24 to any -> 10.0.2.15
>> >> [peter@doctor ~]$ host pkg.freebsd.org
>> >> pkg.freebsd.org is an alias for pkgmir.geo.freebsd.org.
>> >> pkgmir.geo.freebsd.org has address 149.20.1.201
>> >> pkgmir.geo.freebsd.org has IPv6 address 2001:4f8:1:11::50:1
>> >>
>> >> No change in the jail.
>> >>
>> >> tcpdump on the host shows resolution happening for the jail-host,
>> >> but nothing for the jail itself.
>> >>
>> >So you don’t see any UDP/DNS packets at all when the jail tries to
>> >resolve a hostname?
>> >That’s certainly odd.
>> >
>> >Does `truss host google.com` in the jail show anything interesting?
>> >
>> >Regards,
>> >Kristof
>> >_______________________________________________
>> >freebsd-questions@freebsd.org mailing list
>> >https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> >To unsubscribe, send any mail to
>> >"freebsd-questions-unsubscribe@freebsd.org"
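
A check for the failure described in this message (an invisible character in resolv.conf hiding the nameserver line so the resolver falls back to 127.0.0.1), as an added example that is not part of the original thread. The sample file content, the address 192.0.2.53 and the strict ASCII keyword match are assumptions that model the behaviour; this is not libc's parser.

```python
import re
import sys
import unicodedata

# Constructed sample: U+200B (zero width space) sits in front of "nameserver".
SAMPLE = "# jail resolver\n\u200bnameserver 192.0.2.53\n"
KEYWORDS = {"nameserver", "domain", "search", "sortlist", "options"}

def hidden_chars(line):
    """List (column, codepoint, name) for each char that is not printable ASCII or tab."""
    return [
        (col, "U+%04X" % ord(ch), unicodedata.name(ch, "UNNAMED"))
        for col, ch in enumerate(line, start=1)
        if ch != "\t" and not " " <= ch <= "~"
    ]

def audit(text):
    """Return one finding per config line with hidden characters or an unknown keyword."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = line.strip(" \t")
        if not body or body[0] in "#;":
            continue  # blank line or comment
        keyword = re.split(r"[ \t]+", body)[0]
        hidden = hidden_chars(line)
        if hidden or keyword not in KEYWORDS:
            findings.append({"line": lineno, "keyword": keyword, "hidden": hidden})
    return findings

def usable_nameservers(text):
    """Addresses on lines whose first token is exactly the ASCII word 'nameserver'."""
    servers = []
    for line in text.splitlines():
        tokens = re.split(r"[ \t]+", line.strip(" \t"))
        if len(tokens) >= 2 and tokens[0] == "nameserver":
            servers.append(tokens[1])
    return servers

if __name__ == "__main__":
    text = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for f in audit(text):
        print("line %d: keyword %r hidden=%s" % (f["line"], f["keyword"], f["hidden"]))
    # An empty list here matches the symptom in the thread: no nameserver is seen.
    print("usable nameservers:", usable_nameservers(text) or "none")
```

Run it with a path argument, for example the jail's /etc/resolv.conf, to audit a real file instead of the constructed sample.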