Date:      Sun, 23 May 2004 19:49:08 +0800
From:      Khairil Yusof <kaeru@pd.jaring.my>
To:        freebsd-questions@freebsd.org
Subject:   internet access from jail with nat
Message-ID:  <1085312947.44118.23.camel@wolverine>


My host machine acts as a gateway and has a simple firewall setup with
ipfw and natd. There are no problems with other computers on the local
network or the host machine in accessing the internet with this setup.

However, I'm having problems getting jails on the host PC to access
the internet. Jails can access the host PC and vice versa, but not
external IP addresses from within a jail.

My host PC has IP 192.168.1.1 and the aliases 10.1.1.1 and 10.1.1.2
(the jail IP).

What am I missing to allow jails to access the internet via ipfw/nat?
Any help would be much appreciated.

More settings below:

natd flags are: -dynamic yes -s -p -n tun0

my ipfw setup:

#firewall command
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

#Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny  tcp from me to any out via lo0
$fwcmd add allow ip  from me to any out via lo0 keep-state

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny  tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state

# Allow all local connections
$fwcmd add allow tcp from any to any via fxp0 setup keep-state
$fwcmd add allow ip from any to any via fxp0 keep-state

#Allow IP fragments through
$fwcmd add pass all from any to any frag

# Allow ICMP (for ping and traceroute to work).
$fwcmd add allow icmp from any to any

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Deny all the rest.
$fwcmd add deny log ip from any to any

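An added example, not part of the post: a simplified Python model of how ipfw walks the ruleset above for one outbound TCP connection, comparing a connection from the host itself, from a LAN client behind fxp0, and from the jail. It models TCP only, treats the divert rule as natd rewriting the source address before the remaining rules see the packet, lets keep-state record the addresses the matching rule saw, evaluates each interface pass of a forwarded packet separately (a pass is src, dst, iface, direction, setup), and uses placeholder addresses for tun0, the LAN client and the remote host.

```python
# Constructed addresses: 192.168.1.1, 10.1.1.1 and the jail's 10.1.1.2 come from the post;
# the tun0 address, the LAN client and the remote host are placeholders.
TUN0, LAN_CLIENT, JAIL, REMOTE = "203.0.113.5", "192.168.1.50", "10.1.1.2", "198.51.100.7"
ME = {"192.168.1.1", "10.1.1.1", JAIL, TUN0}   # every address ipfw's 'me' matches on the host

# The post's rules, TCP only, in order: (action, src, direction, iface, setup, keep-state).
# setup=True is ipfw 'setup' (SYN only), setup=False is 'established' (ACK or RST set).
RULES = [("divert", "any", None, "tun0", None, False), ("check-state", None, None, None, None, False),
         ("deny", "any", None, None, False, False),
         ("allow", "me", "out", "lo0", True, True), ("deny", "me", "out", "lo0", None, False),
         ("allow", "me", "out", "lo0", None, True),
         ("allow", "me", "out", None, True, True), ("deny", "me", None, None, None, False),
         ("allow", "me", "out", None, None, True),
         ("allow", "any", None, "fxp0", True, True), ("allow", "any", None, "fxp0", None, True),
         ("deny", "any", None, None, None, False)]
class Pkt:
    def __init__(self, src, dst, iface, direction, setup):
        self.src, self.dst, self.iface, self.direction, self.setup = src, dst, iface, direction, setup

class Firewall:
    def __init__(self):
        self.state = set()   # dynamic rules: frozenset({a, b}) with the addresses keep-state saw
        self.nat = {}        # natd table: remote address -> original local source
    def filter(self, p):
        """First-match walk; the divert rule rewrites p in place and evaluation continues."""
        for action, src, direction, iface, setup, keep in RULES:
            if action == "check-state":
                if frozenset((p.src, p.dst)) in self.state:
                    return "allow"
                continue
            if (src == "me" and p.src not in ME) or (direction and direction != p.direction) \
                    or (iface and iface != p.iface) or (setup is not None and setup != p.setup):
                continue
            if action == "divert":   # natd -n tun0: alias outbound sources, undo it inbound
                if p.direction == "out" and p.src != TUN0:
                    self.nat[p.dst], p.src = p.src, TUN0
                elif p.direction == "in" and p.dst == TUN0 and p.src in self.nat:
                    p.dst = self.nat[p.src]
                continue
            if keep:
                self.state.add(frozenset((p.src, p.dst)))
            return action

def flow_allowed(passes):
    """SYN out, then SYN/ACK back, through a fresh firewall; True only if every pass is allowed."""
    fw = Firewall()
    return all(fw.filter(Pkt(*p)) == "allow" for p in passes)

HOST_FLOW = [(TUN0, REMOTE, "tun0", "out", True), (REMOTE, TUN0, "tun0", "in", False)]
LAN_FLOW = [(LAN_CLIENT, REMOTE, "fxp0", "in", True), (LAN_CLIENT, REMOTE, "tun0", "out", True),
            (REMOTE, TUN0, "tun0", "in", False), (REMOTE, LAN_CLIENT, "fxp0", "out", False)]
JAIL_FLOW = [(JAIL, REMOTE, "tun0", "out", True), (REMOTE, TUN0, "tun0", "in", False)]
```

Under this model the jail's reply has its pre-NAT destination restored before check-state runs, so no dynamic rule matches and the established deny fires, whereas the LAN client's fxp0 pass had already created matching state.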
