From: Khairil Yusof
To: freebsd-questions@freebsd.org
Date: Sun, 23 May 2004 19:49:08 +0800
Subject: internet access from jail with nat
Message-Id: <1085312947.44118.23.camel@wolverine>

My host machine acts as a gateway and has a simple firewall setup with ipfw and natd. There are no problems with other computers on the local network or the host machine in accessing the internet with this setup.

However I'm having problems with getting jails on the host pc to access the internet. Jails can access the host pc and vice versa, but not external ip addresses from within a jail.

My host pc has ip 192.168.1.1 and aliased 10.1.1.1 as well as 10.1.1.2 (jail ip).

What am I missing to allow jails to access the internet via ipfw/nat? Any help would be much appreciated.
More settings below:

natd flags are:

-dynamic yes -s -p -n tun0

my ipfw setup:

# firewall command
fwcmd="/sbin/ipfw"

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Divert all packets through the tunnel interface.
$fwcmd add divert natd all from any to any via tun0

# Allow all connections that have dynamic rules built for them,
# but deny established connections that don't have a dynamic rule.
# See ipfw(8) for details.
$fwcmd add check-state
$fwcmd add deny tcp from any to any established

# Allow all localhost connections
$fwcmd add allow tcp from me to any out via lo0 setup keep-state
$fwcmd add deny tcp from me to any out via lo0
$fwcmd add allow ip from me to any out via lo0 keep-state

# Allow all connections from my network card that I initiate
$fwcmd add allow tcp from me to any out xmit any setup keep-state
$fwcmd add deny tcp from me to any
$fwcmd add allow ip from me to any out xmit any keep-state

# Allow all local connections
$fwcmd add allow tcp from any to any via fxp0 setup keep-state
$fwcmd add allow ip from any to any via fxp0 keep-state

# Allow IP fragments through
$fwcmd add pass all from any to any frag

# Allow ICMP (for ping and traceroute to work).
$fwcmd add allow icmp from any to any

# This sends a RESET to all ident packets.
$fwcmd add reset log tcp from any to me 113 in recv any

# Deny all the rest.
$fwcmd add deny log ip from any to any
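A small added check, written here as an example and not code from the post: it parses the ruleset above using ipfw's default rule numbering (autoincrement by 100) and lists which keep-state rules sit after the divert rule. Because ipfw matches in order and a packet that natd re-injects resumes at the rule following the divert, those rules see post-NAT addresses on packets leaving via tun0, which is the first thing to verify when tracing which address a jail alias such as 10.1.1.2 ends up keyed on in the dynamic rule table.

```python
"""Report ipfw rule ordering relative to the 'divert natd' rule."""

# Constructed copy of the posted rules, $fwcmd prefix removed.
POSTED_RULES = """
divert natd all from any to any via tun0
check-state
deny tcp from any to any established
allow tcp from me to any out via lo0 setup keep-state
deny tcp from me to any out via lo0
allow ip from me to any out via lo0 keep-state
allow tcp from me to any out xmit any setup keep-state
deny tcp from me to any
allow ip from me to any out xmit any keep-state
allow tcp from any to any via fxp0 setup keep-state
allow ip from any to any via fxp0 keep-state
pass all from any to any frag
allow icmp from any to any
reset log tcp from any to me 113 in recv any
deny log ip from any to any
"""

def parse_rules(text):
    """One dict per rule line, in evaluation order, numbered as ipfw
    numbers 'add' commands that carry no explicit rule number."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        words = line.split()
        rules.append({"num": 100 * (len(rules) + 1),
                      "action": words[0],
                      "keep_state": "keep-state" in words,
                      "text": line})
    return rules

def divert_rule_number(rules):
    """Number of the first divert rule, or None if the set has none."""
    return next((r["num"] for r in rules if r["action"] == "divert"), None)

def stateful_rules_after_nat(rules):
    """Keep-state rules evaluated after the divert: their dynamic state is
    created from the translated addresses on tun0 traffic."""
    nat = divert_rule_number(rules)
    return [r["num"] for r in rules
            if r["keep_state"] and nat is not None and r["num"] > nat]

if __name__ == "__main__":
    rs = parse_rules(POSTED_RULES)
    print("divert natd is rule", divert_rule_number(rs))
    print("keep-state rules evaluated post-NAT:", stateful_rules_after_nat(rs))
```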