Date: Thu, 5 Aug 2010 16:12:43 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Michael
Cc: freebsd-jail@freebsd.org
Subject: Re: trouble getting Jail with IPFW+NAT to work
In-Reply-To: <4C59D871.1010506@gmail.com>
Message-ID: <20100805144424.P34284@sola.nimnet.asn.au>
References: <20100801021347.O34284@sola.nimnet.asn.au> <4C59D871.1010506@gmail.com>

On Wed, 4 Aug 2010, Michael wrote:
> On 31/07/2010 17:44, Ian Smith wrote:
> > On Sat, 31 Jul 2010, Rick van der Zwet wrote:
> >
> > But mainly, you have no nat rule for the response packets coming in on
> > the outside interface, which is where they need to get mapped back to
> > the internal address/es. Generally better to not use 'via' but be more
> > specific (ie clear) about direction on nat rules:
> >
> > ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> > ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
> >
> > $outside_addr can be 'any', if you're not routing other addresses.
>
> I have run into some troubles using above rules. At first it looks all good
> (to me) and works fine. Here are my rules:
>
> $cmd_nat nat 1 config reset if $if_ext log same_ports
> $cmd_nat 10 add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
> $cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext
>
> The problem is that rule 20 can not distinguish between replies to jail and
> replies to localhost. In other words it catches answers both to host system
> and to jailed system.
>
> I can tell that after checking counters on rule 20. They go up even when I
> run "host freebsd.org" on localhost (host environment for jails).
>
> Note that this problem doesn't apply to rule 10 because of "jail" match
> pattern. Unfortunately this rule option doesn't work for incoming packets,
> i.e. this rule is not working:
>
> $cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext jail $jail_jid
>
> What am I missing? How can ipfw distinguish between incoming packets for
> jailed system (in which case they should be NATed) and incoming packets for
> host system (in which case they shouldn't be NATed)?

First checking your assumptions: you want the jail, ie packets from
$jail_ip, to be able to communicate to the outside only on UDP, and only
to address $dns? (or dns="$address 53")?

If you pass incoming packets to NAT that match with its table of source
address/port, destination address/port and protocol, established when an
outgoing packet was mapped from an inside to the outside address, then
they will be mapped back to the original address/port. Otherwise, they
will be unaffected and so delivered to the address specified (here, to
the current address of $if_ext).

It should be clear that rule 20 can't distinguish on $jail_jid _before_
the NAT translation; at this stage all packets are addressed to $extIP
and nothing else is known, so it's not "doesn't work" but "couldn't".
You need another rule _after_ doing inbound NAT to allow/deny/whatever
packets that are NOW from $dns destined for $jail_ip (plus $jail_jid if
you like, but that's implied by $jail_ip anyway).

Basically, using NAT you have to pass all inbound ip4 packets received on
your external interface to NAT (unless you're receiving packets for more
than one external IP); only after NAT can you distinguish packets then
destined for different addresses. Only on packets going out from your
external address can you restrict NATing to only certain flows.

HTH, Ian

PS if it gets more complicated, maybe freebsd-ipfw is the better list?
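As an added example that is not part of the thread, here is the ruleset laid out the way Ian describes: all inbound UDP from $dns is passed to NAT first, and only a rule placed after it can match on the jail's address. The variable names follow Michael's rules; the placeholder addresses, the dry-run default and the one_pass remark are assumptions of this example, not something from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a ruleset laid out the way Ian describes.
# Inbound replies can only be told apart by jail AFTER NAT has rewritten the
# destination, so rule 20 NATs every UDP reply from $dns and rule 30 matches
# on the post-NAT destination $jail_ip. Addresses below are constructed
# placeholders. IPFW unset = dry run (prints the commands); set
# IPFW="/sbin/ipfw -q" to load them on a FreeBSD host.
if_ext="re0"            # external interface (placeholder)
jail_ip="10.0.0.2"      # jail's inside address (placeholder)
dns="192.0.2.53"        # resolver the jail may reach (placeholder, TEST-NET-2)
jail_jid="1"            # jail id (placeholder)
fwcmd="${IPFW:-echo ipfw -q}"

load_rules() {
    # NAT instance bound to the external interface, as in Michael's config.
    $fwcmd nat 1 config reset if "$if_ext" log same_ports

    # Outbound: only the jail's UDP to $dns enters NAT. 'jail' is usable here
    # because an outgoing packet still carries its originating jail.
    $fwcmd add 10 nat 1 udp from "$jail_ip" to "$dns" out xmit "$if_ext" jail "$jail_jid"

    # Inbound: every reply from $dns on $if_ext goes through NAT. Replies to
    # flows the host opened itself are not in the NAT table and come out
    # unchanged; the jail's are rewritten back to $jail_ip. Note: this needs
    # sysctl net.inet.ip.fw.one_pass=0, otherwise the packet is accepted
    # right here and rules 30/40 never see it.
    $fwcmd add 20 nat 1 udp from "$dns" to me in recv "$if_ext"

    # Post-NAT: the destination now identifies the jail, so this is the rule
    # whose counters show jail-bound replies (and where you could deny them).
    $fwcmd add 30 allow udp from "$dns" to "$jail_ip" in recv "$if_ext"

    # Host-bound replies still carry the external address.
    $fwcmd add 40 allow udp from "$dns" to me in recv "$if_ext"
}

load_rules
```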