From owner-freebsd-questions@freebsd.org Mon Feb 26 12:26:17 2018
Date: Mon, 26 Feb 2018 13:26:09 +0100
From: Peter Ludikovsky <peter@ludikovsky.name>
To: freebsd-questions@freebsd.org
Subject: UDP connections from NAT'ed jails
Message-ID: <8B3177FE-1FE5-4455-8F3C-CB5CE664B8C1@ludikovsky.name>

Hi,

I'm experimenting with jails in preparation for moving my home server from Linux to FreeBSD. I'm doing this from within a VirtualBox VM, since it's easier to revert to a previous state in case I break something.

My biggest issue ATM is that my first jail can't resolve any host. TCP and ICMP packets pass without issue, but DNS requests time out. I checked with tcpdump on both the outside interface of the VM and of the host; neither shows any DNS requests. Both hosts use 9.9.9.10 as the DNS server in /etc/resolv.conf.

On the host:

[peter@doctor ~]$ ifconfig -a
em0: flags=8843 metric 0 mtu 1500
	options=9b
	ether 08:00:27:8f:47:bc
	hwaddr 08:00:27:8f:47:bc
	inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255
	nd6 options=29
	media: Ethernet autoselect (1000baseT )
	status: active
lo0: flags=8049 metric 0 mtu 16384
	options=600003
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21
	groups: lo
lo1: flags=8049 metric 0 mtu 16384
	options=600003
	inet 192.168.5.1 netmask 0xffffff00
	inet 192.168.5.3 netmask 0xffffffff
	inet 192.168.5.4 netmask 0xffffffff
	inet 192.168.5.5 netmask 0xffffffff
	nd6 options=29
	groups: lo

[peter@doctor ~]$ cat /usr/local/etc/ezjail/bind9
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#
export jail_bind9_hostname="bind9"
export jail_bind9_ip="192.168.5.3"
export jail_bind9_rootdir="/usr/jails/bind9"
export jail_bind9_exec_start="/bin/sh /etc/rc"
export jail_bind9_exec_stop=""
export jail_bind9_mount_enable="YES"
export jail_bind9_devfs_enable="YES"
export jail_bind9_devfs_ruleset="devfsrules_jail"
export jail_bind9_procfs_enable="YES"
export jail_bind9_fdescfs_enable="YES"
export jail_bind9_image=""
export jail_bind9_imagetype="zfs"
export jail_bind9_attachparams=""
export jail_bind9_attachblocking=""
export jail_bind9_forceblocking=""
export jail_bind9_zfs_datasets=""
export jail_bind9_cpuset=""
export jail_bind9_fib=""
export jail_bind9_parentzfs="data/jails"
export jail_bind9_parameters="allow.raw_sockets=1"
export jail_bind9_post_start_script=""
export jail_bind9_retention_policy=""

[peter@doctor ~]$ nc -z -w 1 pkg.freebsd.org 80; echo $?
Connection to pkg.freebsd.org 80 port [tcp/http] succeeded!
0
[peter@doctor ~]$ nc -z -w 1 149.20.1.201 80 ; echo $?
Connection to 149.20.1.201 80 port [tcp/http] succeeded!
0

[peter@doctor ~]$ cat /etc/pf.conf
IP_PUB="10.0.2.15"
IP_JAIL="192.168.5.2"
NET_JAIL="192.168.5.0/24"

scrub in all
set skip on lo
nat pass on em0 from $NET_JAIL to any -> $IP_PUB
pass out keep state

[peter@doctor ~]$ sudo pfctl -sn
nat pass on em0 inet from 192.168.5.0/24 to any -> 10.0.2.15

In the jail:

root@bind9:~ # ifconfig -a
em0: flags=8843 metric 0 mtu 1500
	options=9b
	ether 08:00:27:8f:47:bc
	hwaddr 08:00:27:8f:47:bc
	media: Ethernet autoselect (1000baseT )
	status: active
lo0: flags=8049 metric 0 mtu 16384
	options=600003
	groups: lo
lo1: flags=8049 metric 0 mtu 16384
	options=600003
	inet 192.168.5.3 netmask 0xffffffff
	groups: lo

root@bind9:~ # netstat -r
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
192.168.5.3        link#3             UH          lo1

root@bind9:~ # cat /etc/resolv.conf
server 10.1.9.253

root@bind9:~ # host pkg.freebsd.org
;; connection timed out; no servers could be reached

root@bind9:~ # nc -z -w 1 pkg.freebsd.org 80 ; echo $?
nc: getaddrinfo: hostname nor servname provided, or not known
1
root@bind9:~ # nc -z -w 1 149.20.1.201 80 ; echo $?
Connection to 149.20.1.201 80 port [tcp/http] succeeded!
0

root@bind9:~ # ping -c3 pkg.freebsd.org
ping: cannot resolve pkg.freebsd.org: Host name lookup failure

root@bind9:~ # ping -c3 149.20.1.201
PING 149.20.1.201 (149.20.1.201): 56 data bytes
64 bytes from 149.20.1.201: icmp_seq=0 ttl=63 time=165.686 ms
64 bytes from 149.20.1.201: icmp_seq=1 ttl=63 time=164.283 ms
64 bytes from 149.20.1.201: icmp_seq=2 ttl=63 time=165.578 ms

--- 149.20.1.201 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 164.283/165.182/165.686/0.637 ms

Anyone got a pointer on what's going wrong here?

Regards,
/peter
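Before debugging the NAT rule, a check worth running on the jail itself is the syntax of its resolver configuration. resolv.conf(5) recognises the keywords nameserver, domain, search, options and sortlist; a line with any other keyword is ignored, and when no nameserver entry remains the resolver queries the local host (127.0.0.1), so no DNS packet ever leaves the jail and nothing shows up on an outside interface. The POSIX sh script below is an added example and not part of the original post or of FreeBSD; it validates a resolv.conf file and runs against two constructed sample files, the first mirroring the "server" keyword shown in the jail's /etc/resolv.conf above. It assumes only mktemp and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): syntax check for a resolv.conf
# file. It reports lines whose keyword the resolver does not recognise and the
# absence of any 'nameserver' entry, the two cases in which queries never
# reach the server the administrator intended.
#
# check_resolv_conf FILE  ->  prints one diagnostic per problem, returns
#                             0 when the file is usable, 1 otherwise

check_resolv_conf() {
    file=$1
    ns_count=0
    bad=0
    # '|| [ -n "$line" ]' also handles a last line without a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) continue ;;        # blank lines and comments
        esac
        set -- $line                         # split into keyword and arguments
        case "$1" in
            nameserver)
                if [ -z "${2:-}" ]; then
                    echo "$file: 'nameserver' without an address: '$line'"
                    bad=1
                else
                    ns_count=$((ns_count + 1))
                fi
                ;;
            domain|search|options|sortlist)  # other keywords listed in resolv.conf(5)
                ;;
            *)
                echo "$file: unknown keyword '$1', line is ignored by the resolver: '$line'"
                bad=1
                ;;
        esac
    done < "$file"
    if [ "$ns_count" -eq 0 ]; then
        echo "$file: no 'nameserver' entry, the resolver will query the local host (127.0.0.1)"
        bad=1
    fi
    return $bad
}

# Constructed sample files (not copied from any real system); the first one
# mirrors the keyword used in the jail's resolv.conf quoted in the post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'server 10.1.9.253\n' > "$tmp/jail.resolv.conf"
printf 'nameserver 9.9.9.10\nsearch home.example\n' > "$tmp/host.resolv.conf"

for f in "$tmp/jail.resolv.conf" "$tmp/host.resolv.conf"; do
    if check_resolv_conf "$f"; then
        echo "$f: ok"
    fi
done
```

Run it with `sh check_resolv.sh`; the jail-style file produces two diagnostics (unknown keyword, no nameserver) and the host-style file prints "ok". The function can be pointed at a real jail's file with `check_resolv_conf /usr/jails/<name>/etc/resolv.conf` from the host.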