From owner-freebsd-questions@FreeBSD.ORG Mon Jul 19 14:46:14 2010
From: alexus
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Reply-To: google@alexus.org
Date: Mon, 19 Jul 2010 10:46:11 -0400
In-Reply-To: <4C419944.8030702@locolomo.org>
References: <4C3F91CF.5090206@locolomo.org> <4C419944.8030702@locolomo.org>
Subject: Re: ipnat.conf - map and rdr won't work!

On Sat, Jul 17, 2010 at 7:51 AM, Erik Norgaard wrote:
> On 16/07/10 02.56, alexus wrote:
>
>>>>> su-3.2# cat /etc/ipnat.rules
>>>>> map fxp0 lama ->     0/32
>>>>> rdr fxp0 64.52.58.58 port ssh ->     lama port ssh tcp
>>>
>>> What's that first rule supposed to do?
>>
>> provides a NAT within jail
>
> Just guessing, try to put the rdr rule first. Another thing, the
> firewall/nat may be loaded before starting the jail and thus unaware of
> interfaces etc assigned to the jail.

tried switching rules - didn't help
tried restarting ipnat after everything is started

>>>>> su-3.2# ifconfig
>>>>> vr0: flags=8943 metric 0 mtu 1500
>>>>>         inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
>>>>> fxp0: flags=8843 metric 0 mtu 1500
>>>>>         inet 64.52.58.58 netmask 0xffffffe0 broadcast 64.52.58.63
>>>
>>> Where is this? this "su-3.2" is a bit confusing, would be useful to set
>>> your hostname to "jail" within the jail...
>>
>> su-3.2 is a host environment where jail is hosted
>
> And from within the jail, what do you see? From what I understand
> 172.16.172.16 is the jail IP?

from host's rc.conf:

su-3.2# grep ^jail /etc/rc.conf
jail_enable="YES"
jail_lama_devfs_enable="YES"
jail_lama_hostname="lama"
jail_lama_ip="172.16.172.16"
jail_lama_rootdir="/usr/jail/lama"
jail_list="lama"
su-3.2#

this is within jail:

-bash-3.2$ ifconfig
vr0: flags=8943 metric 0 mtu 1500
        options=2808
        ether 00:19:5b:68:9b:01
        inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
        media: Ethernet autoselect (none)
        status: no carrier
fxp0: flags=8843 metric 0 mtu 1500
        options=2009
        ether 00:0f:fe:aa:f4:61
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
-bash-3.2$

>>> I think it is typical for jails to clone the loopback interface for this
>>> setup.
>>
>> not sure what you mean by this...
>> if you're referring to this statement as if you thought this is the jail
>> itself, then this is not the jail, this is the host environment (where
>> the jail is hosted)
>
>>> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
>>> pfctl -ss and similar.
>>
>> su-3.2# pfctl -ss
>> pfctl: /dev/pf: No such file or directory
>> su-3.2#
>
> Ah, you use ipfilter?

yes, I use ipfilter & ipnat:

su-3.2# grep ^ip /etc/rc.conf
ipfilter_enable="YES"
ipmon_enable="YES"
ipnat_enable="YES"
su-3.2#

>> I don't know how to use tcpdump, can you provide exact syntax so I can run
>> it?
>
> The man-page is excellent.

tried that, unfortunately not really sure what I am doing.. still

>>> anyone?
>>>
>>> If nobody replies, maybe try to rephrase your question, investigate
>>> further and provide additional information rather than just repost.
>>
>> I was under the impression that I pretty much covered all bases, or at
>> least I thought so ... apparently not...
>
> Honestly, I don't have a clear picture of what works and what doesn't or
> where. You haven't posted your jail config from rc.conf and you could help
> by making it clear when running any command that this is in the jail, jail#
> this is on the hosting system hostname# and this is the client client#
> etc...
>
> BR, Erik
>

lama is a jail environment (see rc.conf output from earlier)
su-3.2 is a host environment

any other questions? please just ask, I'll provide you with whatever
information is needed

thanks again

-- 
http://alexus.org/
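Editor's note on the rules quoted in this thread. Both rules name the jail by its hostname ("lama"). ipnat accepts hostnames in a rules file and resolves them on the host when the rules are loaded, so if "lama" does not resolve on the host to the address rc.conf gives the jail (172.16.172.16), the map rule translates the wrong source and the rdr rule redirects to the wrong target, and nothing in the rules file itself will show it. The script below is an added example, not code from the thread or from FreeBSD: it cross-checks constructed copies of rc.conf, ipnat.rules and a hosts table modelled on what the poster showed. The hosts table is an assumption (the poster never showed /etc/hosts), and the "resolve" function stands in for the real resolver lookup.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check ipnat map/rdr rules against
# the jail definition in rc.conf. ipnat resolves hostnames in the rules file
# when it loads them, so every "lama" in the rules must resolve, on the HOST,
# to the IP that rc.conf assigns to the jail. The three inputs are constructed
# copies modelled on the thread; the hosts table is an assumption.

RC_CONF='jail_enable="YES"
jail_lama_hostname="lama"
jail_lama_ip="172.16.172.16"
jail_list="lama"'

IPNAT_RULES='map fxp0 lama -> 0/32
rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp'

HOSTS='127.0.0.1 localhost
172.16.172.16 lama'

# jail_ip NAME: the address rc.conf assigns to jail NAME (empty if undefined)
jail_ip() {
    printf '%s\n' "$RC_CONF" | sed -n "s/^jail_$1_ip=\"\([^\"]*\)\".*/\1/p"
}

# resolve NAME: stand-in for the resolver lookup ipnat performs at load time;
# literal addresses pass through, names are looked up in the hosts table
resolve() {
    case $1 in
        *[!0-9.]*) printf '%s\n' "$HOSTS" | awk -v n="$1" '$2 == n { print $1; exit }' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# inside_addr RULE: the jail-side address of one map or rdr rule
#   map IF SRC -> ...             inside = SRC (the address being translated)
#   rdr IF DST port P -> IN ...   inside = IN  (the redirect target)
inside_addr() {
    printf '%s\n' "$1" | awk '
        $1 == "map" { print $3; exit }
        $1 == "rdr" { for (i = 1; i <= NF; i++) if ($i == "->") { print $(i+1); exit } }'
}

# check_rules JAIL: succeed only if every map/rdr rule points at JAIL's address
check_rules() {
    ip=$(jail_ip "$1")
    [ -n "$ip" ] || { echo "no jail_$1_ip in rc.conf"; return 1; }
    printf '%s\n' "$IPNAT_RULES" | while read -r line; do
        case $line in map*|rdr*) ;; *) continue ;; esac
        name=$(inside_addr "$line")
        addr=$(resolve "$name")
        if [ "$addr" = "$ip" ]; then
            echo "ok: $line"
        else
            echo "MISMATCH: '$name' resolves to '${addr:-nothing}', jail $1 is $ip: $line"
            exit 1   # leaves the pipeline subshell with status 1
        fi
    done
}

check_rules lama
```

Run it on the host, not in the jail; the point is that the host's resolver is the one ipnat consults. If the check passes and ssh to 64.52.58.58 still does not reach the jail, watch both sides of the translation while a client connects: `tcpdump -ni fxp0 tcp port 22` should show the SYN arriving for 64.52.58.58, and `tcpdump -ni vr0 tcp port 22` (or `-ni lo0`) should show the same connection after rdr with 172.16.172.16 as destination; `ipnat -l` lists the rules actually loaded and the active mappings, which is the quickest way to confirm what "lama" was resolved to at load time.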