From owner-freebsd-questions@FreeBSD.ORG  Tue Jul 17 14:47:18 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 9D633106566B
	for <freebsd-questions@freebsd.org>;
	Tue, 17 Jul 2012 14:47:18 +0000 (UTC)
	(envelope-from h.skuhra@gmail.com)
Received: from mail-pb0-f54.google.com (mail-pb0-f54.google.com
	[209.85.160.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 6D8A78FC16
	for <freebsd-questions@freebsd.org>;
	Tue, 17 Jul 2012 14:47:18 +0000 (UTC)
Received: by pbbro2 with SMTP id ro2so998727pbb.13
	for <freebsd-questions@freebsd.org>;
	Tue, 17 Jul 2012 07:47:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:content-type; bh=2J4uSrIehn31PVlHQCrNipgBPunerRLFiMKIuf871fs=;
	b=hLoNC6uhsTecw9RlhHuAWoNXXBjmLysrnOa4dOQics1c9alQaeWLTpQXceTTBibFlC
	9waZuEZuUzifHYt3K4dgnKgEIud9RyoJIPWbuc0NNHz3gVfIFtlJ4Xm1Wz3w8NC7raE0
	XRyGm+kLFemH95rLoXSWgf2cltQda/CNRzHnr1UmFW+uD45peBnII8mBb1Nw7/0o5amb
	U+L98CiQmJAqYKcMxmSVzdAUUYy4OlyV26TSps0sG9vtj8ai3yjBbnTUaarww6Z3UZ0a
	ukuGncsr7cJxv2arDlWqSJRvMCZloHOVOJgClOEpXVcsiSWFOvHRe2Kfbj8Sfkj+cAE6
	MrMg==
MIME-Version: 1.0
Received: by 10.68.213.67 with SMTP id nq3mr6928689pbc.142.1342536438153; Tue,
	17 Jul 2012 07:47:18 -0700 (PDT)
Received: by 10.68.239.67 with HTTP; Tue, 17 Jul 2012 07:47:17 -0700 (PDT)
In-Reply-To: <CADfJ1PaaqC6CupoWww5OXy+G1b6jXGadXN+4L63QVPmCwP2Fgg@mail.gmail.com>
References: <87fw8yariq.wl%h.skuhra@gmail.com>
	<CADfJ1PYDaJ-ogJq8ewvzLk3sCjqrE0bw36grVSAn2_16dZHDhw@mail.gmail.com>
	<CAPd55qAiWO5eQ=KkweuWir+gD4C1LSSbiky2VgZwiDpwwUyJaw@mail.gmail.com>
	<CADfJ1Pa1dpZ5StTTrG=8KVnFNzUuK58MhLXrg4prAqq4cKLK2g@mail.gmail.com>
	<CAMaK76HJfvVpn8qURDoUbBVKsowgrqmO7Nv=VXrtU0Yq4VbohA@mail.gmail.com>
	<CADfJ1PaaqC6CupoWww5OXy+G1b6jXGadXN+4L63QVPmCwP2Fgg@mail.gmail.com>
Date: Tue, 17 Jul 2012 16:47:17 +0200
Message-ID: <CADfJ1PZfTEYFv-zHaW8rdwCaJy8VnwZx_N+CNgCJEzyMsuLNtg@mail.gmail.com>
From: "Herbert J. Skuhra" <h.skuhra@gmail.com>
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=UTF-8
Subject: Re: Jails on FreeBSD 9.0
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 14:47:18 -0000

On Tue, Jul 17, 2012 at 11:46 AM, Herbert J. Skuhra <h.skuhra@gmail.com> wrote:

> With pf:
>
> I see the packets going out/coming in on fxp0 but somehow the jail
> does not "see" them.

Running 'nc 173.194.35.177 80"

'pfctl -ss' shows:

all tcp xx.xxx.xx.xxx:54724 (192.168.1.1:30177) -> 173.194.35.177:80
    ESTABLISHED:SYN_SENT

tcpdump on pflog0 shows :

16:32:28.489495 rule 11..16777216/0(match): pass out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13114581 ecr
0], length 0
16:32:28.499804 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463073042 ecr
13114581,nop,wscale 6], length 0
16:32:28.893420 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463073436 ecr
13114581,nop,wscale 6], length 0
16:32:29.494073 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463074036 ecr
13114581,nop,wscale 6], length 0
16:32:30.695744 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463075237 ecr
13114581,nop,wscale 6], length 0
16:32:31.489462 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13117581 ecr
0], length 0
16:32:31.500226 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463076040 ecr
13114581,nop,wscale 6], length 0
16:32:33.098531 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463077639 ecr
13114581,nop,wscale 6], length 0
16:32:34.689460 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13120781 ecr
0], length 0
16:32:34.699834 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463079239 ecr
13114581,nop,wscale 6], length 0
16:32:37.889462 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,sackOK,eol], length 0
16:32:37.899648 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463082437 ecr
13114581,nop,wscale 6], length 0
16:32:37.906102 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463082444 ecr
13114581,nop,wscale 6], length 0
16:32:41.089474 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,sackOK,eol], length 0
16:32:41.100282 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463085636 ecr
13114581,nop,wscale 6], length 0
16:32:44.289462 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,sackOK,eol], length 0
16:32:44.300060 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463088834 ecr
13114581,nop,wscale 6], length 0

What's wrong?

In the meantime I've found kern/164271.

Regards,
Herbert