From owner-freebsd-net@FreeBSD.ORG Thu Mar 17 15:30:44 2005
Date: Thu, 17 Mar 2005 07:34:16 -0800
From: GiZmen
To: freebsd-net@freebsd.org
Subject: Re: Setup of jail bound to lo0
Message-ID: <20050317153416.GA38586@swordfish.vsip.net>
In-Reply-To: <787bbe1c050315152733f79e7c@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

> Hi,
>
> I need to have some jails configured, sharing a single IP address (IPv6
> is a no-no for the time being:). Therefore I came up with an idea of
> binding them all to lo0 and assigning subsequent IP aliases as the
> addresses. The requirement for the jails is to let them receive
> (the easy part) and *send* packets to the outside.
>
> The jails cannot directly access the Internet as they cannot bind to
> the external IP address of course. Some translation needs to be made,
> I think. After wrestling with ipfw/ipf/pf for a couple of hours I
> don't have a working solution.
>
> My last attempt to get outside from the jail with ipfw was:
>
> # ipfw add 200 divert natd log tcp from 127.0.0.2 to 127.0.0.2 222 in via lo0
>
> and for natd:
>
> redirect_port tcp 192.168.153.2:22 127.0.0.2:222
>
> I get this log from natd:
>
> In {default} 0000ffff[TCP] [TCP] 127.0.0.2:53057 -> 127.0.0.2:301 aliased to
> [TCP] 127.0.0.2:53057 -> 192.168.153.2:22
>
> Which obviously doesn't work. I've tried to add an alias IP, but then it
> stops the natd `rule' matching.
> ---end quoted text---

I have set up my box the way you want with pf and it works perfectly.
I have cloned the lo interface to lo1 and I have made aliases for every
running jail.

    lo1: flags=8049 mtu 1500
            inet 127.1.1.1 netmask 0xff000000
            inet 127.0.0.53 netmask 0xffffffff
            inet 127.0.1.53 netmask 0xffffffff
            inet 127.0.0.67 netmask 0xffffffff
            inet 127.0.0.25 netmask 0xffffffff
            inet 127.0.0.80 netmask 0xffffffff
            inet 127.0.0.65 netmask 0xffffffff

My pf rules are like this:

    nat on $ext_if inet from 127.1.1.1 to any -> $ext_addr static-port
    pass out quick on $ext_if inet proto tcp from 127.1.1.1 to any flags S/SA modulate state

And it works. This is only for NATing this jail; to get access to this
jail from outside you have to put some rdr rules in your packet filter.
If you have more questions PM me.
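A fuller pf.conf for the loopback-jail setup described in the reply, added here as a worked example and not part of either poster's mail. It generalizes the single-address nat rule to a table covering every jail address, adds the rdr rules the reply mentions for inbound access, and keeps the jails from reaching each other over lo1; the interface name, external address, jail addresses and service ports are placeholders.

```pf
# /etc/pf.conf excerpt (added example). Assumes lo1 is cloned in rc.conf:
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 127.1.1.1 netmask 255.0.0.0"
#   ifconfig_lo1_alias0="inet 127.0.0.53 netmask 255.255.255.255"
#   ifconfig_lo1_alias1="inet 127.0.0.80 netmask 255.255.255.255"
# and that each jail is started with one of those alias addresses.
ext_if   = "fxp0"          # placeholder external interface
ext_addr = "192.0.2.10"    # placeholder public address of the host
jail_if  = "lo1"
dns_jail = "127.0.0.53"    # placeholder jail addresses
web_jail = "127.0.0.80"
table <jails> const { 127.0.0.53, 127.0.0.80 }

# Host loopback stays unfiltered; lo1 is deliberately NOT skipped so the
# inter-jail block rule below actually applies to loopback traffic.
set skip on lo0

# Outbound: every jail leaves with the shared external address as source.
# static-port preserves the source port (e.g. for a resolver jail).
nat on $ext_if inet from <jails> to any -> $ext_addr static-port

# Inbound: one rdr per service that is meant to be reachable, nothing else.
rdr on $ext_if inet proto tcp from any to $ext_addr port 80 -> $web_jail port 80
rdr on $ext_if inet proto { tcp, udp } from any to $ext_addr port 53 -> $dns_jail port 53

# Default deny on the outside; log drops so probes against the host show up.
block in log on $ext_if

# Redirected connections arrive with the jail address as destination
# (translation happens before filtering), so pass to the jail address.
pass in on $ext_if inet proto tcp from any to $web_jail port 80 flags S/SA keep state
pass in on $ext_if inet proto { tcp, udp } from any to $dns_jail port 53 keep state

# Jails going out: only addresses in the table, only expected protocols.
pass out quick on $ext_if inet proto tcp from <jails> to any flags S/SA modulate state
pass out quick on $ext_if inet proto { udp, icmp } from <jails> to any keep state

# Jails share lo1, so without this rule each jail can reach every other jail's
# services directly; keep them isolated unless a specific pair needs it.
block log on $jail_if from <jails> to <jails>
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s state` show the translations and the per-jail states as they appear.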