From: Attila Nagy
To: Michael Meltzer
Cc: Ruslan Ermilov
Subject: Re: 127/8 in ip_output.c
Date: Wed, 13 Feb 2002 09:35:02 +0100 (CET)
In-Reply-To: <00c701c1b3f3$169409f0$34f820c0@ix1x1000>
Sender: owner-freebsd-stable@FreeBSD.ORG

Hello,

> http://www.obfuscation.org/ipf/ipf-howto.txt about page 28+-

Besides that I often use jail to separate different services on the same machine. For this task I like to use addresses from the 127/8 range and bind the jails to those on the lo0 interface.

For a shell jail I can run this on 127.0.0.5 with an RDR line in /etc/ipnat.rules:

    rdr fxp0 1.2.3.4/32 port 22 -> 127.0.0.5 port 22

And if users want to connect out from this jail I specify a:

    map fxp0 127.0.0.5/32 -> 1.2.3.4/32

As you can see, this way I don't use 127/8 addresses on external interfaces, but the current behaviour stops this, because it sees the traffic before IPF can NAT the packages, so it denies the 127.0.0.5.

I think this is not a breakage of the RFC, since I use 127/8 *internally* for an internal network (that's what 127/8 is for) and FreeBSD denies it to work. I think it should be very good to give a sysctl for setting this...

Thanks,
--------------------------------------------------------------------------
Attila Nagy                        e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)      @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.  cell.: +3630 306 6758
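
The ordering problem described in the message above, as a user-space C model (an added example, not FreeBSD kernel code and not part of the original post): the 127/8 check and the ipnat map rule are applied to the jail's outbound packet in both orders. The destination 192.0.2.10 and all type and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Build a host-byte-order IPv4 address from dotted-quad parts. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct pkt { uint32_t src, dst; };        /* hypothetical packet model */
struct map_rule { uint32_t from, to; };   /* models: map fxp0 from/32 -> to/32 */
enum order { CHECK_THEN_NAT, NAT_THEN_CHECK };

/* 1 if addr lies in 127.0.0.0/8. */
static int in_loopback_net(uint32_t addr) { return (addr >> 24) == 127; }

/* Source rewrite performed by the map rule on the external interface. */
static void apply_map(struct pkt *p, const struct map_rule *r)
{
    if (p->src == r->from)
        p->src = r->to;
}

/* Output path for a non-loopback interface.
 * Returns 1 if the packet is transmitted, 0 if it is dropped. */
static int output_on_external(struct pkt *p, const struct map_rule *r, enum order o)
{
    if (o == NAT_THEN_CHECK)
        apply_map(p, r);
    if (in_loopback_net(p->src) || in_loopback_net(p->dst))
        return 0;                         /* 127/8 must not leave on this interface */
    if (o == CHECK_THEN_NAT)
        apply_map(p, r);
    return 1;
}

/* Sends one packet from the jail at 127.0.0.5 to a constructed remote host
 * and reports the source address the packet carries afterwards. */
static int jail_packet_sent(enum order o, uint32_t *src_after)
{
    struct map_rule r = { IP4(127, 0, 0, 5), IP4(1, 2, 3, 4) };
    struct pkt p = { IP4(127, 0, 0, 5), IP4(192, 0, 2, 10) };
    int sent = output_on_external(&p, &r, o);
    *src_after = p.src;
    return sent;
}

int main(void)
{
    uint32_t s;
    printf("check before NAT: sent=%d\n", jail_packet_sent(CHECK_THEN_NAT, &s));
    printf("NAT before check: sent=%d\n", jail_packet_sent(NAT_THEN_CHECK, &s));
    return 0;
}
```

In the check-first order the packet is dropped while it still carries 127.0.0.5; in the NAT-first order it goes out with source 1.2.3.4, so no 127/8 address appears on the external interface in either case.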