Date: Mon, 26 Feb 2018 15:35:08 +0100
From: Peter Ludikovsky <peter@ludikovsky.name>
To: freebsd-questions@freebsd.org
Subject: Re: UDP connections from NAT'ed jails
Message-ID: <6ADC216F-CD1E-4AFA-8E57-01E928BC2776@ludikovsky.name>
In-Reply-To: <CB81FE3C-CA97-43DF-85D0-8C271C96DB9C@sigsegv.be>
References: <8B3177FE-1FE5-4455-8F3C-CB5CE664B8C1@ludikovsky.name> <CB81FE3C-CA97-43DF-85D0-8C271C96DB9C@sigsegv.be>
Hi,
With the adaptation on the VM:
[peter@doctor ~]$ sudo service pf reload
Reloading pf rules.
[peter@doctor ~]$ cat /etc/pf.conf
IP_PUB="10.0.2.15"
IP_JAIL="192.168.5.2"
NET_JAIL="192.168.5.0/24"
scrub in all
#set skip on lo
nat pass on em0 from $NET_JAIL to any -> $IP_PUB
pass out keep state
[peter@doctor ~]$ sudo pfctl -sn
nat pass on em0 inet from 192.168.5.0/24 to any -> 10.0.2.15
[peter@doctor ~]$ host pkg.freebsd.org
pkg.freebsd.org is an alias for pkgmir.geo.freebsd.org.
pkgmir.geo.freebsd.org has address 149.20.1.201
pkgmir.geo.freebsd.org has IPv6 address 2001:4f8:1:11::50:1
No change in the jail.
tcpdump on the host shows resolution happening for the jail-host, but
nothing for the jail itself.
Regards,
/peter
On 26 February 2018 13:58:23 CET, Kristof Provost <kristof@sigsegv.be> wrote:
>On 26 Feb 2018, at 18:11, Peter Ludikovsky wrote:
>> I'm experimenting with jails in preparation for moving my home server
>> from Linux to FreeBSD. I'm doing this from within a VirtualBox VM, since
>> it's easier to revert to a previous state in case I break something.
>>
>> My biggest issue ATM is that my first jail can't resolve any host. TCP
>> and ICMP packets pass without issue, but DNS requests time out. I
>> checked with tcpdump on both the outside interface of the VM and of the
>> host, neither show any DNS requests. Both hosts use 9.9.9.10 as the DNS
>> server in /etc/resolv.conf.
>>
>…
>> Anyone got a pointer on what's going wrong here?
>>
>Hmm. That’s interesting. Can you tcpdump on the host to see what’s
>going on with your DNS packets?
>
>Also, I’d try to remove the ‘set skip on lo’ pf rule.
>
>Regards,
>Kristof
