Date: Wed, 9 Jul 2014 15:34:40 +1000 (EST)
From: Peter Ross <Peter.Ross@alumni.tu-berlin.de>
To: freebsd-jail@freebsd.org
Subject: vnet jail and ipfw/nat on host - keep-state problem?
Message-ID: <alpine.DEB.2.02.1407091517130.32174@PetersBigBox>
Hi all,

I am setting up a host with vnet jails without a public IP, e.g. a vnet jail with a DNS server (bind) running inside.

The setup:

    Internet -> age0 (host interface with natd and external IP)
             -> bridge10 (10.0.10.254)
             -> epair1a
             -> epair1b (10.0.10.1 in bind vnet jail)

Inside the jail I have a simple open ipfw firewall (ipfw allow ip4 from any to any).

Here are the rules relevant to letting UDP port 53 connect from the outside world (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53"):

    00100 divert 8668 ip4 from any to any via age0
    03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
    03200 allow udp from any to me dst-port 53 keep-state

This does not allow DNS requests from the outside; they only get returned by adding

    03300 allow udp from me 53 to any

I am pretty confident that the rules above work with "real interfaces". I have similar routers with ipfw/natd; there things are even more limited by interface rules (recv/xmit).

Does this mean "keep-state" is not working properly in the mentioned vnet setup?

Regards
Peter
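One thing worth checking before concluding that keep-state is broken is the order in which natd's rewrite and the dynamic-rule lookup happen on each pass through the host firewall. The following simplified Python model of ipfw's stateful matching is an added example, not code from the message or from FreeBSD; it assumes the documented ipfw semantics (a packet reinjected by natd continues at the rule after the divert rule, the first keep-state rule reached also performs the implicit check-state, and a keep-state match records both directions of the 5-tuple) and walks the poster's DNS request and reply through every pass the host sees. The external IP, client IP and client port are constructed sample values; the host addresses that "me" resolves to are an assumption.

```python
"""Simplified model of ipfw keep-state matching with a natd divert rule.

Added example for the mailing-list question above; not FreeBSD code.
Modelled behaviour (assumed from ipfw(8)/natd(8) semantics):
  * 'divert' on a matching interface hands the packet to natd and
    processing continues at the next rule with the rewritten addresses;
  * the first 'keep-state' rule reached also acts as an implicit
    check-state, accepting a packet that matches a dynamic rule;
  * a packet accepted by a keep-state rule creates a dynamic rule for
    its 5-tuple and for the reverse 5-tuple.
"""
from dataclasses import dataclass, replace
from typing import Optional

EXTERNAL_IP = "203.0.113.10"                 # constructed stand-in for external.ip
JAIL_IP = "10.0.10.1"                        # from the message
HOST_ADDRS = {EXTERNAL_IP, "10.0.10.254"}    # what 'me' resolves to (assumed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str      # interface the packet is seen on during this pass
    direction: str  # "in" or "out"


@dataclass
class Rule:
    number: int
    action: str            # "divert" or "allow"
    proto: str             # "ip4" or "udp"
    src: str               # "any", "me" or an address
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    via: Optional[str] = None
    keep_state: bool = False


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in HOST_ADDRS
    return spec == addr


def _static_match(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip4", pkt.proto)
            and _addr_matches(rule.src, pkt.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.via is None or rule.via == pkt.iface))


def natd_redirect(pkt: Packet) -> Packet:
    """Model 'redirect_port udp 10.0.10.1:53 external.ip:53' in both directions."""
    if pkt.direction == "in" and pkt.dst == EXTERNAL_IP and pkt.dport == 53:
        return replace(pkt, dst=JAIL_IP)
    if pkt.direction == "out" and pkt.src == JAIL_IP and pkt.sport == 53:
        return replace(pkt, src=EXTERNAL_IP)
    return pkt


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # dynamic rules as (proto, src, sport, dst, dport)

    @staticmethod
    def _tuple(pkt: Packet):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def process(self, pkt: Packet):
        """Run one firewall pass; return (verdict, rule number, packet after NAT)."""
        checked_state = False
        for rule in self.rules:
            if rule.keep_state and not checked_state:
                checked_state = True           # implicit check-state
                if self._tuple(pkt) in self.dynamic:
                    return "allow(dynamic)", rule.number, pkt
            if not _static_match(rule, pkt):
                continue
            if rule.action == "divert":
                pkt = natd_redirect(pkt)       # natd reinjects; continue at next rule
                continue
            if rule.keep_state:
                t = self._tuple(pkt)
                self.dynamic.add(t)
                self.dynamic.add((t[0], t[3], t[4], t[1], t[2]))
            return "allow", rule.number, pkt
        return "deny(default)", 65535, pkt


# The poster's rules (natd on divert port 8668 is implied by rule 00100).
POSTER_RULES = [
    Rule(100, "divert", "ip4", "any", None, "any", None, via="age0"),
    Rule(3100, "allow", "udp", "any", None, JAIL_IP, 53, keep_state=True),
    Rule(3200, "allow", "udp", "any", None, "me", 53, keep_state=True),
]
RULE_3300 = Rule(3300, "allow", "udp", "me", 53, "any", None)   # the poster's workaround


def trace_dns_exchange(rules, client="198.51.100.7", cport=40000):
    """Walk one DNS request and its reply through each pass on the host (client is constructed)."""
    fw = Firewall(rules)
    request = Packet("udp", client, cport, EXTERNAL_IP, 53, "age0", "in")
    reply = Packet("udp", JAIL_IP, 53, client, cport, "epair1a", "in")
    results = {}
    # Request: inbound on age0 (NAT rewrites dst), then outbound towards the jail.
    verdict, number, translated = fw.process(request)
    results["request age0 in"] = (verdict, number)
    results["request epair1a out"] = fw.process(
        replace(translated, iface="epair1a", direction="out"))[:2]
    # Reply: inbound from the jail on epair1a, then outbound on age0 (NAT rewrites src).
    results["reply epair1a in"] = fw.process(reply)[:2]
    results["reply age0 out"] = fw.process(
        replace(reply, iface="age0", direction="out"))[:2]
    return results


if __name__ == "__main__":
    for label, ruleset in (("poster's rules", POSTER_RULES),
                           ("with 03300", POSTER_RULES + [RULE_3300])):
        print(label)
        for step, outcome in trace_dns_exchange(ruleset).items():
            print(f"  {step:22} -> {outcome}")
```

In this model the request passes and creates a dynamic rule keyed on 10.0.10.1:53, and the reply passes on its way out of the jail, but on the final pass out through age0 the divert rule at 00100 has already rewritten the source to the external address before the implicit check-state at 03100 runs, so the reply no longer matches the dynamic rule and falls through to the default deny; only the added 03300 lets it out. Whether that is what happens on the poster's host is not established by the message, but it is cheap to confirm: `ipfw -d list` shows the dynamic rules that actually exist, and comparing their addresses with what leaves age0 after natd tells you whether the state or the rule order is the problem.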