Date: Mon, 14 Oct 2013 21:33:27 +1100 From: Peter Jeremy <peter@rulingia.com> To: freebsd-net@freebsd.org Subject: Unable to use pf(4) NAT with jail on 9.2-RELEASE Message-ID: <20131014103327.GC68355@server.rulingia.com>
I am trying to configure a new firewall and want to run squid in a jail but have been unsuccessful in getting outgoing NAT to work. I have previously used jails on 8.x and 10.x with traffic going both into and out of jails, but I admit this is the first time I've tried to use NAT on the outgoing traffic.

I've tried attaching the jail to each of lo0 and lo1 using a 127/8 address; lo1, the internal and the external interface using a dummy (RFC1918) address; and the internal interface using a valid-for-my-internal-network RFC1918 address, using a NAT rule like:

  nat on $ext_if from $jail_subnet to any -> $ext_addr

Monitoring the external interface on another host, either no packets are transmitted (for the 127/8 addresses) or the source address is the unchanged RFC1918 address.

As a specific example:

In rc.conf:

  jail_squid_ip="198.168.120.4"           # Dummy address
  jail_squid_interface="em0"              # Internal interface
  jail_squid_exec_start="/usr/bin/fetch -o /tmp/zzz https://223.223.223.1/"

Complete pf.conf:

  nat log on re0 from 192.168.120.4/32 to any -> 223.223.223.2
  pass quick all

(changing the /32 to /24 makes no difference).

ifconfig whilst the jail is trying to start:

  em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
          options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
          inet 192.168.123.124 netmask 0xffffff00 broadcast 192.168.123.255
          inet 198.168.120.4 netmask 0xffffffff broadcast 198.168.120.4
  re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
          options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
          inet 223.223.223.2 netmask 0xfffffffc broadcast 223.223.223.3

And tcpdump on a system connected to re0 shows:

  21:25:44.030983 IP 198.168.120.4.36205 > 223.223.223.1.443: Flags [S], seq 1462646452, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 712899226 ecr 0], length 0

(the source address should be 223.223.223.2).

OTOH, if I use a more complete pf.conf and initiate the connection either on the host or on an "internal" box set to route through the firewall, everything works as expected.

What am I doing wrong?

-- 
Peter Jeremy
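Since the post quotes both the rc.conf jail settings and the complete pf.conf, one cheap check to run before chasing interface placement is whether each jail's address actually falls inside the source network of some nat rule; a packet whose source no nat rule matches leaves the external interface untranslated, exactly as the tcpdump line shows. The script below is an added example written for this page, not code from the post or from FreeBSD. The two configuration fragments are constructed inline from the values quoted above (addresses copied as posted), and the parser is deliberately narrow: it understands literal addresses and CIDR networks in `from` and does not expand pf macros such as `$jail_subnet` or address lists in braces.

```python
import ipaddress
import re

# Constructed inputs, copied from the fragments quoted in the post.
# On a real firewall you would read /etc/rc.conf and /etc/pf.conf instead.
RC_CONF = """\
jail_squid_ip="198.168.120.4"           # Dummy address
jail_squid_interface="em0"              # Internal interface
jail_squid_exec_start="/usr/bin/fetch -o /tmp/zzz https://223.223.223.1/"
"""

PF_CONF = """\
nat log on re0 from 192.168.120.4/32 to any -> 223.223.223.2
pass quick all
"""

# jail_<name>_ip="a.b.c.d"  (quotes optional, trailing comment allowed)
JAIL_IP_RE = re.compile(r'^jail_(\w+)_ip="?([0-9.]+)"?\s*(?:#.*)?$', re.M)

# nat [log] on <if> from <src> to <dst> -> <addr>
# Only literal addresses/networks are handled; macros ($foo) and {...} lists are not.
NAT_RE = re.compile(
    r'^nat\s+(?:log\s+)?on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)',
    re.M,
)


def jail_addresses(rc_conf):
    """Map jail name -> IPv4 address from the jail_<name>_ip lines of rc.conf."""
    return {name: ipaddress.ip_address(addr) for name, addr in JAIL_IP_RE.findall(rc_conf)}


def nat_rules(pf_conf):
    """Return (interface, source network, translation address) for each literal nat rule."""
    rules = []
    for ifname, src, _dst, target in NAT_RE.findall(pf_conf):
        if src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # strict=False so that host-bits-set forms like 192.168.120.4/24 are accepted,
            # the same way pf accepts them.
            net = ipaddress.ip_network(src, strict=False)
        rules.append((ifname, net, target))
    return rules


def uncovered_jails(rc_conf, pf_conf):
    """Jails whose address is matched by the source of no nat rule at all.

    Traffic from such a jail is forwarded with its original source address,
    which is what an untranslated RFC1918 source on the external link looks like.
    """
    rules = nat_rules(pf_conf)
    return {
        name: str(addr)
        for name, addr in jail_addresses(rc_conf).items()
        if not any(addr in net for _ifname, net, _target in rules)
    }


if __name__ == "__main__":
    for name, addr in uncovered_jails(RC_CONF, PF_CONF).items():
        print(f"jail {name}: {addr} is not inside the source of any nat rule")
```

Run against the fragments as posted, the check reports the squid jail as not covered by the single nat rule; run against a configuration where the jail address and the rule's `from` network agree, it reports nothing. It is only a consistency check on the two files, not a substitute for `pfctl -s nat` and `pfctl -s state` on the running system.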