From: Peter Jeremy
To: freebsd-net@freebsd.org
Date: Mon, 14 Oct 2013 21:33:27 +1100
Subject: Unable to use pf(4) NAT with jail on 9.2-RELEASE
Message-ID: <20131014103327.GC68355@server.rulingia.com>
List-Id: Networking and TCP/IP with FreeBSD
I am trying to configure a new firewall and want to run squid in a jail but
have been unsuccessful in getting outgoing NAT to work.  I have previously
used jails on 8.x and 10.x with traffic going both into and out of jails but
I admit this is the first time I've tried to use NAT on the outgoing traffic.

I've tried attaching the jail to each of lo0, lo1 using a 127/8 address; lo1,
the internal and the external interface using a dummy (RFC1918) address; and
the internal interface using a valid-for-my-internal-network RFC1918 address,
using a NAT rule like:

  nat on $ext_if from $jail_subnet to any -> $ext_addr

Monitoring the external interface on another host, either no packets are
transmitted (for the 127/8 addresses) or the source address is the unchanged
RFC1918 address.

As a specific example:

In rc.conf:
  jail_squid_ip="198.168.120.4"         # Dummy address
  jail_squid_interface="em0"            # Internal interface
  jail_squid_exec_start="/usr/bin/fetch -o /tmp/zzz https://223.223.223.1/"

Complete pf.conf:
  nat log on re0 from 192.168.120.4/32 to any -> 223.223.223.2
  pass quick all

(changing the /32 to /24 makes no difference).
ifconfig whilst the jail is trying to start:

  em0: flags=8843 metric 0 mtu 1500
          options=4019b
          inet 192.168.123.124 netmask 0xffffff00 broadcast 192.168.123.255
          inet 198.168.120.4 netmask 0xffffffff broadcast 198.168.120.4
  re0: flags=8843 metric 0 mtu 1500
          options=8209b
          inet 223.223.223.2 netmask 0xfffffffc broadcast 223.223.223.3

And tcpdump on a system connected to re0 shows:

  21:25:44.030983 IP 198.168.120.4.36205 > 223.223.223.1.443: Flags [S], seq 1462646452, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 712899226 ecr 0], length 0

(the source address should be 223.223.223.2).

OTOH, if I use a more complete pf.conf and initiate the connection either on
the host or on an "internal" box set to route through the firewall,
everything works as expected.

What am I doing wrong?

-- 
Peter Jeremy
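A consistency check for the kind of configuration quoted in the mail above, added here as an example (it is neither part of the original post nor a pf or FreeBSD tool): it parses the rc.conf jail entry, the nat rule and the ifconfig output (constructed copies of the values in the post) and reports whether each jail address falls inside a nat rule's `from` network and whether the rule's translation address actually exists on the interface named after `on`. Only the simple `nat [log] on IF from NET to any -> ADDR` rule form is handled, which is an assumption of this example.

```python
import re
import ipaddress
# Constructed inputs that reproduce the values quoted in the post above.
RC_CONF = 'jail_squid_ip="198.168.120.4"\njail_squid_interface="em0"\n'
PF_CONF = 'nat log on re0 from 192.168.120.4/32 to any -> 223.223.223.2\npass quick all\n'
IFCONFIG = """em0: flags=8843 metric 0 mtu 1500
\tinet 192.168.123.124 netmask 0xffffff00 broadcast 192.168.123.255
\tinet 198.168.120.4 netmask 0xffffffff broadcast 198.168.120.4
re0: flags=8843 metric 0 mtu 1500
\tinet 223.223.223.2 netmask 0xfffffffc broadcast 223.223.223.3
"""
# Assumption: only the plain "nat [log] on IF from NET to any -> ADDR" form is parsed.
NAT_RE = re.compile(r'^nat\s+(?:log\s+)?on\s+(\S+)\s+from\s+(\S+)\s+to\s+\S+\s+->\s+(\S+)')

def jail_ips(rc_conf):
    """Map jail name -> address from jail_<name>_ip="..." lines in rc.conf."""
    return {m.group(1): ipaddress.ip_address(m.group(2))
            for m in re.finditer(r'^jail_(\w+)_ip="([^"]+)"', rc_conf, re.M)}

def nat_rules(pf_conf):
    """List (interface, source network, translation address) per nat rule."""
    rules = []
    for line in pf_conf.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            rules.append((m.group(1), ipaddress.ip_network(m.group(2), strict=False),
                          ipaddress.ip_address(m.group(3))))
    return rules

def iface_addrs(ifconfig):
    """Map interface name -> set of inet addresses from ifconfig output."""
    addrs, cur = {}, None
    for line in ifconfig.splitlines():
        if line and not line[0].isspace():          # "em0: flags=..." starts a block
            cur = line.split(':', 1)[0]
            addrs.setdefault(cur, set())
        elif cur and (m := re.search(r'\binet (\S+)', line)):
            addrs[cur].add(ipaddress.ip_address(m.group(1)))
    return addrs

def check_nat(rc_conf, pf_conf, ifconfig):
    """Return findings; empty means each jail address is NAT-able and each target exists."""
    findings, rules, addrs = [], nat_rules(pf_conf), iface_addrs(ifconfig)
    for name, jail in jail_ips(rc_conf).items():
        if not any(jail in net for _, net, _ in rules):
            findings.append(f"jail {name} address {jail} matches no nat 'from' network")
    for iface, _, target in rules:
        if target not in addrs.get(iface, set()):
            findings.append(f"nat target {target} is not configured on {iface}")
    return findings
```

Running `check_nat(RC_CONF, PF_CONF, IFCONFIG)` against the constructed inputs returns one finding per mismatch; an empty list means the rule, the jail address and the interface addresses agree.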