From: Morgan Reed
Date: Sat, 24 Nov 2012 21:16:46 +1100
Subject: Re: natd in a jail
To: Ian Smith
Cc: freebsd-stable@freebsd.org
List-Id: Production branch of FreeBSD source code

On Sat, Nov 24, 2012 at 7:26 PM, Ian Smith wrote:

> Unless you needed to include FIREWALL_FORWARD, you really didn't need to
> build ipfw into the kernel, it's all loadable by module. No harm, but.

The ipfw_nat module was causing an instant panic at load, and I was going to have to rebuild my kernel to debug that anyway, so I went with the sledgehammer approach and built it in. This box won't be doing anything else, so it's no problem.

> And with ipfw nat you won't be needing ipdivert. Again, no harm.

Yeah, I didn't think it should be necessary, but something was trying to load it from within the jails and throwing an error, probably the natd startup script. Not sure why; I might do some digging if I get bored at some point.

> If the address of the tunX interface is fixed in the jail, you can
> specify it by IP instead of the interface in the nat setup, like:
>
> ipfw nat 1 config ip $address same_ports deny_in
> ipfw add 500 nat 1 ip from any to any via $address
>
> Your use of 'reset' in nat config makes me wonder if it's a variable
> address though? If IP varies you will need to specify the interface.

Dynamically assigned IP address. I don't control the remote end of the tunnel, and the IP changes each time the tunnel connects.
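As an added example, not part of the thread and not FreeBSD's own scripts: a small sh helper that emits the two in-kernel NAT rule forms discussed above, Ian's fixed-address `ip $address` form and the `if <iface>` form needed when the tunnel address changes on every reconnect. The `reset` option in the dynamic form flushes the packet aliasing table when the interface address changes, which is why it belongs there and not in the fixed-address form. The NAT instance number, rule number, interface name and function names are illustrative; nothing is executed, the rules are printed so they can be reviewed before being run on the FreeBSD box.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the thread): print the ipfw
# in-kernel NAT rules for a tunnel whose address is either fixed or dynamic.
# Assumed values: NAT instance 1, rule number 500, interface name from $1.

NAT_ID=1
RULE_NO=500

# is_ipv4 <string>: true if the argument is a dotted quad with octets 0..255.
# Used to refuse a "fixed address" that is not actually an address.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipfw_nat_rules <iface> [<fixed-address>]
#   With a fixed address: 'config ip <addr>' and match 'via <addr>'.
#   Without one: 'config if <iface>' so the aliasing address follows the
#   interface, plus 'reset' so the alias table is cleared when the address
#   changes (every reconnect of a dynamically assigned tunnel).
ipfw_nat_rules() {
    iface=$1
    addr=$2
    if [ -z "$iface" ]; then
        echo "usage: ipfw_nat_rules <iface> [<fixed-address>]" >&2
        return 1
    fi
    if [ -n "$addr" ]; then
        if ! is_ipv4 "$addr"; then
            echo "ipfw_nat_rules: '$addr' is not an IPv4 address" >&2
            return 1
        fi
        printf 'ipfw nat %s config ip %s same_ports deny_in\n' \
            "$NAT_ID" "$addr"
        printf 'ipfw add %s nat %s ip from any to any via %s\n' \
            "$RULE_NO" "$NAT_ID" "$addr"
    else
        printf 'ipfw nat %s config if %s reset same_ports deny_in\n' \
            "$NAT_ID" "$iface"
        printf 'ipfw add %s nat %s ip from any to any via %s\n' \
            "$RULE_NO" "$NAT_ID" "$iface"
    fi
}

# Run as a script: ./natrules.sh tun0            (dynamic address)
#                  ./natrules.sh tun0 203.0.113.5 (fixed address)
if [ $# -gt 0 ]; then
    ipfw_nat_rules "$@"
fi
```

Pipe the output into `sh` only after reading it; on a box where ipfw is built in, a bad `config` line or a rule number colliding with an existing one is easier to catch on paper than after the tunnel has been NATed away.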