Date:      Wed, 21 Jul 2010 03:34:08 +0800
From:      Fbsd8 <fbsd8@a1poweruser.com>
To:        google@alexus.org
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipnat.conf - map and rdr won't work!
Message-ID:  <4C45FA30.8020004@a1poweruser.com>
In-Reply-To: <AANLkTimSIMKbBun8xAaoKbNgLhLm38CpGsBa14JN8QIt@mail.gmail.com>
References:  <AANLkTilVTo36Fzdh2DKAQhRjyDj8MNUuV9dhwvQ7Gf-V@mail.gmail.com>	<AANLkTinh0CykJ1Av3f2THPDFOLS0YtYLDvRMHXm_wD3w@mail.gmail.com>	<4C3F91CF.5090206@locolomo.org>	<AANLkTin6hYyHiG8taifkNHPBtKI0rKOkAaGRYodV1LLC@mail.gmail.com>	<4C419944.8030702@locolomo.org>	<AANLkTin8H47Z7suztGnWpa8fm-XIagQ6vzlxP85OIT-B@mail.gmail.com>	<4C447F7F.6020308@locolomo.org>	<AANLkTinM1E2Obrs8VqSsm3S_jcXqbw_Q1YLkc51tgJsS@mail.gmail.com>	<4C45CBA3.9020800@comclark.com>	<AANLkTileySmaFe4WCud1_MFWXnlHsnNF6DEQUgsmSHE1@mail.gmail.com>	<4C45E7EA.7090403@comclark.com> <AANLkTimSIMKbBun8xAaoKbNgLhLm38CpGsBa14JN8QIt@mail.gmail.com>

alexus wrote:
> On Tue, Jul 20, 2010 at 2:16 PM, Aiza <aiza21@comclark.com> wrote:
>> alexus wrote:
>>>>  su-3.2# grep ^firewall /etc/rc.conf
>>>>  firewall_enable="YES"
>>>>  firewall_type="open"
>>>>
>>>>  su-3.2# grep ^ip /etc/rc.conf
>>>>  ipfilter_enable="YES"
>>>>  ipmon_enable="YES"
>>>>  ipnat_enable="YES"
>>>>  ipnat_flags="-d"
>>>>
>>>> This is not good.
>>>> You are running 2 different firewalls at the same time.
>>>> comment out
>>>> firewall_enable="YES"
>>>> firewall_type="open"
>>>>
>>>> and reboot your system.
>>>>
>>>>
>>> do you know that for a fact or are you just guessing??
>>>
>>> because first of all it worked before just fine with 2 firewalls
>>> second i disabled the firewall, so the firewall is no longer an issue
>>> third i have another system just like that that runs 2 firewalls and
>>> everything is working just fine!
>>>
>>> if you don't know the answer there is no need to throw just any answer
>>> as it's pretty clear that this isn't the right answer
>>>
>> Just because 2 firewalls at the same time didn't blow up in your face before,
>> sure don't mean they are working correctly. That's one bad assumption to base
>> debugging on.
> 
> i never had any problem doing so, not that i'm saying it's a smart thing to do
> i'm well aware of that, and as i mentioned before both firewalls serve
> different purposes
> it's not like i'm filtering packets with both firewalls at the same time.
> 
>> Jumping in my face, questioning the free advice given, sure makes you look
>> foolish. You should read the handbook firewall section before opening your
>> mouth and sticking your foot into it.
> 
> i wasn't jumping in your face, i just outlined some of the facts.
> i'm asking for help here, there is no point for me to jump on anyone.
> 
>> People on this list will stop helping if you turn on them and bite the hand
>> that feeds you.
>>
>> And another thing. Network access for a jail is not controlled by the host's
>> firewall. You need to look elsewhere for your jail network access solution.
> 
> my jail has a private IP address, so in order to get to my jail you
> need to go through the public IP, and that is being hosted within the host
> environment
> the jail itself seems to be functioning fine, as i can ssh into the jail from
> the host environment
> 
> so my guess is i gotta look somewhere inside of ipnat, since ipnat is
> responsible for routing packets from/to the jail
> 
>> If your attitude was not so XXXXXXX, I could have told you the solution, but
>> now go learn it the hard way.
> 
> i'm sorry you feel that way, surely didn't mean anything bad by outlining facts.
> 
Have you copied your host's /etc/resolv.conf file to your jail?
How did you create your jail? ezjail???

What application are you planning on running inside of the jail?

Did you give the jail the IP address of your public network? Check it 
again to verify the numbers are correct.

Doing ssh from the host is not the way to test. You need someone from 
the public network to try to ssh in by using your public IP address.

But the first test is to start the jail and access the jail's console 
from the host and then issue a dig or whois command from the jail's console 
to see if you have outbound public network access. The ping command is a 
security leak and not allowed from a jail by design. See "man jail" for 
details about ping. If there is no public network access, then the host's 
/etc/resolv.conf is missing from the jail, or named wrong, or not in the 
correct location, or the jail's assigned IP address is not your public IP 
address, or if you created the jail without using ezjail you messed it up.

And all of this is done with all your firewalls disabled.
And jails do not have their own firewalls. If your jail has one disable it.

Firewalls DO NOT drive network traffic to a jail, so erase that idea 
from your mind. You're barking up the wrong tree going down that road. 
Your problem is not a firewall one, but a jail config one.

This debugging method is called "process of elimination".
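Two of the elimination steps in this thread can be checked offline before anyone touches a jail: whether rc.conf turns on more than one packet-filter stack (the ipfw plus ipfilter combination quoted earlier), and whether the jail root carries a copy of the host's /etc/resolv.conf. The script below is an added example, not code from the thread or from FreeBSD; it takes the rc.conf path and the host and jail root directories as arguments, never reads the live system, and builds a throwaway tree with a constructed rc.conf (the same settings quoted above) and a constructed resolv.conf so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks behind the advice above.
# All paths are passed in as arguments; nothing here touches the live system.

# rc_value FILE VAR -> prints the value of the last VAR=... line, unquoted.
rc_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"' | tr -d "'"
}

# rc_enabled FILE VAR -> succeeds when VAR is set to YES (any letter case).
rc_enabled() {
    [ "$(rc_value "$1" "$2" | tr '[:lower:]' '[:upper:]')" = "YES" ]
}

# firewall_stack_count FILE -> prints how many packet-filter stacks rc.conf
# enables: ipfw (firewall_enable), ipfilter (ipfilter_enable), pf (pf_enable).
# Anything above 1 is the "two firewalls at once" situation the reply flags.
firewall_stack_count() {
    n=0
    for v in firewall_enable ipfilter_enable pf_enable; do
        if rc_enabled "$1" "$v"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# jail_resolv_state HOSTROOT JAILROOT -> prints "ok" when the jail holds a
# copy of the host's /etc/resolv.conf, "missing" when the jail has none, and
# "differs" when the jail's file exists but does not match the host's.
jail_resolv_state() {
    host="$1/etc/resolv.conf"; jail="$2/etc/resolv.conf"
    if [ ! -f "$jail" ]; then echo missing
    elif cmp -s "$host" "$jail"; then echo ok
    else echo differs
    fi
}

# make_demo_tree -> builds a throwaway directory holding a constructed rc.conf
# (the settings quoted in the thread) and fake host/jail roots, then prints
# its path so the checks above can be exercised without a real jail.
make_demo_tree() {
    d=$(mktemp -d)
    cat > "$d/rc.conf" <<'EOF'
firewall_enable="YES"
firewall_type="open"
ipfilter_enable="YES"
ipmon_enable="YES"
ipnat_enable="YES"
ipnat_flags="-d"
EOF
    mkdir -p "$d/host/etc" "$d/jail_ok/etc" "$d/jail_missing/etc" "$d/jail_stale/etc"
    # Constructed resolver config; 192.0.2.0/24 is documentation address space.
    printf 'nameserver 192.0.2.53\n' > "$d/host/etc/resolv.conf"
    cp "$d/host/etc/resolv.conf" "$d/jail_ok/etc/resolv.conf"
    printf 'nameserver 10.0.0.1\n' > "$d/jail_stale/etc/resolv.conf"
    echo "$d"
}

# Stand-alone run: report on the constructed tree, then clean it up.
demo=$(make_demo_tree)
echo "packet-filter stacks enabled in rc.conf: $(firewall_stack_count "$demo/rc.conf")"
for j in jail_ok jail_missing jail_stale; do
    echo "$j /etc/resolv.conf: $(jail_resolv_state "$demo/host" "$demo/$j")"
done
rm -rf "$demo"
```

On a real host the same functions run as `firewall_stack_count /etc/rc.conf` and `jail_resolv_state / /usr/jails/NAME` (the ezjail-style root is an assumption; substitute the jail's actual path). A "missing" or "differs" result, or a stack count above 1, is exactly the condition the reply says to clear before looking at ipnat at all.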