From: Morgan Reed
Date: Sun, 25 Nov 2012 00:19:07 +1100
Subject: Re: natd in a jail
To: freebsd-stable@freebsd.org
List-Id: Production branch of FreeBSD source code

SOLVED: Thanks all for your assistance.
SUMMARY:

- Kernel rebuilt with option IPFIREWALL and friends turned on (not necessary if your ipfw modules work; you should just be able to load them. Mine didn't, for reasons I don't really have the time or inclination to track down).

- OpenVPN configurations modified to use a specific tun device ('device tun' directive replaced with 'device tun0').

- OpenVPN configurations modified to run the following script prior to dropping privileges (via the 'up' directive): /usr/local/etc/openvpn/up.sh

---
#!/bin/sh
ipfw -q flush
ipfw nat 1 config if tun0 reset same_ports deny_in
ipfw add 500 nat 1 ip from any to any via tun0
---

This script assumes that option IPFILTER_DEFAULT_TO_ACCEPT or the equivalent sysctl frob is set; this is most probably *not* what you want to do in the "real world". Modify as needed, and be sure to set the permissions on the file appropriately, as the script will be executed by root.

A warning, though: this is a total hack. The ipfw stuff should be moved to /etc/ipfw.rules or similar and processed by ipfw at boot, but I'm not sure how it'll react if you try to do this config before the tun device is created; I expect it'll be unhappy, so you'll need to create a static tun device for OpenVPN. This is the "right" way to do things, but I'm being exceedingly lazy. The script above is a filthy hack, and potentially dangerous.

- Normal requirements for gateway operation also apply here (which essentially means set gateway_enable=YES in rc.conf on the host and all router jails).
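The following is an added example, not the poster's up.sh and not part of the original thread. It does what the post says the "right" way should look like: a static tun0 cloned at boot, the ipfw rules kept in /etc/ipfw.rules and loaded by rc.firewall, and the kernel's default-to-accept policy replaced by explicit allows around the poster's NAT rule plus a final deny. The interface names, the LAN network and the file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build a default-deny ipfw
# ruleset for a VPN router jail and install it as /etc/ipfw.rules so
# rc.firewall loads it at boot instead of an OpenVPN 'up' hook.
#
# Assumed /etc/rc.conf (interface and network names are assumptions):
#   cloned_interfaces="tun0"          # static tun0 exists before OpenVPN starts
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_nat_enable="YES"         # loads ipfw_nat; nat config lives in the rules file
#   firewall_type="/etc/ipfw.rules"
# OpenVPN is configured with 'device tun0' as in the post.
#
# Usage (as root):  sh ipfw-rules.sh install      then  ipfw -q /etc/ipfw.rules

TUN_IF="${TUN_IF:-tun0}"            # OpenVPN interface (static clone)
LAN_IF="${LAN_IF:-em0}"             # interface facing the clients being routed (assumed)
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # their address range (assumed)

# Print the ruleset in the batch syntax that 'ipfw -q <file>' consumes.
# Rule 500 is the poster's NAT rule. With the default net.inet.ip.fw.one_pass=1
# a packet is accepted after NAT, and 'deny_in' drops inbound packets on
# tun0 that have no NAT table entry, so nothing unsolicited gets forwarded.
# Everything else (loopback, the LAN side) is allowed explicitly; the rest
# hits the final logged deny instead of a kernel default-to-accept.
build_rules() {
    cat <<EOF
flush
nat 1 config if ${TUN_IF} reset same_ports deny_in
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 allow ip from ${LAN_NET} to any in via ${LAN_IF}
add 210 allow ip from any to ${LAN_NET} out via ${LAN_IF}
add 500 nat 1 ip from any to any via ${TUN_IF}
add 65000 deny log ip from any to any
EOF
}

# Refuse a ruleset that is not default-deny: the last rule must be a deny,
# and no rule may be an unconditional 'allow ip from any to any'.
check_rules() {
    tail -n 1 "$1" | grep -q '^add [0-9]* deny' || return 1
    grep -q '^add [0-9]* allow ip from any to any$' "$1" && return 1
    return 0
}

# Write the checked ruleset to a file (default /etc/ipfw.rules), mode 0600,
# for rc.firewall to load at boot. Returns non-zero and installs nothing if
# the generated ruleset fails the default-deny check.
install_rules() {
    dest="${1:-/etc/ipfw.rules}"
    tmp="$(mktemp)" || return 1
    build_rules > "$tmp"
    if ! check_rules "$tmp"; then
        rm -f "$tmp"
        echo "refusing to install a ruleset that is not default-deny" >&2
        return 1
    fi
    cp "$tmp" "$dest" && chmod 0600 "$dest" && rm -f "$tmp"
}

# Load the installed file into the running firewall (root only).
apply_rules() {
    ipfw -q "${1:-/etc/ipfw.rules}"
}

case "${1:-}" in
    install) install_rules "$2" ;;
    apply)   apply_rules "$2" ;;
esac
```

Because tun0 is cloned at boot, the 'nat 1 config if tun0' line no longer depends on OpenVPN having started; the 'reset' flag makes the NAT table follow the address OpenVPN later assigns. The script never runs ipfw unless invoked with 'apply', so it can be reviewed on any machine before being installed on the router.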