Date: Fri, 09 Jul 2010 21:58:00 +0100
From: Michael <mlmichael70@gmail.com>
To: freebsd-questions@freebsd.org
Subject: ipfw nat and jails on loopback - is it possible?
Message-ID: <4C378D58.5010404@gmail.com>
Hello.

Does anybody have a working configuration with ipfw NATed jails on the loopback interface? It simply doesn't work on my system. I cannot get any connections to the outside world from within a jail.

FreeBSD 8.0-p3 amd64 laptop connected to the internet via wlan0 (ath0) with the 192.168.1.111 address. Jail with IP 127.127.127.1 aliased on lo0.

Host system configuration:

/etc/rc.conf

    ifconfig_wlan0="WPA DHCP"
    ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
    gateway_enable="YES"
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    firewall_nat_enable="YES"
    firewall_nat_interface="wlan0"

/etc/resolve.conf

    nameserver 208.67.222.222
    nameserver 208.67.220.220

/etc/ipfw.conf

    ipfw -q -f flush
    ipfw add 00001 allow all from 127.0.0.1 to 127.0.0.1 via lo0
    ipfw add 00002 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
    ipfw nat 100 config ip 192.168.1.111
    ipfw add 00003 allow all from any to any

Jailed system configuration:

/etc/rc.conf

    network_interfaces=""

/etc/resolve.conf

    nameserver 208.67.222.222
    nameserver 208.67.220.220

Now I ssh into the jailed system (127.127.127.1). Then on the jail system I try, for example:

    host freebsd.org
    ;; connection timed out; no servers could be reached

And on the host system:

    ipfw -d show
    00001   0     0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
    00002   4   228 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
    00003 182 24627 allow ip from any to any
    65535   0     0 deny ip from any to any
    ## Dynamic rules (2):
    00002 1 57 (1s) STATE udp 127.127.127.1 58340 <-> 208.67.222.222 53
    00002 1 57 (2s) STATE udp 127.127.127.1 39870 <-> 208.67.220.220 53

So no packets got blocked, but it still doesn't work properly.

I've been trying to get it working for a couple of weeks now and I'm afraid I've just run out of ideas, so any help would be very much appreciated.

Michael