From: "masta"
Reply-To: masta@wifibsd.org
To: freebsd-hackers@freebsd.org
Date: Sun, 21 Sep 2003 16:07:54 -0500 (CDT)
Message-ID: <1132.12.238.113.137.1064178474.squirrel@mail.yazzy.org>

Mario Freitas wrote:
> Hi,
> I recently configured a jail on a FreeBSD gateway doing NAT for the
> interface alias (the jail address, say 192.168.J.J). I tried with natd
> and ipnat too.
> However there are some problems I still do not understand.
>
> First, when I added "nameserver 192.168.X.X" (the nameserver running outside
> the jail environment) to the jail, every query to the name server is
> made via the loopback interface instead of the internal interface, or
> $intif (where I have 192.168.X.X plus 192.168.J.J). Shouldn't the packet
> travel (virtually) via the $intif interface (as if the request was coming
> from any machine on the LAN)? Also, the packets are travelling through
> the loopback interface, where bind _is not_ listening :) (another weird
> behaviour?)

This is normal. Jails use the loopback interface. You should alter your
configuration accordingly.

> Second, I've tried using, unsuccessfully, many ipfw rules so any user
> inside the jail environment can establish statefully any TCP connection
> to the internet. What I do not understand is why the request does not
> (virtually) come through $intif (192.168.J.J).

Because the jail(8) uses the loopback interface.

[snip]

I seem to recall some old discussion about the roadmap for jail(8), and
somebody mentioned the consideration of a set of patches to virtualize
the entire FreeBSD network stack to facilitate the type of feature you
thought jails have, but don't.

--
masta@wifibsd.org
http://wifibsd.org
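As an added illustration (not part of the thread), an ipfw rule file that accounts for the loopback delivery the reply describes: traffic from the jail address to another address on the same host is delivered over lo0 and never appears on $intif, so rules matching it must use `via lo0`. The addresses 192.168.J.J and 192.168.X.X are the placeholders from the thread; the rule numbers, the file path and the position relative to the natd divert rule are assumptions.

```text
# /etc/ipfw.jail.rules  (constructed example; load with: ipfw -q /etc/ipfw.jail.rules)
# Placeholders from the thread: 192.168.J.J = jail address on the host,
#                               192.168.X.X = host address where BIND answers.
# Assumed: these rules are placed AFTER the "divert natd ... via $extif" rule,
# so packets are translated before an "allow" terminates rule processing.

# Jail -> local nameserver.  Destination 192.168.X.X is an address of this
# host, so the kernel loops the packet back over lo0 (seen once "out", once
# "in"); "via lo0" matches both passes.  Nothing ever crosses $intif here.
add 1000 allow udp from 192.168.J.J to 192.168.X.X 53 via lo0
add 1010 allow udp from 192.168.X.X 53 to 192.168.J.J via lo0
add 1020 allow tcp from 192.168.J.J to 192.168.X.X 53 via lo0 setup keep-state

# BIND must be configured to listen on the address 192.168.X.X (listen-on
# matches addresses, not interfaces); the loopback path then reaches it.

# Stateful outbound TCP from the jail to the Internet.  The packet leaves
# with source 192.168.J.J via $extif (not via $intif); natd rewrites it in
# the divert rule above, and the reply is matched here by check-state.
add 2000 check-state
add 2010 allow tcp from 192.168.J.J to any out setup keep-state

# Everything else from the jail is dropped and logged for review.
add 2100 deny log ip from 192.168.J.J to any
```

Confirm which path a jailed query actually takes with `ipfw -a list` (rule counters) or `tcpdump -i lo0 port 53` run on the host, before tuning rules on $intif.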