Date:      Wed, 04 Aug 2010 22:15:29 +0100
From:      Michael <mlmichael70@gmail.com>
To:        freebsd-jail@freebsd.org
Cc:        smithi@nimnet.asn.au
Subject:   Re: trouble getting Jail with IPFW+NAT to work
Message-ID:  <4C59D871.1010506@gmail.com>
In-Reply-To: <20100801021347.O34284@sola.nimnet.asn.au>
References:  <AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj@mail.gmail.com> <20100801021347.O34284@sola.nimnet.asn.au>

On 31/07/2010 17:44, Ian Smith wrote:
> On Sat, 31 Jul 2010, Rick van der Zwet wrote:
>
> But mainly, you have no nat rule for the response packets coming in on
> the outside interface, which is where they need to get mapped back to
> the internal address/es.  Generally better to not use 'via' but be more
> specific (ie clear) about direction on nat rules:
>
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
>
> $outside_addr can be 'any', if you're not routing other addresses.

I have run into some trouble using the above rules. At first it all looks
good (to me) and works fine. Here are my rules:

$cmd_nat nat 1 config reset if $if_ext log same_ports
$cmd_nat 10 add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
$cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext

The problem is that rule 20 cannot distinguish between replies to the jail
and replies to localhost. In other words, it catches answers both to the host
system and to the jailed system.

I can tell that after checking counters on rule 20. They go up even when 
I run "host freebsd.org" on localhost (host environment for jails).

Note that this problem doesn't apply to rule 10 because of the "jail"
match option. Unfortunately this rule option doesn't work for incoming
packets, i.e. this rule is not working:

$cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext jail $jail_jid

What am I missing? How can ipfw distinguish between incoming packets for 
jailed system (in which case they should be NATed) and incoming packets 
for host system (in which case they shouldn't be NATed)?

Thank you in advance.
Michael


