Date: Wed, 04 Aug 2010 22:15:29 +0100
From: Michael <mlmichael70@gmail.com>
To: freebsd-jail@freebsd.org
Cc: smithi@nimnet.asn.au
Subject: Re: trouble getting Jail with IPFW+NAT to work
Message-ID: <4C59D871.1010506@gmail.com>
In-Reply-To: <20100801021347.O34284@sola.nimnet.asn.au>
References: <AANLkTinfQrE=eRSQ1gEFQfoib=9=PC4einxBWTqFBhyj@mail.gmail.com> <20100801021347.O34284@sola.nimnet.asn.au>
On 31/07/2010 17:44, Ian Smith wrote:
> On Sat, 31 Jul 2010, Rick van der Zwet wrote:
>
> But mainly, you have no nat rule for the response packets coming in on
> the outside interface, which is where they need to get mapped back to
> the internal address/es. Generally better to not use 'via' but be more
> specific (ie clear) about direction on nat rules:
>
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
>
> $outside_addr can be 'any', if you're not routing other addresses.

I have run into some troubles using the above rules. At first it looks all good (to me) and works fine. Here are my rules:

$cmd_nat nat 1 config reset if $if_ext log same_ports
$cmd_nat 10 add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
$cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext

The problem is that rule 20 cannot distinguish between replies to the jail and replies to localhost. In other words it catches answers both to the host system and to the jailed system. I can tell that after checking counters on rule 20. They go up even when I run "host freebsd.org" on localhost (host environment for jails).

Note that this problem doesn't apply to rule 10 because of the "jail" match pattern. Unfortunately this rule option doesn't work for incoming packets, i.e. this rule is not working:

$cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext jail $jail_jid

What am I missing? How can ipfw distinguish between incoming packets for the jailed system (in which case they should be NATed) and incoming packets for the host system (in which case they shouldn't be NATed)?

Thank you in advance.

Michael
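The following is an added model of what the two rules in this message see, not code from the thread or from FreeBSD. It stands in for the ipfw nat instance with a small translation table and checks rule 10 and rule 20 against constructed host and jail DNS traffic; EXT_IP, JAIL_IP, DNS_IP and the source ports are made-up values for $if_ext's address ("me"), $jail_ip and $dns. What it shows is that both replies arrive addressed to the external address, so no address-based inbound match can separate them; the nat instance's own table is what tells a jail reply (translated back to $jail_ip) from a host reply (no table entry, passed through unchanged, which is ipfw nat's default unless deny_in is configured).

```python
"""Why an inbound 'nat ... from $dns to me in recv' rule sees host and jail
replies alike, and what the nat instance's table does with each.

Constructed example: addresses, ports and the NAT logic are a simplified
stand-in for an ipfw nat (libalias) instance, not FreeBSD code.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed values for the poster's $if_ext address ("me"), $jail_ip and $dns.
EXT_IP = "203.0.113.10"
JAIL_IP = "10.0.0.2"
DNS_IP = "198.51.100.53"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatInstance:
    """Simplified model of one 'ipfw nat N config' instance.

    same_ports: keep the inside source port on the outside when it is free.
    deny_in:    drop inbound packets with no translation-table entry
                (ipfw's default is to pass them through untranslated).
    """

    def __init__(self, ext_ip: str, same_ports: bool = True, deny_in: bool = False):
        self.ext_ip = ext_ip
        self.same_ports = same_ports
        self.deny_in = deny_in
        # (proto, ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.used_ports: Set[int] = set()

    def _pick_port(self, wanted: int) -> int:
        if self.same_ports and wanted not in self.used_ports:
            return wanted
        port = 10000
        while port in self.used_ports:
            port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, adding a table entry if needed."""
        for key, inside in self.table.items():
            if (key[0], key[2], key[3]) == (pkt.proto, pkt.dst, pkt.dport) and inside == (pkt.src, pkt.sport):
                return Packet(pkt.proto, self.ext_ip, key[1], pkt.dst, pkt.dport)
        port = self._pick_port(pkt.sport)
        self.used_ports.add(port)
        self.table[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.ext_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means the packet is dropped."""
        inside = self.table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            return None if self.deny_in else pkt  # no entry: pass through unchanged
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1])


def rule10_matches(pkt: Packet) -> bool:
    """'udp from $jail_ip to $dns out xmit $if_ext' (the jail option is not modelled)."""
    return pkt.proto == "udp" and pkt.src == JAIL_IP and pkt.dst == DNS_IP


def rule20_matches(pkt: Packet) -> bool:
    """'udp from $dns to me in recv $if_ext'; 'me' is the host's own address."""
    return pkt.proto == "udp" and pkt.src == DNS_IP and pkt.dst == EXT_IP


def simulate(deny_in: bool = False) -> dict:
    nat = NatInstance(EXT_IP, same_ports=True, deny_in=deny_in)
    # Constructed traffic: the host resolver and the jail resolver each send
    # one query to the same DNS server from different source ports.
    host_q = Packet("udp", EXT_IP, 40001, DNS_IP, 53)
    jail_q = Packet("udp", JAIL_IP, 40002, DNS_IP, 53)

    # Outbound: only the jail's query matches rule 10 and gets translated.
    host_q_wire = nat.outbound(host_q) if rule10_matches(host_q) else host_q
    jail_q_wire = nat.outbound(jail_q) if rule10_matches(jail_q) else jail_q

    # Replies go to whatever source the server saw, which is EXT_IP in both cases.
    host_r = Packet("udp", DNS_IP, 53, host_q_wire.src, host_q_wire.sport)
    jail_r = Packet("udp", DNS_IP, 53, jail_q_wire.src, jail_q_wire.sport)

    return {
        "rule20_matches_host_reply": rule20_matches(host_r),
        "rule20_matches_jail_reply": rule20_matches(jail_r),
        "host_reply_after_nat": nat.inbound(host_r) if rule20_matches(host_r) else host_r,
        "jail_reply_after_nat": nat.inbound(jail_r) if rule20_matches(jail_r) else jail_r,
    }
```

Running simulate() shows rule 20 matching both replies (the counters the message describes), the jail reply leaving the nat instance with destination JAIL_IP and the host reply leaving it untouched; simulate(deny_in=True) shows why deny_in is the wrong knob for this layout, as the host's own reply has no table entry and is dropped.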
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C59D871.1010506>