From: Michael
Date: Wed, 04 Aug 2010 22:15:29 +0100
To: freebsd-jail@freebsd.org
Cc: smithi@nimnet.asn.au
Subject: Re: trouble getting Jail with IPFW+NAT to work
Message-ID: <4C59D871.1010506@gmail.com>
In-Reply-To: <20100801021347.O34284@sola.nimnet.asn.au>

On 31/07/2010 17:44, Ian Smith wrote:
> On Sat, 31 Jul 2010, Rick van der Zwet wrote:
>
> But mainly, you have no nat rule for the response packets coming in on
> the outside interface, which is where they need to get mapped back to
> the internal address/es. Generally better to not use 'via' but be more
> specific (ie clear) about direction on nat rules:
>
> ${fwcmd} add nat 200 all from 10.0.0.0/24 to any out xmit re0
> ${fwcmd} add nat 200 all from any to ${outside_addr} in recv re0
>
> $outside_addr can be 'any', if you're not routing other addresses.

I have run into some trouble using the above rules. At first it all looks good (to me) and works fine. Here are my rules:

$cmd_nat nat 1 config reset if $if_ext log same_ports
$cmd_nat 10 add nat 1 udp from $jail_ip to $dns out xmit $if_ext jail $jail_jid
$cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext

The problem is that rule 20 cannot distinguish between replies to the jail and replies to localhost. In other words, it catches answers both to the host system and to the jailed system. I can tell that after checking the counters on rule 20: they go up even when I run "host freebsd.org" on localhost (the host environment for the jails). Note that this problem doesn't apply to rule 10 because of the "jail" match pattern. Unfortunately this rule option doesn't work for incoming packets, i.e. this rule is not working:

$cmd_nat 20 add nat 1 udp from $dns to me in recv $if_ext jail $jail_jid

What am I missing? How can ipfw distinguish between incoming packets for the jailed system (in which case they should be NATed) and incoming packets for the host system (in which case they shouldn't be NATed)?

Thank you in advance.
Michael
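One way to record the counter check Michael describes (watching which rules' counters move while only the host runs a DNS lookup), as an added example that is not from the original mail: it parses two constructed `ipfw -a show` snapshots taken before and after the test and reports the rules that were hit. The snapshot text, rule numbers, addresses and counters are made up for illustration.

```python
import re

# Constructed `ipfw -a show` output (rule number, packets, bytes, rule body),
# captured before and after running "host freebsd.org" on the host itself.
# Not from the original mail: rules, addresses and counters are invented.
BEFORE = """\
00010      5      400 nat 1 udp from 10.0.0.2 to 8.8.8.8 out xmit re0 jail 1
00020      5      620 nat 1 udp from 8.8.8.8 to me in recv re0
65535    120    16000 deny ip from any to any
"""
AFTER = """\
00010      5      400 nat 1 udp from 10.0.0.2 to 8.8.8.8 out xmit re0 jail 1
00020      7      860 nat 1 udp from 8.8.8.8 to me in recv re0
65535    120    16000 deny ip from any to any
"""

# rule number, packet counter, byte counter, then the rule body
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_counters(output):
    """Map rule number -> (packets, bytes, rule body) from `ipfw -a show` text."""
    rules = {}
    for line in output.splitlines():
        m = _LINE.match(line)
        if m:
            num, pkts, byts, body = m.groups()
            rules[int(num)] = (int(pkts), int(byts), body.strip())
    return rules

def counter_deltas(before, after):
    """Packet-count increase per rule between two snapshots; unchanged rules are omitted."""
    b, a = parse_counters(before), parse_counters(after)
    deltas = {}
    for num, (pkts, _, body) in a.items():
        old = b.get(num, (0, 0, body))[0]
        if pkts - old > 0:
            deltas[num] = (pkts - old, body)
    return deltas

def rules_hit_by_host_traffic(before, after):
    """Sorted rule numbers whose counters moved during the host-only test."""
    return sorted(counter_deltas(before, after))

if __name__ == "__main__":
    for num, (delta, body) in counter_deltas(BEFORE, AFTER).items():
        print(f"rule {num:05d}: +{delta} packets  {body}")
```

In the constructed data only rule 20 moves, which is the symptom described above: the inbound nat rule is matched by replies destined to the host, not just to the jail.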