Date: Sat, 24 Nov 2012 21:16:46 +1100
From: Morgan Reed <morgan.s.reed@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-stable@freebsd.org
Subject: Re: natd in a jail
Message-ID: <CAKnh_YsYsfXzTM-hpEYU1YFT6V1ESufS0-=aKzs6TxXaOZfMOg@mail.gmail.com>
In-Reply-To: <20121124183549.R21191@sola.nimnet.asn.au>
References: <CAKnh_YtF5f_0-vuGO0ov%2BJDKa_gxF%2Bf80-DCcfxPYyew0_ZG7Q@mail.gmail.com>
 <D0670FDB8ED04E92BD4A44BB347E786F@white>
 <CAKnh_YtaY8uMo0W=LQ8L=Ntz6j9bVv8bOkQ_xFoAtz86qLZKDA@mail.gmail.com>
 <CAKnh_YteQ8YO5HFWGeFNgZqBx6-EK0BX7uujnAoqLi-JJ-yk_g@mail.gmail.com>
 <CAKnh_Yt4TiPEgdaZQ0J=meKDP_WiUWgUwodEMBqdzCNBNcOAHQ@mail.gmail.com>
 <20121124183549.R21191@sola.nimnet.asn.au>

On Sat, Nov 24, 2012 at 7:26 PM, Ian Smith <smithi@nimnet.asn.au> wrote:
> Unless you needed to include FIREWALL_FORWARD, you really didn't need to
> build ipfw into the kernel, it's all loadable by module. No harm, but.

The ipfw_nat module was causing an instant panic at load and I was
going to have to rebuild my kernel to debug that anyway, went with the
sledgehammer approach and built it in, this box won't be doing
anything else so it's no problem.

> And with ipfw nat you won't be needing ipdivert. Again, no harm.

Yeah, I didn't think it should be necessary but something was trying
to load it from within the jails and throwing an error, probably the
natd startup script, not sure why, I might do some digging if I get
bored at some point.

> If the address of the tunX interface is fixed in the jail, you can
> specify it by IP instead of the interface in the nat setup, like:
>
> ipfw nat 1 config ip $address same_ports deny_in
> ipfw add 500 nat 1 ip from any to any via $address
>
> Your use of 'reset' in nat config makes me wonder if it's a variable
> address though? If IP varies you will need to specify the interface.

Dynamically assigned IP address, I don't control the remote end of the
tunnel, IP changes each time the tunnel connects.