Date:      Tue, 17 Jul 2012 16:47:17 +0200
From:      "Herbert J. Skuhra" <h.skuhra@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Jails on FreeBSD 9.0
Message-ID:  <CADfJ1PZfTEYFv-zHaW8rdwCaJy8VnwZx_N%2BCNgCJEzyMsuLNtg@mail.gmail.com>
In-Reply-To: <CADfJ1PaaqC6CupoWww5OXy%2BG1b6jXGadXN%2B4L63QVPmCwP2Fgg@mail.gmail.com>
References:  <87fw8yariq.wl%h.skuhra@gmail.com> <CADfJ1PYDaJ-ogJq8ewvzLk3sCjqrE0bw36grVSAn2_16dZHDhw@mail.gmail.com> <CAPd55qAiWO5eQ=KkweuWir%2BgD4C1LSSbiky2VgZwiDpwwUyJaw@mail.gmail.com> <CADfJ1Pa1dpZ5StTTrG=8KVnFNzUuK58MhLXrg4prAqq4cKLK2g@mail.gmail.com> <CAMaK76HJfvVpn8qURDoUbBVKsowgrqmO7Nv=VXrtU0Yq4VbohA@mail.gmail.com> <CADfJ1PaaqC6CupoWww5OXy%2BG1b6jXGadXN%2B4L63QVPmCwP2Fgg@mail.gmail.com>

On Tue, Jul 17, 2012 at 11:46 AM, Herbert J. Skuhra <h.skuhra@gmail.com> wrote:

> With pf:
>
> I see the packets going out/coming in on fxp0 but somehow the jail
> does not "see" them.

Running 'nc 173.194.35.177 80'

'pfctl -ss' shows:

all tcp xx.xxx.xx.xxx:54724 (192.168.1.1:30177) -> 173.194.35.177:80
    ESTABLISHED:SYN_SENT

tcpdump on pflog0 shows:

16:32:28.489495 rule 11..16777216/0(match): pass out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13114581 ecr
0], length 0
16:32:28.499804 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463073042 ecr
13114581,nop,wscale 6], length 0
16:32:28.893420 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463073436 ecr
13114581,nop,wscale 6], length 0
16:32:29.494073 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463074036 ecr
13114581,nop,wscale 6], length 0
16:32:30.695744 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463075237 ecr
13114581,nop,wscale 6], length 0
16:32:31.489462 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13117581 ecr
0], length 0
16:32:31.500226 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463076040 ecr
13114581,nop,wscale 6], length 0
16:32:33.098531 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463077639 ecr
13114581,nop,wscale 6], length 0
16:32:34.689460 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13120781 ecr
0], length 0
16:32:34.699834 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463079239 ecr
13114581,nop,wscale 6], length 0
16:32:37.889462 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,sackOK,eol], length 0
16:32:37.899648 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463082437 ecr
13114581,nop,wscale 6], length 0
16:32:37.906102 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463082444 ecr
13114581,nop,wscale 6], length 0
16:32:41.089474 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,sackOK,eol], length 0
16:32:41.100282 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463085636 ecr
13114581,nop,wscale 6], length 0
16:32:44.289462 rule 0..16777216/0(match): nat out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,sackOK,eol], length 0
16:32:44.300060 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463088834 ecr
13114581,nop,wscale 6], length 0

What's wrong?

In the meantime I've found kern/164271.

Regards,
Herbert
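
An added example, not part of the original message: a small Python parser for pflog tcpdump output in the format quoted above, which re-joins mail-wrapped records and flags handshakes where a SYN-ACK was logged inbound yet the same SYN keeps being retransmitted. The sample lines are constructed with documentation addresses, and the function and field names are this example's own.

```python
import re

# Constructed sample in the pflog format above; wrapped like a mail client wraps it.
SAMPLE = """\
16:32:28.489495 rule 11..16777216/0(match): pass out on fxp0:
203.0.113.10.54724 > 198.51.100.7.80: Flags [S], seq 3219071188, length 0
16:32:28.499804 rule 0..16777216/0(match): nat in on fxp0:
198.51.100.7.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, length 0
16:32:31.489462 rule 0..16777216/0(match): nat out on fxp0:
203.0.113.10.54724 > 198.51.100.7.80: Flags [S], seq 3219071188, length 0
16:32:31.500226 rule 0..16777216/0(match): nat in on fxp0:
198.51.100.7.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, length 0
"""

REC = re.compile(
    r"rule \S+: \w+ (?P<dir>in|out) on \S+: (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?")
TS = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")

def records(text):
    """Re-join wrapped lines: a new record starts at a timestamp."""
    rec = []
    for line in text.splitlines():
        if TS.match(line) and rec:
            yield " ".join(rec)
            rec = []
        if line.strip():
            rec.append(line.strip())
    if rec:
        yield " ".join(rec)

def stalled_handshakes(text):
    """Return flows whose SYN is sent again after a SYN-ACK was already logged."""
    flows = {}  # client initial sequence number -> counters for that handshake
    for rec in records(text):
        m = REC.search(rec)
        if m and m["dir"] == "out" and m["flags"] == "S":
            f = flows.setdefault(int(m["seq"]), {"syn": 0, "synack": 0, "late_syn": 0})
            f["syn"] += 1
            f["flow"] = f"{m['src']} > {m['dst']}"
            if f["synack"]:          # reply was on the wire, sender still retries
                f["late_syn"] += 1
        elif m and m["dir"] == "in" and m["flags"] == "S." and m["ack"]:
            f = flows.get(int(m["ack"]) - 1)  # a SYN-ACK acknowledges ISN + 1
            if f:
                f["synack"] += 1
                f["reply_dst"] = m["dst"]     # address the reply was addressed to
    return [f for f in flows.values() if f["late_syn"]]
```

A non-empty result means replies reached the interface but the originating socket never saw them; comparing `flow` with `reply_dst` shows which addresses the two directions were logged with.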


