From: Mario Freitas
Reply-To: sub_0@netcabo.pt
To: freebsd-ipfw@freebsd.org
cc: freebsd-hackers@freebsd.org
Date: Sun, 21 Sep 2003 13:53:16 +0100
Subject: jails & ipfw + nat
Message-Id: <1064148796.973.50.camel@suzy.unbreakable.homeunix.org>

Hi,

I recently configured a jail on a FreeBSD gateway doing NAT for the interface alias (the jail address, say 192.168.J.J). I tried with natd and ipnat too. However, there are some problems I still do not understand.

First, when I added "nameserver 192.168.X.X" (the nameserver running outside the jail environment) to the jail, every query to the name server is made via the loopback interface instead of the internal interface, or $intif (where I have 192.168.X.X plus 192.168.J.J). Shouldn't the packet travel (virtually) via the $intif interface (as if the request was coming from any machine on the LAN)? Also, the packets are travelling through the loopback interface, where bind _is not_ listening :) (another weird behaviour?)

Second, I've tried using, unsuccessfully, many ipfw rules so any user inside the jail environment can establish statefully any TCP connection to the internet. What I do not understand is why the request does not (virtually) come through $intif (192.168.J.J). Inside the jail, after executing "telnet www.google.com 80", "tcpdump -i $intif" (outside the jail) shows nothing, but "tcpdump -i $extif" (also outside) shows packets coming from www.google.com:80 to $extip, in both the natd and ipnat cases: ipfw logs the packet being denied, "tcp from www.google.com:80 to $extip in via $extif" (keep-state is not triggered).

Any clarification would be appreciated.

Sincerely,
-- 
Mário Freitas (sub_0@netcabo.pt)
Núcleo Português de FreeBSD (NPF)
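Added example, not from the post or the list: an rc.firewall-style ruleset generator showing an ipfw/natd ordering in which keep-state survives NAT for the jail's address. Interface names, the jail alias, the LAN prefix and the IPFW dry-run variable are assumptions; the ordering matters for the denial logged above, because the inbound divert runs before check-state, so the reply to $extip is rewritten back to the jail address before the dynamic rule is looked up.

```shell
#!/bin/sh
# Assumed names (not from the post): external/internal interfaces, the
# jail's alias address (the post's 192.168.J.J) and the LAN it lives in.
extif=${extif:-fxp0}
intif=${intif:-fxp1}
jailip=${jailip:-192.168.1.10}
lan=${lan:-192.168.1.0/24}

# Emit the ruleset, one "<number> <rule>" per line. Ordering is the point:
#  - inbound: divert (natd rewrites dst back to $jailip) BEFORE check-state
#  - outbound: keep-state is recorded on $jailip, then skipto the divert,
#    so the dynamic entry and the translated reply use the same address.
gen_rules() {
    cat <<EOF
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 divert natd ip from any to any in via $extif
00500 check-state
00600 skipto 1000 tcp from $jailip to any out via $extif setup keep-state
00700 skipto 1000 tcp from $lan to any out via $extif setup keep-state
00800 skipto 1000 udp from $lan to any 53 out via $extif keep-state
00900 deny log ip from any to any in via $extif
01000 divert natd ip from any to any out via $extif
01100 allow ip from any to any
EOF
}

# Rule number of the first rule whose text matches a pattern (empty if none).
rule_num() { gen_rules | grep -- "$1" | head -n 1 | cut -d' ' -f1; }

# Load the ruleset. IPFW may be overridden (e.g. IPFW=echo) for a dry run.
apply_rules() {
    ipfw=${IPFW:-ipfw}
    "$ipfw" -f flush
    gen_rules | while read -r num rule; do "$ipfw" -q add "$num" $rule; done
}
```

A matching check-state hit executes the parent rule's skipto, so inbound replies fall through rule 1000 (out only) to the final allow, while later outbound packets of the flow are diverted and then allowed.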