Date:      Mon, 19 Jul 2010 17:05:17 +0800
From:      Aiza <aiza21@comclark.com>
To:        Michael <mlmichael70@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw nat and jails on loopback - is it possible?
Message-ID:  <4C44154D.1060109@comclark.com>
In-Reply-To: <4C378D58.5010404@gmail.com>
References:  <4C378D58.5010404@gmail.com>

Michael wrote:
> Hello.
> 
> Does anybody have a working configuration with ipfw NATed jails on a 
> loopback interface?
> It simply doesn't work on my system. I cannot get any connections to 
> the outside world from within a jail.
> 
> FreeBSD 8.0-p3 amd64 laptop connected to internet via wlan0 (ath0) with 
> 192.168.1.111 address.
> Jail with IP 127.127.127.1 aliased on lo0.
> 
> Host system configuration:
> /etc/rc.conf
>    ifconfig_wlan0="WPA DHCP"
>    ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
>    gateway_enable="YES"
>    firewall_enable="YES"
>    firewall_script="/etc/ipfw.rules"
>    firewall_nat_enable="YES"
>    firewall_nat_interface="wlan0"
> /etc/resolve.conf
>    nameserver 208.67.222.222
>    nameserver 208.67.220.220
> /etc/ipfw.conf
>    ipfw -q -f flush
>    ipfw add 00001 allow all from 127.0.0.1 to 127.0.0.1 via lo0
>    ipfw add 00002 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
>    ipfw nat 100 config ip 192.168.1.111
>    ipfw add 00003 allow all from any to any
> 
> Jailed system configuration:
> /etc/rc.conf
>    network_interfaces=""
> /etc/resolve.conf
>    nameserver 208.67.222.222
>    nameserver 208.67.220.220
> 
> 
> Now I'm doing ssh into a jailed system (127.127.127.1). Then on jail 
> system I'm trying to do for example:
> 
> host freebsd.org
> ;; connection timed out; no servers could be reached
> 
> And on host system:
> ipfw -d show
> 00001   0     0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
> 00002   4   228 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
> 00003 182 24627 allow ip from any to any
> 65535   0     0 deny ip from any to any
> ## Dynamic rules (2):
> 00002   1    57 (1s) STATE udp 127.127.127.1 58340 <-> 208.67.222.222 53
> 00002   1    57 (2s) STATE udp 127.127.127.1 39870 <-> 208.67.220.220 53
> 
> 
> So no packets got blocked, but still it doesn't work properly. I've been 
> trying to get it working for a couple of weeks now and I'm afraid I've 
> just run out of ideas, so any help would be very much appreciated.
> 


You have to put your host's /etc/resolve.conf in each jail before you 
can get a network connection.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C44154D.1060109>
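Editor's added example, not part of the thread: the `ipfw -d show` output in the question is worth a second look before copying resolver files around. The dynamic entries are keyed on the jail's 127.127.127.1, but the DNS replies come back in via wlan0 addressed to 192.168.1.111, the address nat 100 rewrote the queries to, so they match neither the state entries nor the static `from 127.127.127.1` rule. Nothing in the posted ruleset hands inbound packets to nat 100 on the way in, so rule 3 accepts them untranslated for a host port nobody is listening on, and the catch-all allow is why the counters show nothing blocked. The script below is one way to write /etc/ipfw.rules for this kind of setup. It is not code from the thread; it assumes the interface and jail address from the post (wlan0, 127.127.127.1, both overridable through EXT_IF and JAIL_IP) and keeps the rules in a function so the ordering can be checked without loading them:

```shell
#!/bin/sh
# Added example: ipfw nat in front of a jail aliased on lo0.
# Assumed values (from the post): outside interface wlan0, jail address
# 127.127.127.1. Run with IPFW_APPLY=1 as root to load the rules;
# otherwise the script only prints them.

ext_if="${EXT_IF:-wlan0}"
jail_ip="${JAIL_IP:-127.127.127.1}"

# Emit the ruleset as ipfw(8) commands, one per line.
gen_rules() {
    cat <<EOF
/sbin/ipfw -q -f flush
# Take the public address from the interface, so a DHCP renewal does not
# leave a stale 'ip 192.168.1.111' in the nat instance.
/sbin/ipfw nat 100 config if $ext_if reset same_ports
# Host and jail traffic that never leaves the box.
/sbin/ipfw add 100 allow ip from any to any via lo0
# Replies arrive addressed to the *public* address, so they must be
# handed to the nat instance on the way in; a keep-state entry created
# on the way out (keyed on $jail_ip) never matches them.
/sbin/ipfw add 200 nat 100 ip from any to any in via $ext_if
# Only the jail's traffic is translated on the way out; the host's own
# traffic already carries the public address.
/sbin/ipfw add 300 nat 100 ip from $jail_ip to any out via $ext_if
# Anything that still carries a 127/8 source here was not translated;
# drop it rather than leak it onto the wire.
/sbin/ipfw add 400 deny log ip from 127.0.0.0/8 to any out via $ext_if
/sbin/ipfw add 500 allow ip from any to any
EOF
}

# Sanity check: the inbound nat rule must exist and be numbered before the
# catch-all allow, otherwise replies are accepted untranslated and never
# reach the jail. Returns 0 when the ruleset passes.
check_rules() {
    rules=$(gen_rules)
    in_nat=$(printf '%s\n' "$rules" | awk '/nat 100 ip from any to any in via/ {print $3}')
    catch_all=$(printf '%s\n' "$rules" | awk '/allow ip from any to any$/ {print $3}')
    [ -n "$in_nat" ] && [ -n "$catch_all" ] && [ "$in_nat" -lt "$catch_all" ]
}

if [ "${IPFW_APPLY:-0}" = 1 ]; then
    check_rules || { echo "refusing to load: inbound nat rule missing or misordered" >&2; exit 1; }
    gen_rules | /bin/sh
else
    gen_rules
fi
```

The IPFW_APPLY guard is only there so the ruleset can be reviewed offline; rc.d/ipfw runs firewall_script with no environment of its own, so for the real /etc/ipfw.rules either set IPFW_APPLY=1 at the top of the file or drop the guard. After loading, `ipfw -d show` should show the reply counters climbing on rule 200 rather than on the catch-all, and a `host` lookup from inside the jail is the end-to-end check.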