Date:      Mon, 26 Feb 2018 13:26:09 +0100
From:      Peter Ludikovsky <peter@ludikovsky.name>
To:        freebsd-questions@freebsd.org
Subject:   UDP connections from NAT'ed jails
Message-ID:  <8B3177FE-1FE5-4455-8F3C-CB5CE664B8C1@ludikovsky.name>

Hi,

I'm experimenting with jails in preparation for moving my home server
from Linux to FreeBSD. I'm doing this from within a VirtualBox VM, since
it's easier to revert to a previous state in case I break something.

My biggest issue ATM is that my first jail can't resolve any host. TCP
and ICMP packets pass without issue, but DNS requests time out. I
checked with tcpdump on both the outside interface of the VM and of the
host, and neither shows any DNS requests. Both hosts use 9.9.9.10 as the DNS
server in /etc/resolv.conf.

On the host:

    [peter@doctor ~]$ ifconfig -a
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:8f:47:bc
        hwaddr 08:00:27:8f:47:bc
        inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
    lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.5.1 netmask 0xffffff00
        inet 192.168.5.3 netmask 0xffffffff
        inet 192.168.5.4 netmask 0xffffffff
        inet 192.168.5.5 netmask 0xffffffff
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        groups: lo
    [peter@doctor ~]$ cat /usr/local/etc/ezjail/bind9
    # To specify the start up order of your ezjails, use these lines to
    # create a Jail dependency tree. See rcorder(8) for more details.
    #
    # PROVIDE: standard_ezjail
    # REQUIRE:
    # BEFORE:
    #

    export jail_bind9_hostname="bind9"
    export jail_bind9_ip="192.168.5.3"
    export jail_bind9_rootdir="/usr/jails/bind9"
    export jail_bind9_exec_start="/bin/sh /etc/rc"
    export jail_bind9_exec_stop=""
    export jail_bind9_mount_enable="YES"
    export jail_bind9_devfs_enable="YES"
    export jail_bind9_devfs_ruleset="devfsrules_jail"
    export jail_bind9_procfs_enable="YES"
    export jail_bind9_fdescfs_enable="YES"
    export jail_bind9_image=""
    export jail_bind9_imagetype="zfs"
    export jail_bind9_attachparams=""
    export jail_bind9_attachblocking=""
    export jail_bind9_forceblocking=""
    export jail_bind9_zfs_datasets=""
    export jail_bind9_cpuset=""
    export jail_bind9_fib=""
    export jail_bind9_parentzfs="data/jails"
    export jail_bind9_parameters="allow.raw_sockets=1"
    export jail_bind9_post_start_script=""
    export jail_bind9_retention_policy=""
    [peter@doctor ~]$ nc -z -w 1 pkg.freebsd.org 80; echo $?
    Connection to pkg.freebsd.org 80 port [tcp/http] succeeded!
    0
    [peter@doctor ~]$ nc -z -w 1 149.20.1.201 80 ; echo $?
    Connection to 149.20.1.201 80 port [tcp/http] succeeded!
    0
    [peter@doctor ~]$ cat /etc/pf.conf
    IP_PUB="10.0.2.15"
    IP_JAIL="192.168.5.2"
    NET_JAIL="192.168.5.0/24"
    scrub in all
    set skip on lo
    nat pass on em0 from $NET_JAIL to any -> $IP_PUB
    pass out keep state
    [peter@doctor ~]$ sudo pfctl -sn
    nat pass on em0 inet from 192.168.5.0/24 to any -> 10.0.2.15

In the jail:

    root@bind9:~ # ifconfig -a
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:8f:47:bc
        hwaddr 08:00:27:8f:47:bc
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
    lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.5.3 netmask 0xffffffff
        groups: lo
    root@bind9:~ # netstat -r
    netstat: kvm not available: /dev/mem: No such file or directory
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    192.168.5.3        link#3             UH          lo1
    root@bind9:~ # cat /etc/resolv.conf
    server 10.1.9.253
    root@bind9:~ # host pkg.freebsd.org
    ;; connection timed out; no servers could be reached
    root@bind9:~ # nc -z -w 1 pkg.freebsd.org 80 ; echo $?
    nc: getaddrinfo: hostname nor servname provided, or not known
    1
    root@bind9:~ # nc -z -w 1 149.20.1.201 80 ; echo $?
    Connection to 149.20.1.201 80 port [tcp/http] succeeded!
    0
    root@bind9:~ # ping -c3 pkg.freebsd.org
    ping: cannot resolve pkg.freebsd.org: Host name lookup failure
    root@bind9:~ # ping -c3 149.20.1.201
    PING 149.20.1.201 (149.20.1.201): 56 data bytes
    64 bytes from 149.20.1.201: icmp_seq=0 ttl=63 time=165.686 ms
    64 bytes from 149.20.1.201: icmp_seq=1 ttl=63 time=164.283 ms
    64 bytes from 149.20.1.201: icmp_seq=2 ttl=63 time=165.578 ms

    --- 149.20.1.201 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 164.283/165.182/165.686/0.637 ms

Anyone got a pointer on what's going wrong here?

Regards,
/peter
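When a jail can reach hosts by IP over TCP and ICMP but every name lookup times out, two things are worth separating before blaming NAT: whether the resolver actually has a nameserver configured (resolv.conf(5) only honours lines whose first keyword is `nameserver`; any other keyword is silently ignored), and whether a DNS question sent over UDP behaves differently from the same question sent over TCP through the NAT rule. The script below is an added diagnostic example, not code from the original mail or from FreeBSD; it parses a resolv.conf the way the resolver does and sends a hand-built A query over both transports so the two results can be compared side by side. The resolver address, the queried name and the sample resolv.conf contents are constructed inputs supplied on the command line or inline.

```python
"""Compare UDP and TCP DNS reachability from inside a jail.
Added example (not from the original mail); server and name are supplied
on the command line, the resolv.conf samples below are constructed."""
import random
import socket
import struct
import sys


def parse_resolv_conf(text):
    """Return the addresses resolv.conf(5) would actually use as nameservers.
    Only lines whose first token is 'nameserver' count; '#'/';' comments and
    unknown keywords are ignored, exactly as the libc resolver ignores them."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def build_dns_query(name, qtype=1, txid=None):
    """Build a minimal DNS query message (A record by default, class IN)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # 12-byte header: id, flags (RD set), QDCOUNT=1, AN/NS/AR = 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_dns_response(data, expected_txid):
    """Validate a response header and return (rcode, answer_count)."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return flags & 0x000F, an


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before full message")
        buf += chunk
    return buf


def probe(server, name, proto="udp", timeout=2.0, port=53):
    """Send one A query over UDP or TCP and report the outcome as a dict,
    so a UDP timeout next to a TCP success points at UDP-specific handling
    (NAT state, filtering) rather than at name resolution in general."""
    txid = random.randrange(0, 0x10000)
    query = build_dns_query(name, txid=txid)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, port))
                data, _ = s.recvfrom(4096)
        else:
            # DNS over TCP frames each message with a 2-byte length prefix
            with socket.create_connection((server, port), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)
                length = struct.unpack(">H", recv_exact(s, 2))[0]
                data = recv_exact(s, length)
        rcode, answers = parse_dns_response(data, txid)
        return {"transport": proto, "ok": True, "rcode": rcode, "answers": answers}
    except (OSError, ValueError) as exc:
        return {"transport": proto, "ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Constructed samples: the first uses a keyword the resolver does not know,
    # so it yields no nameserver at all; the second is the expected form.
    print(parse_resolv_conf("server 10.1.9.253\n"))      # []
    print(parse_resolv_conf("nameserver 9.9.9.10\n"))    # ['9.9.9.10']
    if len(sys.argv) == 3:
        srv, qname = sys.argv[1:3]
        for transport in ("udp", "tcp"):
            print(probe(srv, qname, transport))
```

Run it inside the jail as `python3 dnsprobe.py <resolver-ip> pkg.freebsd.org`; a UDP entry that reports a timeout while the TCP entry succeeds confirms that the problem is specific to UDP traffic leaving the jail, whereas an empty list from `parse_resolv_conf` on the jail's real resolv.conf means no query is ever sent in the first place.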


