From: Peter Ross
Date: Wed, 9 Jul 2014 16:24:27 +1000 (EST)
To: Peter Ross
Cc: freebsd-jail@freebsd.org
Subject: Re: vnet jail and ipfw/nat on host - keep-state problem?

P.S. I also have the following rules near the top:

    01000 check-state
    01100 allow tcp from any to any established
    01200 allow ip from any to any frag

Peter

On Wed, 9 Jul 2014, Peter Ross wrote:

> Hi all,
>
> I am setting up a host with vnet jails without a public IP.
>
> E.g. a vnet jail with a DNS server (bind) running inside.
>
> The setup:
>
>     Internet->age0(host interface with natd and external IP)
>             ->bridge10(10.0.10.254)->epair1a
>             ->epair1b(10.0.10.1 in bind vnet jail)
>
> Inside the jail I have a simple open ipfw firewall
> (ipfw allow ip4 from any to any).
>
> Here are the rules relevant to letting UDP port 53 connect from the outside world
> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53"):
>
>     00100 divert 8668 ip4 from any to any via age0
>     03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
>     03200 allow udp from any to me dst-port 53 keep-state
>
> This does not allow DNS requests from the outside; they only get returned by
> adding
>
>     03300 allow udp from me 53 to any
>
> I am pretty confident that the rules above work with "real interfaces". I
> have similar routers with ipfw/natd; there things are even more limited by
> interface rules (recv/xmit).
>
> Does this mean "keep-state" is not working properly in the mentioned vnet
> setup?
>
> Regards
> Peter