From: Fbsd8 <fbsd8@a1poweruser.com>
To: Mogamat Abrahams
Cc: freebsd-jail@freebsd.org
Date: Sun, 02 Jun 2013 13:34:46 -0400
Subject: Re: Cant reach Jailed services from internet.
Message-ID: <51AB8236.7030706@a1poweruser.com>

Mogamat Abrahams wrote:
> Joe writes:
>
>> Your 67.205.xx.xx ip address looks like a dynamic ip address that you
>> use dhcp to automatically obtain all the network configuration
>> information needed by your host. Static ip addresses don't work that
>> way. You have to manually configure the static network. If I remember
>> correctly, for a block of 3 assignable ip addresses you need a block of
>> 5 from your provider. The first and last ip address are used to config
>> the network.
>
> This address was provided and I manually configured the nic.
>
>> You never said if you have a firewall on your host. The firewall rules
>> may be dropping unsolicited inbound traffic for those 174 prefixed ip
>> addresses. Try putting a pass all log from that NIC rule or just a log
>> all rule or turn off the firewall altogether and see what happens.
>> Verify your NAT is not trying to NAT unsolicited inbound traffic for
>> those 174 prefixed ip addresses.
>
> I had no firewall installed on the machine as we were still setting up and
> usually only add firewalling last. Here is something interesting though,
> since compiling a custom kernel and including:
>
> device          pf
> device          pflog
> nooptions       sctp
> options         VIMAGE
> device          epair
> device          if_bridge
> options         NULLFS
>
> #firewall
>
> options MROUTING                     # Multicast routing
>
> options IPFIREWALL                   #firewall
> options IPFIREWALL_VERBOSE           #enable logging to syslogd(8)
> options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
> options IPFIREWALL_FORWARD           #packet destination changes
>
> options ACCEPT_FILTER_DATA
> options ACCEPT_FILTER_DNS
> options ACCEPT_FILTER_HTTP
> options ZERO_COPY_SOCKETS
>
> My JAILS now both receive and respond to traffic! This was the only change I
> remember making. Just running on firewall_type="OPEN" and have not even
> defined any other rules.
>
> So the problem seems solved, however still not sure what fixed it....!! Is
> NAT a requirement for Jail networking where the default gateway is not on
> the same subnet as the Jail?
>
> Mogamat Abrahams

It's customary to post your solution as the last post in this thread.
Since you have so many kernel options included it would be nice to know
which one really made the difference. By process of elimination:

nooptions sctp               problem was fixed in 8.1-release
device pf                    you're not using this firewall
device pflog
options ACCEPT_FILTER_DATA   These 4 have never been talked about
options ACCEPT_FILTER_DNS    before in vnet context. Not likely
options ACCEPT_FILTER_HTTP   to have any bearing on your problem.
options ZERO_COPY_SOCKETS

Since your problem was happening with both if_bridge/epair and netgraph
vnet networks it seems unlikely that

device epair
device if_bridge

compiled into the kernel has any bearing on your problem.

My money is on

options MROUTING             # Multicast routing

May I suggest you remove the above kernel options and recompile with
modules. If it works then you know what kernel option is the solution to
a vnet jail receiving inbound traffic. Then post the if_bridge/epair
commands you used to create your vnet/vimage inbound and outbound
network.

Your solution post provides an answer (solution) for people who search
the list email archives who have the same problem. Doing this is how you
repay the people who help you on this list.
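The "process of elimination" the reply asks for can be made systematic: halve the set of suspect kernel config lines, keep whichever half still lets the jail receive inbound traffic, and repeat until one line remains. The script below is an added example for this thread, not code from either poster or from FreeBSD. The candidate lines are the ones from the quoted kernel config. Two things are assumptions made for the demo: the oracle `works_with` is simulated (it declares a subset "working" when it contains `$SIMULATED_CULPRIT`, which defaults to the `options MROUTING` line the reply suspects), and `trial_conf` emits a kernel config that starts from GENERIC via `include GENERIC` and adds only the subset under test. In real use you would replace the oracle body with "write the trial config, rebuild, reboot, re-test inbound traffic", which makes each round one kernel build instead of one per option.

```sh
#!/bin/sh
# Bisect a set of kernel configuration lines to find the single line that
# makes an observable difference, e.g. a vnet jail accepting inbound traffic.
# Added example for this thread, not the poster's or FreeBSD's own code.

# Candidate lines, copied from the poster's kernel config.
CANDIDATES='nooptions sctp
device pf
device pflog
options MROUTING
device epair
device if_bridge
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_DNS
options ACCEPT_FILTER_HTTP
options ZERO_COPY_SOCKETS'

# Trial kernel config for a subset: start from GENERIC, add only the subset.
# Save the output as sys/<arch>/conf/TRIAL, build with
# "make buildkernel KERNCONF=TRIAL", reboot, then re-test inbound traffic.
trial_conf() {
    printf 'include GENERIC\nident TRIAL\n\n%s\n' "$1"
}

# Oracle: return 0 if the jail receives inbound traffic with kernel lines $1.
# For a real run, replace the body with your rebuild-and-test procedure.
# Demo assumption: the single culprit is $SIMULATED_CULPRIT, defaulting to
# the line the reply suspects.
SIMULATED_CULPRIT="${SIMULATED_CULPRIT:-options MROUTING}"
works_with() {
    printf '%s\n' "$1" | grep -qxF -- "$SIMULATED_CULPRIT"
}

# Number of lines in a newline-separated string (0 for the empty string).
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# bisect SET: halve the set each round, keeping whichever half still works.
# Prints the culprit line and returns 0; returns 1 if no single line
# explains the behaviour (two lines needed jointly, or culprit not in SET).
bisect() {
    bs_set="$1"
    bs_round=0
    while [ "$(count_lines "$bs_set")" -gt 1 ]; do
        bs_n=$(count_lines "$bs_set")
        bs_half=$(( bs_n / 2 ))
        bs_a=$(printf '%s\n' "$bs_set" | head -n "$bs_half")
        bs_b=$(printf '%s\n' "$bs_set" | tail -n "+$(( bs_half + 1 ))")
        bs_round=$(( bs_round + 1 ))
        if works_with "$bs_a"; then
            bs_set="$bs_a"
        elif works_with "$bs_b"; then
            bs_set="$bs_b"
        else
            echo "round $bs_round: neither half works alone; culprit is not a single line" >&2
            return 1
        fi
        echo "round $bs_round: narrowed to $(count_lines "$bs_set") line(s)" >&2
    done
    # A one-line set must still pass the oracle, or the culprit was never in SET.
    works_with "$bs_set" || return 1
    printf '%s\n' "$bs_set"
}

# Stand-alone demo: find the culprit and show the kernel config to confirm it.
culprit=$(bisect "$CANDIDATES")
echo "Culprit: $culprit"
echo "Confirmation config:"
trial_conf "$culprit"
```

Bisection assumes one line is responsible and that the two halves behave independently; when neither half works on its own the script stops and says so rather than guessing, which is the case where two options are needed together and the search has to be refined by hand.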