From owner-freebsd-questions@FreeBSD.ORG Tue Jul 20 20:23:34 2010
From: alexus
To: Erik Norgaard
Cc: freebsd-questions@freebsd.org
Reply-To: google@alexus.org
Date: Tue, 20 Jul 2010 16:23:32 -0400
Subject: Re: ipnat.conf - map and rdr won't work!
In-Reply-To: <4C45F0F1.7010609@locolomo.org>
References: <4C3F91CF.5090206@locolomo.org> <4C419944.8030702@locolomo.org> <4C447F7F.6020308@locolomo.org> <4C45D57F.2020506@locolomo.org> <4C45F0F1.7010609@locolomo.org>

On Tue, Jul 20, 2010 at 2:54 PM, Erik Norgaard wrote:
> On 20/07/10 20.07, alexus wrote:
>>
>> On Tue, Jul 20, 2010 at 12:57 PM, Erik Norgaard wrote:
>> plan b is to run natd, but i'd rather run ipnat especially that ipnat
>> used to work before no problem!
>
> Maybe move away from what used to work and towards what is working :)
> Whichever you prefer, just stick to one solution only.

Right, yet I still would like to know where the problem is :))

>> su-3.2# ping -c1 lama
>> PING lama (172.16.172.16): 56 data bytes
>> 64 bytes from 172.16.172.16: icmp_seq=0 ttl=64 time=0.075 ms
>>
>> --- lama ping statistics ---
>> 1 packets transmitted, 1 packets received, 0.0% packet loss
>> round-trip min/avg/max/stddev = 0.075/0.075/0.075/0.000 ms
>> su-3.2#
>>
>> ip address tells me that this is in fact jail's IP
>
> Yes and no, if you shut down your jail you should still be able to ping that
> ip as I read your snippet from your rc.conf.

You're right, I'm pinging an IP that resides on another interface and doesn't
really belong to the jail in the first place.

You asked me if I can ping the jail from the host; I don't know how else I can
test it. Pinging the IP is kind of pointless then, so I ssh in, and that
seems to be working. What else can I try?

>>> So I suppose that from your host environment you can ssh into the jail?
>>> Did ssh start up, netstat -l? From the jail, can you ping the host
>>> environment?
>>
>> su-3.2# jls
>>    JID  IP Address      Hostname                      Path
>>      1  172.16.172.16   lama                          /usr/jail/lama
>> su-3.2# jexec 1 /etc/rc.d/sshd status
>> sshd is running as pid 1085.
>> su-3.2# ps -p 1085
>>   PID  TT  STAT      TIME COMMAND
>>  1085  ??  IsJ    0:00.00 /usr/sbin/sshd
>> su-3.2#
>>
>
> OK, but you didn't check where your ssh binds.

su-3.2# netstat -tan | grep LISTEN | grep 22
tcp4       0      0 172.16.172.16.22       *.*                    LISTEN
su-3.2#

Would that be sufficient? I just don't know how else I can see ..

>> i know, i can run it that IP address as an alias on public interface,
>> but we on purpose added another NIC to be private NIC.
>
> Well, read the man jail(8):
>
> ip4.addr
>      A comma-separated list of IPv4 addresses assigned to the prison.
>      If this is set, the jail is restricted to using only these
>      address.  Any attempts to use other addresses fail, and attempts
>      to use wildcard addresses silently use the jailed address
>      instead. ...
>
> If I understand this correctly, remove the line
>
>  jail_lama_ip="172.16.172.16"
>
> from your rc.conf and your jail can then bind to port 22 on the external
> interface thus bypassing the need for nat. This is ok, since all you did was
> redirecting traffic. And the map rule shouldn't be necessary either, nor
> should the fxp interface.
>
> BR, Erik
>

I actually like this idea, I think I'm going to give that a shot... I'll let
you know how that worked out...

-- 
http://alexus.org/
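Erik's question in the thread is where the jailed sshd actually binds, and the jail(8) excerpt he quotes explains why it matters: with ip4.addr set, a wildcard bind is silently rewritten to the jail address, so a daemon that looks like it listens on *.22 ends up reachable only on 172.16.172.16 and needs the rdr rule. The script below is an added example, not code from the thread; it turns the one-off `netstat -tan | grep LISTEN | grep 22` check into a small function that extracts the bound address for a given port from netstat -an style output and classifies it as the jail IP, a wildcard, or some other address. The sample netstat lines are constructed for the example on the model of the one line alexus posted; only the 172.16.172.16.22 entry comes from the thread, the other two addresses are assumptions.

```shell
#!/bin/sh
# Added example: find and classify the listening socket for a port in
# netstat -an style output (FreeBSD prints the local socket as addr.port).

# Constructed sample output. The first line mirrors the one posted in the
# thread; the *.80 and 192.0.2.10.25 entries are made up for illustration.
SAMPLE_NETSTAT='tcp4       0      0 172.16.172.16.22       *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 192.0.2.10.25          *.*                    LISTEN'

# listen_addrs_for_port PORT
# Reads netstat -an output on stdin and prints the local address of every
# LISTEN socket bound to PORT. Field 4 is "addr.port"; because IPv4 dotted
# quads contain dots, the port is taken as the text after the last dot and
# the address is everything before it ("*" for a wildcard bind).
listen_addrs_for_port() {
    port=$1
    awk -v p="$port" '
        $NF == "LISTEN" {
            n = split($4, a, ".")
            if (a[n] == p) {
                addr = a[1]
                for (i = 2; i < n; i++) addr = addr "." a[i]
                print addr
            }
        }'
}

# classify_bind ADDR JAIL_IP
# Prints "jail" when the socket is bound to the jail address (what the
# thread's jail_lama_ip setting forces), "wildcard" for "*", and "other"
# for any further address (e.g. a host-only interface).
classify_bind() {
    addr=$1
    jail_ip=$2
    if [ "$addr" = "$jail_ip" ]; then
        echo jail
    elif [ "$addr" = "*" ]; then
        echo wildcard
    else
        echo other
    fi
}

# Stand-alone run over the constructed sample. On a real host, replace the
# printf with:  netstat -an | listen_addrs_for_port 22
for port in 22 80 25; do
    addr=$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_addrs_for_port "$port")
    echo "port $port -> $addr ($(classify_bind "$addr" 172.16.172.16))"
done
```

Run from the host, not inside the jail: inside the jail netstat only shows sockets the jail can see, and the wildcard rewrite described in jail(8) means a jailed daemon that asked for *.22 will already appear as 172.16.172.16.22 there.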