Peter Toth wrote:
I have not used natd with IPFW much, as I have always preferred PF to do
everything on the host.

I have only a wild guess - the "me" keyword in IPFW is substituted only to
the host's IPs known to itself.
The host's IPFW firewall most likely doesn't know anything about IPs
assigned to vnet interfaces inside the jail.

Vnet jails behave more like separate physical hosts.

Internet ---> [host] ------- (10.0.10.0 LAN) ------> [vnet jail]

The PF issue inside a jail is a separate problem, PF is not fully
VIMAGE/VNET aware as far as I know.

Can someone comment on these or correct me?

P



On Fri, Jul 11, 2014 at 7:11 PM, Peter Ross <peter.r...@alumni.tu-berlin.de>
wrote:

On Thu, 10 Jul 2014, Peter Toth wrote:

Hi Peter,
Try to make these changes:

net.inet.ip.forwarding=1       # Enable IP forwarding between interfaces
net.link.bridge.pfil_onlyip=0  # Only pass IP packets when pfil is enabled
net.link.bridge.pfil_bridge=0  # Packet filter on the bridge interface
net.link.bridge.pfil_member=0  # Packet filter on the member interface

You can find some info
here http://iocage.readthedocs.org/en/latest/help-no-internet.html

I've had these issues before with PF and IPFW, by default these will be
filtering on your bridge and member interfaces.

Thanks. It did not change anything.

Now, _inside_ the jail I run "ipfw allow ip from any to any".

This on the host system:

01000 check-state
01100 allow tcp from any to any established
01200 allow ip from any to any frag
00100 divert 8668 ip4 from any to any via age0
03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
03200 allow udp from any to me dst-port 53 keep-state

(with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")

If I add

03300 allow udp from me 53 to any

it works.

So it makes me think check-state isn't usable - because

03200 allow udp from any to me dst-port 53 keep-state

should cover the returning packets.

I played with your parameters but it did not help. But thanks for the idea.

Here again the setup:

Internet->age0(host interface with natd and external IP)
->bridge10(10.0.10.254)->epair1a
->epair1b(10.0.10.1 in bind vnet jail)

I wonder what kind of restrictions exist with vnet. It does not seem to
work _exactly_ as a "real" network stack (the issues with pf inside the
jail make me think of it too).

Did I find a restriction, a bug - or just that I've got it wrong?

Regards
Peter
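
To show why rule 03300 is needed, here is an added Python model of the host ruleset above; it is not code from the thread, the addresses are constructed, and it encodes my reading (an assumption, not stated by anyone in the thread) that divert rule 00100 runs before check-state 01000 in both directions, so the dynamic entry is keyed on the post-NAT jail address while the reply is checked only after natd has rewritten its source to the external IP.

```python
# Constructed model of the host ipfw ruleset from the thread. ipfw evaluates
# rules in ascending number order, so 00100 divert precedes 01000 check-state.
EXT, JAIL, CLIENT = "203.0.113.5", "10.0.10.1", "198.51.100.7"  # assumed addresses

def natd(pkt, direction):
    """natd with 'redirect_port udp 10.0.10.1:53 external.ip:53' (both directions)."""
    p = dict(pkt)
    if direction == "in" and (p["dst"], p["dport"]) == (EXT, 53):
        p["dst"] = JAIL                      # inbound: rewrite destination to the jail
    elif direction == "out" and (p["src"], p["sport"]) == (JAIL, 53):
        p["src"] = EXT                       # outbound reply: rewrite source to external IP
    return p

def run_host_ipfw(pkt, direction, dyn, rule_3300=False):
    """Return (verdict, matching rule) for one UDP packet crossing age0."""
    pkt = natd(pkt, direction)                                 # 00100 divert 8668 ip4 via age0
    key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    if key in dyn:                                             # 01000 check-state
        return "allow", 1000                                   # (1100/1200 never match UDP)
    if direction == "in" and (pkt["dst"], pkt["dport"]) == (JAIL, 53):
        dyn.add(key)                                           # 03100 ... keep-state
        return "allow", 3100
    if direction == "in" and (pkt["dst"], pkt["dport"]) == (EXT, 53):
        dyn.add(key)                                           # 03200 ... to me ... keep-state
        return "allow", 3200
    if rule_3300 and direction == "out" and (pkt["src"], pkt["sport"]) == (EXT, 53):
        return "allow", 3300                                   # 03300 allow udp from me 53 to any
    return "deny", 65535                                       # default deny

def dns_exchange(rule_3300=False):
    """One DNS query from the Internet and the jail's reply, as seen on age0."""
    dyn = set()
    query = {"src": CLIENT, "sport": 40000, "dst": EXT, "dport": 53}
    reply = {"src": JAIL, "sport": 53, "dst": CLIENT, "dport": 40000}
    # The query is translated to 10.0.10.1:53 first, so 03100 (not 03200) creates the
    # state.  The reply is translated to external.ip:53 before check-state sees it, so
    # the stored key no longer matches and only an explicit rule like 03300 can pass it.
    return run_host_ipfw(query, "in", dyn, rule_3300), run_host_ipfw(reply, "out", dyn, rule_3300)

if __name__ == "__main__":
    print("without 03300:", dns_exchange())            # query allowed, reply denied
    print("with 03300:   ", dns_exchange(rule_3300=True))
```

Moving check-state ahead of the divert rule is not a fix either: a check-state match accepts the reply immediately with its untranslated 10.0.10.1 source, so natd never sees it.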

Any firewall function that runs in the kernel will not function inside of a vnet/vimage jail.



_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail