I am trying to configure a new firewall and want to run squid in a jail but have been unsuccessful in getting outgoing NAT to work. I have previously used jails on 8.x and 10.x with traffic going both into and out of jails but I admit this is the first time I've tried to use NAT on the outgoing traffic.
I've tried attaching the jail to each of lo0, lo1 using a 127/8 address; lo1, the internal and the external interface using a dummy (RFC1918) address and the internal interface using a valid-for-my-internal-network RFC1918 address, using a NAT rule like: nat on $ext_if from $jail_subnet to any -> $ext_addr Monitoring the external interface on another host, either no packets are transmitted (for the 127/8 addresses) or the source address is the unchanged RFC1918 address unchanged. As a specific example: In rc.conf: jail_squid_ip="198.168.120.4" # Dummy address jail_squid_interface="em0" # Internal interface jail_squid_exec_start="/usr/bin/fetch -o /tmp/zzz https://223.223.223.1/"; Complete pf.conf: nat log on re0 from 192.168.120.4/32 to any -> 223.223.223.2 pass quick all (changing the /32 to /24 makes no difference). ifconfig whilst the jail is trying to start: em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO> inet 192.168.123.124 netmask 0xffffff00 broadcast 192.168.123.255 inet 198.168.120.4 netmask 0xffffffff broadcast 198.168.120.4 re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE> inet 223.223.223.2 netmask 0xfffffffc broadcast 223.223.223.3 And tcpdump on a system connected to re0 shows: 21:25:44.030983 IP 198.168.120.4.36205 > 223.223.223.1.443: Flags [S], seq 1462646452, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 712899226 ecr 0], length 0 (the source address should be 223.223.223.2). OTOH, if I use a more complete pf.conf and initiate the connection either on the host or on an "internal" box set to route through the firewall, everything works as expected. What am I doing wrong? -- Peter Jeremy
pgpHe3KFE2Zph.pgp
Description: PGP signature
