Michael wrote:
Hello.

Does anybody have a working configuration with ipfw NATed jails on a loopback interface? It simply doesn't work on my system. I cannot get any connections to the outside world from within a jail.

FreeBSD 8.0-p3 amd64 laptop connected to internet via wlan0 (ath0) with 192.168.1.111 address.
Jail with IP 127.127.127.1 aliased on lo0.

Host system configuration:
/etc/rc.conf
   ifconfig_wlan0="WPA DHCP"
   ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
   gateway_enable="YES"
   firewall_enable="YES"
   firewall_script="/etc/ipfw.rules"
   firewall_nat_enable="YES"
   firewall_nat_interface="wlan0"
/etc/resolve.conf
   nameserver 208.67.222.222
   nameserver 208.67.220.220
/etc/ipfw.conf
   ipfw -q -f flush
   ipfw add 00001 allow all from 127.0.0.1 to 127.0.0.1 via lo0
   ipfw add 00002 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
   ipfw nat 100 config ip 192.168.1.111
   ipfw add 00003 allow all from any to any

Jailed system configuration:
/etc/rc.conf
   network_interfaces=""
/etc/resolve.conf
   nameserver 208.67.222.222
   nameserver 208.67.220.220


Now I'm doing ssh into a jailed system (127.127.127.1). Then on the jail system I'm trying to do, for example:

host freebsd.org
;; connection timed out; no servers could be reached

And on host system:
ipfw -d show
00001   0     0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00002   4   228 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
00003 182 24627 allow ip from any to any
65535   0     0 deny ip from any to any
## Dynamic rules (2):
00002   1    57 (1s) STATE udp 127.127.127.1 58340 <-> 208.67.222.222 53
00002   1    57 (2s) STATE udp 127.127.127.1 39870 <-> 208.67.220.220 53


So no packets got blocked, but it still doesn't work properly. I've been trying to get it working for a couple of weeks now and I'm afraid I've just run out of ideas, so any help would be much appreciated.



You have to put your host's /etc/resolve.conf in each jail before you can get a network connection.

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"