Re: ipnat.conf - map and rdr won't work!



On Sat, Jul 17, 2010 at 7:51 AM, Erik Norgaard <norgaard@xxxxxxxxxxxx> wrote:
On 16/07/10 02.56, alexus wrote:

su-3.2# cat /etc/ipnat.rules
map fxp0 lama ->    0/32
rdr fxp0 64.52.58.58 port ssh ->    lama port ssh tcp

What's that first rule supposed to do?

provides a NAT within jail

Just guessing, try to put the rdr rule first. Another thing, the
firewall/nat may be loaded before starting the jail and thus unaware of
interfaces etc assigned to the jail.

tried switching rules - didn't help
tried restarting ipnat after everything was started

su-3.2# ifconfig
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 64.52.58.58 netmask 0xffffffe0 broadcast 64.52.58.63

Where is this? This "su-3.2" is a bit confusing, would be useful to set
your hostname to "jail" within the jail...

su-3.2 is a host environment where jail is hosted

And from within the jail, what do you see? From what I understand
172.16.172.16 is the jail IP?

from host's rc.conf

su-3.2# grep ^jail /etc/rc.conf
jail_enable="YES"
jail_lama_devfs_enable="YES"
jail_lama_hostname="lama"
jail_lama_ip="172.16.172.16"
jail_lama_rootdir="/usr/jail/lama"
jail_list="lama"
su-3.2#

this is within jail

-bash-3.2$ ifconfig
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
ether 00:19:5b:68:9b:01
inet 172.16.172.16 netmask 0xffffffff broadcast 172.16.172.16
media: Ethernet autoselect (none)
status: no carrier
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
ether 00:0f:fe:aa:f4:61
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
-bash-3.2$


I think it is typical for jails to clone the loopback interface for this
setup.

not sure what you mean by this...
if you're referring to this statement as if you thought this is the jail itself,
then this is not the jail, this is the host environment (where the jail is hosted)

Use tcpdump, you should see if your rdr/map rules work as expected. Also,
pfctl -ss and similar.

su-3.2# pfctl -ss
pfctl: /dev/pf: No such file or directory
su-3.2#

Ah, you use ipfilter?

yes, i use ipfilter & ipnat

su-3.2# grep ^ip /etc/rc.conf
ipfilter_enable="YES"
ipmon_enable="YES"
ipnat_enable="YES"
su-3.2#


i don't know how to use tcpdump, can you provide exact syntax so i can run
it?

The man-page is excellent.

tried that, unfortunately not really sure what i am doing.. still

anyone?

If nobody replies, maybe try to rephrase your question, investigate
further and provide additional information rather than just repost.

i was under the impression that i pretty much covered all bases, or at
least i thought so ... apparently not...

Honestly, I don't have a clear picture of what works and what doesn't or
where. You haven't posted your jail config from rc.conf and you could help
by making it clear when running any command that this is in the jail, jail#
this is on the hosting system hostname# and this is the client client#
etc...

BR, Erik




lama is a jail environment (see rc.conf output from earlier)
su-3.2 is a host environment

any other questions? please just ask i'll provide you with whatever
information is needed
thanks again

--
http://alexus.org/
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
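The tcpdump check Erik points at, written out as an added example that is not part of the thread: a small sh script that turns the rdr rule from ipnat.rules into the captures to run on the host. It assumes the rule layout shown in the post and resolves "lama" through a constructed table rather than /etc/hosts; the interface and addresses are the ones from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: turn the rdr rule from ipnat.rules
# into the tcpdump commands that show whether the redirect is happening.
# Assumptions: rule layout "rdr IF EXT port SVC -> HOST port SVC PROTO";
# hostnames are resolved through a constructed table instead of /etc/hosts.

svc_to_port() {                    # service name -> port number
    case "$1" in
        ssh) echo 22 ;;
        *)   echo "$1" ;;          # already numeric
    esac
}

host_to_ip() {                     # constructed stand-in for /etc/hosts
    case "$1" in
        lama) echo 172.16.172.16 ;;
        *)    echo "$1" ;;
    esac
}

# Prints two commands. On the outside interface tcpdump sees inbound
# packets before ipnat rewrites them and outbound packets after it has,
# so: command 1 should show the client's SYNs to the public address, and
# command 2 should show nothing at all if the map rule is translating the
# jail's replies; any packet it prints left the box untranslated.
rdr_to_tcpdump() {
    set -- $1
    [ "$1" = "rdr" ] && [ "$6" = "->" ] || return 1
    iface=$2; ext=$3; port=$(svc_to_port "$5")
    jail_ip=$(host_to_ip "$7"); proto=${10}
    echo "tcpdump -ni $iface '$proto and dst host $ext and dst port $port'"
    echo "tcpdump -ni $iface 'host $jail_ip'"
}

# Pair the captures with 'ipnat -l', which lists the active NAT sessions.
rdr_to_tcpdump "rdr fxp0 64.52.58.58 port ssh -> lama port ssh tcp"
```

Run the printed commands on the host while connecting from outside; a session appearing in `ipnat -l` together with an empty second capture is what a working rdr/map pair looks like.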


