please help with NATing my jails

Michael mlmichael70 at gmail.com
Mon Jul 12 10:41:34 UTC 2010


Hello.

Does anybody have a working configuration with ipfw NATed jails on a 
loopback interface?
It simply doesn't work on my system. I cannot get any connections to the 
outside world from within a jail.

FreeBSD 8.0-p3 amd64 laptop connected to the internet via wlan0 (ath0) with 
the address 192.168.1.111 obtained via DHCP.
Jail with IP 127.127.127.1 aliased on lo0.

Host system configuration:
/etc/rc.conf
    ifconfig_wlan0="WPA DHCP"
    ifconfig_lo0_alias0="inet 127.127.127.1 netmask 255.255.255.255"
    gateway_enable="YES"
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    firewall_nat_enable="YES"
    firewall_nat_interface="wlan0"
/etc/resolve.conf
    nameserver 208.67.222.222
    nameserver 208.67.220.220
/etc/ipfw.conf
    ipfw -q -f flush
    ipfw add 10 allow all from 127.0.0.1 to 127.0.0.1 via lo0
    ipfw add 20 check-state
    ipfw add 30 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
    ipfw nat 100 config ip 192.168.1.111 log
    ipfw add 40 allow all from any to any


Jailed system configuration:
/etc/rc.conf
    network_interfaces=""
/etc/resolve.conf
    nameserver 208.67.222.222
    nameserver 208.67.220.220


Now I ssh into the jailed system (127.127.127.1). Then, on the jail 
system, I try for example:

host freebsd.org
;; connection timed out; no servers could be reached


After that, on the host system, I can get some more information:

ipfw -d show
00010   0     0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00020   0     0 check-state
00030   4   204 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
00040 204 26764 allow ip from any to any
65535   0     0 deny ip from any to any
## Dynamic rules (2):
00030   1    51 (5s) STATE udp 127.127.127.1 19333 <-> 208.67.220.220 53
00030   1    51 (4s) STATE udp 127.127.127.1 37497 <-> 208.67.222.222 53

ipfw nat show
nat 100: icmp=0, udp=4, tcp=0, sctp=0, pptp=0, proto=0, frag_id=0 
frag_ptr=0 / tot=4


So no packets got blocked, but it still doesn't work properly. I have been 
struggling with this for a couple of weeks now and I'm afraid I have just 
run out of ideas, so any help would be much appreciated.
The same jail works fine with pf, so I believe it's a problem with my 
ipfw rules.

Michael
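For comparison, here is an added example of a loopback-jail NAT ruleset in the form a defender would load from firewall_script; it is not the poster's configuration and it is not from the FreeBSD project. It assumes hypothetical names (EXT_IF, JAIL_NET, IPFW, and the functions load_jail_nat_rules and has_reply_nat_rule) and reuses the post's interface and address as defaults. The point it shows is that the NAT rule must also match reply packets arriving on the external interface: those replies are addressed to the host's own IP, so a rule restricted to "from 127.127.127.1" never translates them back, which is consistent with the dynamic state and counters shown above (queries leave, nothing comes back). Setting IPFW=echo prints the commands instead of loading them, and has_reply_nat_rule checks an "ipfw show" listing for that mistake.

```shell
#!/bin/sh
# Added example (not from the mailing list post): ipfw in-kernel NAT for a
# jail aliased on lo0. Hypothetical settings with the post's values as defaults:
#   EXT_IF   external interface holding the DHCP address
#   JAIL_NET jail address(es) living on lo0
#   IPFW     ipfw binary; set IPFW=echo to print the rules without loading them
: "${IPFW:=/sbin/ipfw}"
EXT_IF="${EXT_IF:-wlan0}"
JAIL_NET="${JAIL_NET:-127.127.127.1/32}"

load_jail_nat_rules() {
    $IPFW -q -f flush
    # Bind the NAT instance to the interface, not to a fixed address, so a
    # new DHCP lease does not leave the translator pointing at a stale IP.
    $IPFW -q nat 100 config if "$EXT_IF" same_ports
    # Host <-> jail traffic stays on lo0 and needs no translation.
    $IPFW -q add 10 allow ip from any to any via lo0
    # Inbound: every packet arriving on EXT_IF is offered to the translator,
    # which rewrites only packets that belong to an existing translation.
    # This is the direction a "from 127.127.127.1 ... via wlan0" rule misses.
    $IPFW -q add 20 nat 100 ip from any to any in via "$EXT_IF"
    # Outbound: only jail-originated packets are source-translated; the
    # host's own traffic on EXT_IF passes through untouched.
    $IPFW -q add 30 nat 100 ip from "$JAIL_NET" to any out via "$EXT_IF"
    $IPFW -q add 40 allow ip from any to any
}

# Diagnostic: read an "ipfw show" style listing (file args or stdin) and
# return 0 if some nat rule can see replies, i.e. it matches "from any" and
# is not limited to the "out" direction; return 1 otherwise.
has_reply_nat_rule() {
    awk '
        / nat [0-9]+ / && / from any / && !/ out via / { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$@"
}

# Load the rules when run directly (IPFW=echo makes this a dry run).
[ "${IPFW_DRY_RUN_ONLY:-0}" = "1" ] || load_jail_nat_rules
```

Running `IPFW=echo sh ipfw.rules` prints the rule lines so they can be reviewed before loading; feeding the post's own "ipfw -d show" output to has_reply_nat_rule returns 1, because its single nat rule is restricted to the jail source address.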


