Can't reach Jailed services from internet.
Mogamat Abrahams
lists at tabits.co.za
Sun Jun 2 12:52:12 UTC 2013
Joe <fbsd8 at ...> writes:
> Your 67.205.xx.xx ip address looks like a dynamic ip address that you
> use dhcp to automatically obtain all the network configuration
> information needed by your host. Static ip addresses don't work that
> way. You have to manually configure the static network. If I remember
> correctly, for a block of 3 assignable ip addresses you need a block of
> 5 from your provider. The first and last ip address are used to config
> the network.
This address was provided and I manually configured the nic.
> You never said if you have a firewall on your host. The firewall rules
> maybe dropping unsolicited inbound traffic for those 174 prefixed ip
> addresses. Try putting a pass all log from that NIC rule or just a log
> all rule or turn off the firewall all together and see what happens.
> Verify your NAT is not trying to NAT unsolicited inbound traffic for
> those 174 prefixed ip addresses.
I had no firewall installed on the machine as we were still setting up and usually only add firewalling last. Here is something interesting though, since compiling a custom kernel and including:
device          pf
device          pflog
nooptions       sctp
options         VIMAGE
device          epair
device          if_bridge
options         NULLFS
#firewall
options         MROUTING                    # Multicast routing
options         IPFIREWALL                  # firewall
options         IPFIREWALL_VERBOSE          # enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=100 # limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT # allow everything by default
options         IPFIREWALL_FORWARD          # packet destination changes
options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_DNS
options         ACCEPT_FILTER_HTTP
options         ZERO_COPY_SOCKETS
My JAILS now both receive and respond to traffic! This was the only change I remember making. Just running on firewall_type="OPEN" and have not even defined any other rules.
So the problem seems solved, however I'm still not sure what fixed it! Is NAT a requirement for Jail networking where the default gateway is not on the same subnet as the Jail?
More information about the freebsd-jail mailing list