Can't reach jailed services from internet.

Mogamat Abrahams lists at tabits.co.za
Sun Jun 2 12:52:12 UTC 2013


Joe <fbsd8 at ...> writes:


> Your 67.205.xx.xx IP address looks like a dynamic IP address that you 
> use DHCP to automatically obtain all the network configuration 
> information needed by your host. Static IP addresses don't work that 
> way. You have to manually configure the static network. If I remember 
> correctly, for a block of 3 assignable IP addresses you need a block of 
> 5 from your provider. The first and last IP address are used to config 
> the network.
This address was provided and I manually configured the NIC. 

> You never said if you have a firewall on your host. The firewall rules 
> may be dropping unsolicited inbound traffic for those 174-prefixed IP 
> addresses. Try putting a pass all log from that NIC rule, or just a log 
> all rule, or turn off the firewall altogether and see what happens. 
> Verify your NAT is not trying to NAT unsolicited inbound traffic for 
> those 174-prefixed IP addresses.

I had no firewall installed on the machine, as we were still setting up and 
usually only add firewalling last. Here is something interesting though: 
since compiling a custom kernel and 
including:

device          pf
device          pflog
nooptions       sctp
options         VIMAGE
device          epair
device          if_bridge
options         NULLFS

#firewall

options         MROUTING                # Multicast routing

options         IPFIREWALL              #firewall
options         IPFIREWALL_VERBOSE      #enable logging to syslogd(8)
options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
options         IPFIREWALL_FORWARD      #packet destination changes

options         ACCEPT_FILTER_DATA
options         ACCEPT_FILTER_DNS
options         ACCEPT_FILTER_HTTP
options         ZERO_COPY_SOCKETS


My jails now both receive and respond to traffic! This was the only change I 
remember making. 
I am just running on firewall_type="OPEN" and have not even defined any other 
rules.

So the problem seems solved; however, I am still not sure what fixed it. Is 
NAT a requirement 
for jail networking where the default gateway is not on the same subnet as 
the jail?
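
As an added example (not part of this thread, and not FreeBSD's own rc.firewall), here is what a host like the one above could load in place of firewall_type="OPEN": a deny-by-default ipfw ruleset that still lets the jail services be reached from the internet. The interface name, the addresses (RFC 5737 test ranges) and the service ports are placeholders to be replaced with the real ones.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD's rc.firewall:
# a deny-by-default ipfw ruleset for a host whose jails sit on routable
# addresses, to use in place of firewall_type="OPEN". Load it from rc.conf with
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules.sh"
# Interface name, addresses and ports are placeholders (RFC 5737 test ranges).

EXT_IF="em0"                      # NIC that carries the host and jail addresses
HOST_IP="192.0.2.10"              # the host's own address
JAIL_WEB="198.51.100.11"          # jail running a web server
JAIL_DNS="198.51.100.12"          # jail running a resolver
ADMIN_NET="203.0.113.0/24"        # only network allowed to SSH to the host
LOCAL="${HOST_IP},${JAIL_WEB},${JAIL_DNS}"

# Print the ruleset, one ipfw command per line without the leading "ipfw".
# Keeping it in a function lets you review the rules before applying them.
emit_rules() {
    # Loopback traffic, including jail-to-jail traffic on lo0, is unrestricted;
    # loopback addresses must never appear on the wire.
    echo "add 00100 allow ip from any to any via lo0"
    echo "add 00110 deny ip from any to 127.0.0.0/8"
    echo "add 00120 deny ip from 127.0.0.0/8 to any"
    # Match packets that belong to connections already in the dynamic table.
    echo "add 00200 check-state"
    # Outbound connections from the host and the jails, with state so replies
    # are admitted without a blanket inbound allow.
    echo "add 00300 allow tcp from ${LOCAL} to any out via ${EXT_IF} setup keep-state"
    echo "add 00310 allow udp from ${LOCAL} to any out via ${EXT_IF} keep-state"
    echo "add 00320 allow icmp from ${LOCAL} to any out via ${EXT_IF} keep-state"
    # Inbound services, one rule per jail and port: only what each jail serves.
    echo "add 00400 allow tcp from any to ${JAIL_WEB} 80,443 in via ${EXT_IF} setup keep-state"
    echo "add 00410 allow udp from any to ${JAIL_DNS} 53 in via ${EXT_IF} keep-state"
    echo "add 00420 allow tcp from any to ${JAIL_DNS} 53 in via ${EXT_IF} setup keep-state"
    # Host management only from the admin network.
    echo "add 00500 allow tcp from ${ADMIN_NET} to ${HOST_IP} 22 in via ${EXT_IF} setup keep-state"
    # ICMP needed for path MTU discovery and basic diagnostics.
    echo "add 00600 allow icmp from any to any icmptypes 3,4,11"
    echo "add 00610 allow icmp from any to ${LOCAL} icmptypes 8 in via ${EXT_IF}"
    # Explicit final deny with logging, so a jail that cannot be reached shows
    # up in /var/log/security instead of vanishing silently. This also keeps
    # the ruleset deny-by-default on a kernel built with
    # IPFIREWALL_DEFAULT_TO_ACCEPT, whose built-in rule 65535 accepts everything.
    echo "add 65000 deny log ip from any to any"
}

# Flush the current rules and load the ruleset one command at a time.
# IPFW may point at a different ipfw binary if it is not at /sbin/ipfw.
apply_rules() {
    ipfw="${IPFW:-/sbin/ipfw}"
    "$ipfw" -q -f flush
    emit_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # the rule is meant to be word-split
        "$ipfw" -q $rule
    done
}

# When run by rc(8) as root on a host that has ipfw, apply the rules;
# otherwise just print them for review.
if [ "$(id -u)" -eq 0 ] && [ -x "${IPFW:-/sbin/ipfw}" ]; then
    apply_rules
else
    emit_rules
fi
```

Run it as a non-root user to print the rules for review, and check the result on the host with `ipfw -d list` (the `-d` shows the dynamic state table) while fetching a page from the web jail; a denied packet to a jail address will appear in /var/log/security because of the final `deny log` rule. The explicit rule 65000 matters on this particular kernel: with IPFIREWALL_DEFAULT_TO_ACCEPT compiled in, an empty or half-loaded ruleset leaves the host wide open, so the deny must be part of the ruleset rather than relied upon from rule 65535.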



