vnet jail and ipfw/nat on host - keep-state problem?
Peter Ross
Peter.Ross at alumni.tu-berlin.de
Wed Jul 9 06:05:37 UTC 2014
Hi all,
I am setting up a host with vnet jails without a public IP.
E.g. a vnet jail with a DNS server (bind) running inside.
The setup:
Internet->age0(host interface with natd and external IP)
->bridge10(10.0.10.254)->epair1a
->epair1b(10.0.10.1 in bind vnet jail)
Inside the jail I have a simple open ipfw firewall
(ipfw allow ip4 from any to any)
Here are the rules relevant to letting UDP port 53 connect from the outside world
(with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53")
00100 divert 8668 ip4 from any to any via age0
03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
03200 allow udp from any to me dst-port 53 keep-state
This does not allow DNS requests from the outside; they only get returned
by adding
03300 allow udp from me 53 to any
I am pretty confident that the rules above work with "real interfaces". I
have similar routers with ipfw/natd, where things are even more limited by
interface rules (recv/xmit).
Does this mean "keep-state" is not working properly in the mentioned
vnet setup?
Regards
Peter
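As an added illustration (not part of Peter's message or of any reply on the list), here is a simplified Python model of how ipfw evaluates the quoted ruleset across the four passes of one DNS query and its reply. The addresses are constructed, and only two points of ipfw semantics are assumed: natd re-injects the translated packet at the rule after the divert, and the first keep-state rule reached also consults the dynamic state table. In this model the reply, once natd has rewritten its source to the external IP on the age0 outbound pass, no longer matches the dynamic entry keyed on 10.0.10.1, so a rule like 03300 is the first one that matches it.

```python
# Simplified model of ipfw evaluation with a natd divert (assumption, not ipfw):
# natd re-injects the translated packet after the divert rule, and the first
# keep-state rule reached also checks the dynamic state table.
EXT, JAIL, CLIENT = "198.51.100.10", "10.0.10.1", "203.0.113.7"  # constructed
ME = {EXT, "10.0.10.254"}  # what ipfw's "me" resolves to on the host
def natd(pkt):
    """redirect_port udp 10.0.10.1:53 external.ip:53, both directions."""
    if pkt[2:] == (EXT, 53):
        return pkt[:2] + (JAIL, 53)  # inbound query: rewrite destination
    if pkt[:2] == (JAIL, 53):
        return (EXT, 53) + pkt[2:]   # reply: rewrite source
    return pkt

def matches(rule, pkt):
    """Static match of one rule against a (src, sport, dst, dport) tuple."""
    def addr_ok(want, have):
        return want is None or have == want or (want == "me" and have in ME)
    return (addr_ok(rule.get("src"), pkt[0]) and addr_ok(rule.get("dst"), pkt[2])
            and rule.get("sport") in (None, pkt[1]) and rule.get("dport") in (None, pkt[3]))

def run(rules, pkt, iface, state):
    """One ipfw pass for a packet seen on iface; returns 'allow' or 'deny'."""
    checked = False
    for r in rules:
        if r["action"] == "divert":
            if iface == r["via"]:
                pkt = natd(pkt)  # translated packet resumes at the next rule
            continue
        flow = frozenset({pkt[:2], pkt[2:]})  # dynamic entries match both directions
        if r.get("keep_state") and not checked:
            checked = True
            if flow in state:
                return "allow"
        if matches(r, pkt):
            if r.get("keep_state"):
                state.add(flow)
            return r["action"]
    return "deny"  # default rule 65535

RULES = [{"action": "divert", "via": "age0"},                                # 00100
         {"action": "allow", "dst": JAIL, "dport": 53, "keep_state": True},  # 03100
         {"action": "allow", "dst": "me", "dport": 53, "keep_state": True}]  # 03200
RULE_3300 = {"action": "allow", "src": "me", "sport": 53}                    # 03300
def trace(rules):
    """Verdicts for the four passes of one DNS query and its reply."""
    state, query, reply = set(), (CLIENT, 40000, EXT, 53), (JAIL, 53, CLIENT, 40000)
    return [run(rules, query, "age0", state),           # in on age0, NAT to the jail
            run(rules, natd(query), "epair1a", state),  # out towards the jail
            run(rules, reply, "epair1a", state),        # in from the jail
            run(rules, reply, "age0", state)]           # out on age0, NAT back
```

Running trace(RULES) gives allow, allow, allow, deny; appending RULE_3300 turns the last verdict into allow.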