vnet jail and ipfw/nat on host - keep-state problem?

Peter Ross Peter.Ross at alumni.tu-berlin.de
Wed Jul 9 06:43:19 UTC 2014


P.S. I also have the following rules near the top:

01000 check-state
01100 allow tcp from any to any established
01200 allow ip from any to any frag

Peter

On Wed, 9 Jul 2014, Peter Ross wrote:

> Hi all,
>
> I am setting up a host with vnet jails without a public IP.
>
> E.g. a vnet jail with a DNS server (bind) running inside.
>
> The setup:
>
> Internet->age0(host interface with natd and external IP)
> ->bridge10(10.0.10.254)->epair1a
> ->epair1b(10.0.10.1 in bind vnet jail)
>
> Inside the jail I have a simple open ipfw firewall
> (ipfw allow ip4 from any to any)
>
> Here are the rules relevant to letting UDP port 53 connect from the outside world 
> (with natd redirecting "redirect_port udp 10.0.10.1:53 external.ip:53"):
>
> 00100 divert 8668 ip4 from any to any via age0
> 03100 allow udp from any to 10.0.10.1 dst-port 53 keep-state
> 03200 allow udp from any to me dst-port 53 keep-state
>
> This does not allow DNS requests from the outside; they only get returned by 
> adding
>
> 03300 allow udp from me 53 to any
>
> I am pretty confident that the rules above work with "real interfaces". I 
> have similar routers with ipfw/natd, there things are even more limited by 
> interface rules (recv/xmit).
>
> Does this mean "keep-state" is not working properly in the mentioned vnet 
> setup?
>
> Regards
> Peter
>


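To see which addresses the host's ipfw compares at each rule, here is an added example: a small Python model of the rule walk, written for this page and not taken from the post, from FreeBSD or from natd. It runs the quoted rules over a constructed query/reply pair. The client 203.0.113.5:40000 and the external address 192.0.2.1 are made up, natd is modelled as a static redirect_port translation, dynamic rules are keyed only on the UDP endpoints, and only the two age0 passes (query in, reply out) are simulated; the bridge10/epair1a passes are left out. The posted rules are reproduced with and without rule 3300. The third ruleset, in which the state-creating rule is a skipto to a NAT-then-allow block so that a check-state hit on the reply is still passed through natd, is this example's own suggestion (rule numbers chosen here), not something from the thread.

```python
# Toy model of an ipfw rule walk with a natd divert and keep-state/check-state.
# Added example; not the poster's configuration and not ipfw code. Assumptions:
# static redirect_port NAT, state keyed on UDP endpoints only, two age0 passes.

EXTERNAL_IP = "192.0.2.1"                 # constructed: host's public IP on age0
JAIL_IP = "10.0.10.1"                     # bind vnet jail, as in the post
HOST_IPS = {EXTERNAL_IP, "10.0.10.254"}   # what ipfw's "me" matches on this host
CLIENT = ("203.0.113.5", 40000)           # constructed external DNS client

def natd(p):
    """natd -redirect_port udp 10.0.10.1:53 external.ip:53, both directions."""
    p = dict(p)
    if p["dir"] == "in" and (p["dst"], p["dport"]) == (EXTERNAL_IP, 53):
        p["dst"] = JAIL_IP
    elif p["dir"] == "out" and (p["src"], p["sport"]) == (JAIL_IP, 53):
        p["src"] = EXTERNAL_IP
    return p

def state_key(p):  # direction-independent key for the dynamic rule table
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def udp_to(dsts, port):
    return lambda p: p["proto"] == "udp" and p["dst"] in dsts and p["dport"] == port
def udp_from(srcs, port):
    return lambda p: p["proto"] == "udp" and p["src"] in srcs and p["sport"] == port
def via(iface, direction=None):
    return lambda p: p["iface"] == iface and direction in (None, p["dir"])

class Ipfw:
    # rules: (number, action, match, keep_state); action is "divert",
    # "check-state", "allow" or ("skipto", number)
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r[0])
        self.dyn = {}      # state_key -> action of the rule that created the entry
        self.trace = []

    def _index(self, number):
        return next((i for i, r in enumerate(self.rules) if r[0] >= number), len(self.rules))

    def process(self, pkt):
        """Walk the ruleset for one packet; returns (verdict, packet as it leaves)."""
        p, i = dict(pkt), 0
        while i < len(self.rules):
            num, action, match, keep = self.rules[i]
            hit = state_key(p) in self.dyn if action == "check-state" else match(p)
            if not hit:
                i += 1
                continue
            if action == "check-state":
                action, keep = self.dyn[state_key(p)], False  # run the creating rule's action
                num = f"{num} (state hit)"
            self.trace.append(f"{num} {action} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
            if keep:
                self.dyn[state_key(p)] = action
            if action == "divert":
                p, i = natd(p), i + 1      # natd re-injects the rewritten packet at the next rule
            elif action == "allow":
                return "allow", p
            else:                          # ("skipto", number)
                i = self._index(action[1])
        self.trace.append("default deny")
        return "deny", p

def posted_ruleset(with_3300=False):
    """The rules quoted in the thread, numbered as posted."""
    rules = [
        (100, "divert", via("age0"), False),
        (1000, "check-state", None, False),
        (3100, "allow", udp_to({JAIL_IP}, 53), True),
        (3200, "allow", udp_to(HOST_IPS, 53), True),
    ]
    if with_3300:
        rules.append((3300, "allow", udp_from(HOST_IPS, 53), False))
    return rules

def skipto_ruleset():
    """Assumed alternative (this example's own): the state-creating rule skips to
    a NAT-then-allow block, so a check-state hit on the reply still goes via natd."""
    return [
        (100, "divert", via("age0", "in"), False),
        (1000, "check-state", None, False),
        (3100, ("skipto", 10000), udp_to({JAIL_IP}, 53), True),
        (10000, "divert", via("age0", "out"), False),
        (10001, "allow", lambda p: True, False),
    ]

def dns_exchange(rules):
    """Query in via age0, then the jail's reply out via age0."""
    fw = Ipfw(rules)
    query = {"proto": "udp", "src": CLIENT[0], "sport": CLIENT[1],
             "dst": EXTERNAL_IP, "dport": 53, "iface": "age0", "dir": "in"}
    v_in, q = fw.process(query)
    reply = {"proto": "udp", "src": q["dst"], "sport": 53,   # bind answers from post-NAT dst
             "dst": q["src"], "dport": q["sport"], "iface": "age0", "dir": "out"}
    v_out, r = fw.process(reply)
    return {"query": v_in, "reply": v_out, "reply_src": r["src"],
            "states": [tuple(sorted(k)) for k in fw.dyn], "trace": fw.trace}

if __name__ == "__main__":
    for name, rules in (("posted", posted_ruleset()), ("posted+3300", posted_ruleset(True)),
                        ("skipto", skipto_ruleset())):
        res = dns_exchange(rules)
        print(name, res["query"], res["reply"], res["reply_src"], *res["trace"], sep="\n  ")
```

Comparing the three traces shows where the addresses diverge: with the posted ordering the reply hits rule 100 before rule 1000, so natd has already rewritten its source to 192.0.2.1:53 by the time check-state looks it up, while the dynamic entry was created for 10.0.10.1:53 on the inbound pass; the stateless rule 3300 is the only rule left that matches the translated packet. In the skipto variant the state lookup happens first and the creating rule's skipto action carries the reply into the outbound divert, so it is both matched by state and translated.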