Problem with ipfw, in-kernel NAT and port redirection to jails
Alexey Roslyakov
free at oneex.me
Sat Feb 6 08:07:13 UTC 2016
Hello.
I have the same problem when I'm trying to redirect incoming traffic into the
jailed web server.
I repeated my installation a few times on different releases; the problem
with redirected ports was there every time (except on 9.3, where the result
was random).
As a temporary solution I am using pf nat to redirect ports.
My test configuration:
/etc/rc.conf:
ifconfig_vtnet0="inet 192.168.1.18/24"
defaultrouter="192.168.1.1"
cloned_interfaces="lo1"
/etc/jail.conf:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
j1 {
path = /home/jail1;
mount.devfs;
host.hostname = j1;
interface = "lo1";
ip4.addr = 10.8.0.1;
persist;
}
rc.firewall:
ipfw nat 1 config if vtnet0 redirect_port tcp 10.8.0.1:80 80
ipfw add 500 nat 1 ip from any to 192.168.1.18 in via vtnet0
ipfw add 600 nat 1 ip from 10.8.0.1 to any out via vtnet0
ipfw add allow ip from any to any
pf.conf:
ext_if = "vtnet0"
int_if = "lo1"
jail_net = $int_if:network
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 80 -> 10.8.0.1 port 80
In the jail I tried nginx, apache24 and nc as the source for redirection. The test
file was generated with: dd if=/dev/random of=tmp.raw bs=1M count=2
On 10.1 and 10.2 there are no big differences: when using ipfw nat we
get only part of the file (I'm using curl on a different machine: curl
http://192.168.1.18/tmp.raw > /dev/null):
with nginx: Received = 33045
with apache: Received = 33092
with nc: Received = 16384
and the result seems very stable in numbers.
On 9.3:
nginx: random number of bytes received, no successful downloads
apache: random bytes received, sometimes download entire file
nc: entire file received
My virtual environment is proxmox 3.
Maybe it's related to
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=137346 or just not
properly configured ipfw nat?
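A small consistency check, added here as an example and not part of the post or of FreeBSD: it parses constructed copies of the jail.conf and rc.firewall fragments above and reports whether the ipfw redirect_port target, the inbound and outbound nat rules and the jail's ip4.addr agree. For the configuration in the post it reports nothing, which is what rules out the "not properly configured" reading as far as these three pieces go (the pf ruleset is not checked).

```python
import re

# Constructed copies of the fragments from the post, so the check runs offline.
JAIL_CONF = """
j1 {
path = /home/jail1;
interface = "lo1";
ip4.addr = 10.8.0.1;
persist;
}
"""
RC_FIREWALL = """
ipfw nat 1 config if vtnet0 redirect_port tcp 10.8.0.1:80 80
ipfw add 500 nat 1 ip from any to 192.168.1.18 in via vtnet0
ipfw add 600 nat 1 ip from 10.8.0.1 to any out via vtnet0
ipfw add allow ip from any to any
"""

def jail_addrs(text):
    """Map jail name -> ip4.addr from a jail.conf fragment."""
    return {m.group(1): m.group(2) for m in re.finditer(
        r'(\w+)\s*\{[^}]*?ip4\.addr\s*=\s*([\d.]+)', text, re.S)}

def ipfw_redirects(text):
    """redirect_port entries per 'ipfw nat N config' line: (nat, proto, ip, port, ext_port)."""
    out = []
    for m in re.finditer(r'ipfw nat (\d+) config .*', text):
        for r in re.finditer(r'redirect_port (\w+) ([\d.]+):(\d+) (\d+)', m.group(0)):
            out.append((m.group(1), r.group(1), r.group(2), int(r.group(3)), int(r.group(4))))
    return out

def ipfw_nat_rules(text):
    """'ipfw add N nat M ... in|out' rules as (nat, direction, from, to)."""
    pat = r'ipfw add \d+ nat (\d+) \w+ from (\S+) to (\S+) (in|out)'
    return [(m.group(1), m.group(4), m.group(2), m.group(3)) for m in re.finditer(pat, text)]

def check_redirects(jail_conf, rc_firewall):
    """Return findings; an empty list means redirect, nat rules and jail address agree."""
    findings, jails, rules = [], jail_addrs(jail_conf), ipfw_nat_rules(rc_firewall)
    for nat, proto, ip, port, ext in ipfw_redirects(rc_firewall):
        if ip not in jails.values():
            findings.append(f"nat {nat}: redirect target {ip} is not any jail's ip4.addr")
        if not any(n == nat and d == 'in' for n, d, _, _ in rules):
            findings.append(f"nat {nat}: no inbound 'nat {nat} ... in' rule")
        if not any(n == nat and d == 'out' and src in (ip, 'any') for n, d, src, _ in rules):
            findings.append(f"nat {nat}: no outbound nat rule covering replies from {ip}")
    return findings

if __name__ == "__main__":
    print(check_redirects(JAIL_CONF, RC_FIREWALL) or "redirect, nat rules and jail address agree")
```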