ipnat.conf - map and rdr won't work!
Erik Norgaard
norgaard at locolomo.org
Mon Jul 19 16:38:28 UTC 2010
On 19/07/10 16.46, alexus wrote:
>>>> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
>>>> pfctl -ss and similar.
>>> i don't know how to use tcpdump, can you provide exact syntax so i can run
>>> it?
>>
>> The man-page is excellent.
>
> tried that, unfortunately not really sure what am i doing.. still
Can't help you more, really; you need to investigate where packets are
dropped. tcpdump is a great tool and the man-page is excellent, I can't
explain it better. If you don't like tcpdump then use any other packet
sniffing tool at hand, snort for example.
Can packets get dropped because of your firewall default policy? For
stealth it may be set to simply drop packets, which results in a
connection time-out rather than a TCP-RST being sent.
Do packets get dropped because of nat on the way in? or on the way out?
What if you just disable ipnat? What if you flush the firewall rules?
(disconnect from the Internet first)
Do you have any logs in the jail that indicate that the first packet is
actually received? Does your firewall log connections? If not, see how you
can enable logs on all rules to get more information.
Can you connect out from the jail, to external servers? only to the jail
hosting server? Did the jail's ssh log tell anything?
You wrote you can connect with ssh from the hosting server to the jail,
but that it took a long time; did you investigate this? Is there some DNS
issue that times out and causes the connection to fail?
Can you ping your jail? Can you ping out? Default route is configured?
There are tons of tests you can do to figure out what's failing.
BR, Erik
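To make the "where do packets get dropped" investigation above concrete, here is an added helper that is not part of Erik's message nor of the FreeBSD or ipfilter tools. It reads the text output of two captures, `tcpdump -ni <ext_if> port 2222` on the external interface and `tcpdump -ni <int_if>` on the interface carrying the jail address, and reports which leg of the redirected TCP handshake is missing: the client SYN never arriving on the outside, the SYN not being rewritten by the rdr rule, the jail never answering, or the jail's SYN-ACK not being translated back on the way out. The addresses 192.0.2.10:2222 (public socket), 10.0.0.5:22 (jail sshd) and 198.51.100.7 (client), the rdr rule in the comment, and the assumption that the jail address sits on a separate internal interface (so the post-rdr packet can be captured there) are all constructed for this example.

```python
"""Classify where an ipnat-redirected TCP handshake dies, from tcpdump text.

Assumed (hypothetical) ipnat.conf rule under test:
    rdr em0 192.0.2.10/32 port 2222 -> 10.0.0.5 port 22 tcp
Captures: one from the external interface (pre-rdr inbound, post-map outbound)
and one from the internal interface that carries the jail address.
"""
import re
from typing import Iterable, List, NamedTuple

# Matches the default `tcpdump -n` text for IPv4 TCP, e.g.
# "16:38:28.1 IP 198.51.100.7.54321 > 192.0.2.10.2222: Flags [S], seq 1, win 65535, length 0"
_PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    @property
    def syn(self) -> bool:          # tcpdump prints a bare SYN as "[S]"
        return "S" in self.flags and "." not in self.flags

    @property
    def synack(self) -> bool:       # and SYN+ACK as "[S.]" ("." is ACK)
        return "S" in self.flags and "." in self.flags


def parse_tcpdump(lines: Iterable[str]) -> List[Pkt]:
    """Extract (src, sport, dst, dport, flags) from tcpdump -n TCP lines; skips the rest."""
    pkts = []
    for line in lines:
        m = _PKT_RE.search(line)
        if m:
            pkts.append(Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def diagnose(outside, inside, ext_ip, ext_port, jail_ip, jail_port) -> str:
    """Walk the four legs of a redirected handshake and name the first one that is missing."""
    out, ins = parse_tcpdump(outside), parse_tcpdump(inside)

    # Leg 1: the client's SYN reaches the external interface addressed to the public socket.
    arrivals = [p for p in out if p.syn and p.dst == ext_ip and p.dport == ext_port]
    if not arrivals:
        return "no-syn-on-outside"          # upstream problem, not NAT
    clients = {(p.src, p.sport) for p in arrivals}

    # Leg 2: the same SYN, rewritten by rdr, appears on the inside addressed to the jail.
    if not any(p.syn and (p.src, p.sport) in clients and p.dst == jail_ip and p.dport == jail_port
               for p in ins):
        return "rdr-not-applied"            # rule does not match, or dropped on the way in

    # Leg 3: the jail answers with a SYN-ACK (service listening, jail routing/firewall OK).
    if not any(p.synack and p.src == jail_ip and p.sport == jail_port and (p.dst, p.dport) in clients
               for p in ins):
        return "no-reply-from-jail"         # nothing listening, or jail default route/firewall

    # Leg 4: the SYN-ACK leaves the external interface re-translated to the public socket.
    if not any(p.synack and p.src == ext_ip and p.sport == ext_port and (p.dst, p.dport) in clients
               for p in out):
        return "reply-not-translated"       # dropped or untranslated on the way out
    return "handshake-ok"


# Constructed sample captures (not real traffic): client 198.51.100.7 connects to
# 192.0.2.10:2222, which rdr should deliver to the jail at 10.0.0.5:22.
EXT_IP, EXT_PORT, JAIL_IP, JAIL_PORT = "192.0.2.10", 2222, "10.0.0.5", 22

OUTSIDE_OK = [
    "16:38:28.000001 IP 198.51.100.7.54321 > 192.0.2.10.2222: Flags [S], seq 1, win 65535, length 0",
    "16:38:28.000300 IP 192.0.2.10.2222 > 198.51.100.7.54321: Flags [S.], seq 9, ack 2, win 65535, length 0",
]
INSIDE_OK = [
    "16:38:28.000100 IP 198.51.100.7.54321 > 10.0.0.5.22: Flags [S], seq 1, win 65535, length 0",
    "16:38:28.000200 IP 10.0.0.5.22 > 198.51.100.7.54321: Flags [S.], seq 9, ack 2, win 65535, length 0",
]
# Broken case: the SYN hits the outside but nothing is ever seen on the inside.
OUTSIDE_BROKEN, INSIDE_BROKEN = OUTSIDE_OK[:1], []

if __name__ == "__main__":
    print("working setup :", diagnose(OUTSIDE_OK, INSIDE_OK, EXT_IP, EXT_PORT, JAIL_IP, JAIL_PORT))
    print("rdr not applied:", diagnose(OUTSIDE_BROKEN, INSIDE_BROKEN, EXT_IP, EXT_PORT, JAIL_IP, JAIL_PORT))
```

Feed it the saved output of the two tcpdump runs (one connection attempt at a time keeps the captures readable); "no-reply-from-jail" points at the jail's sshd, default route or firewall, while "reply-not-translated" points at the outbound side of ipnat or a default-drop policy, which is the split Erik asks about.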