Unable to use pf(4) NAT with jail on 9.2-RELEASE
Peter Jeremy
peter at rulingia.com
Mon Oct 14 10:39:14 UTC 2013
I am trying to configure a new firewall and want to run squid in a jail
but have been unsuccessful in getting outgoing NAT to work. I have
previously used jails on 8.x and 10.x with traffic going both into and
out of jails but I admit this is the first time I've tried to use NAT
on the outgoing traffic.
I've tried attaching the jail to each of lo0, lo1 using a 127/8 address;
lo1, the internal and the external interface using a dummy (RFC1918)
address and the internal interface using a valid-for-my-internal-network
RFC1918 address, using a NAT rule like:
nat on $ext_if from $jail_subnet to any -> $ext_addr
Monitoring the external interface on another host, either no packets are
transmitted (for the 127/8 addresses) or the source address is the
unchanged RFC1918 address.
As a specific example:
In rc.conf:
jail_squid_ip="198.168.120.4" # Dummy address
jail_squid_interface="em0" # Internal interface
jail_squid_exec_start="/usr/bin/fetch -o /tmp/zzz https://223.223.223.1/"
Complete pf.conf:
nat log on re0 from 192.168.120.4/32 to any -> 223.223.223.2
pass quick all
(changing the /32 to /24 makes no difference).
ifconfig whilst the jail is trying to start:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
inet 192.168.123.124 netmask 0xffffff00 broadcast 192.168.123.255
inet 198.168.120.4 netmask 0xffffffff broadcast 198.168.120.4
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
inet 223.223.223.2 netmask 0xfffffffc broadcast 223.223.223.3
And tcpdump on a system connected to re0 shows:
21:25:44.030983 IP 198.168.120.4.36205 > 223.223.223.1.443: Flags [S], seq 1462646452, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 712899226 ecr 0], length 0
(the source address should be 223.223.223.2).
OTOH, if I use a more complete pf.conf and initiate the connection either
on the host or on an "internal" box set to route through the firewall,
everything works as expected.
What am I doing wrong?
--
Peter Jeremy
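As an added illustration (not part of the post, nor FreeBSD code), a small Python check that a defender can run over rc.conf and pf.conf to confirm that every jail address falls inside the source network of some nat rule; an address that no rule matches leaves the external interface untranslated, which is the symptom the tcpdump line above shows. The input is the configuration quoted in the message; the handling of pf.conf macros and of the rc.conf "iface|addr/prefix" form is assumed from the documented syntax of those files.

```python
import re
import ipaddress

# Configuration quoted in the message above, used here as the check's input.
RC_CONF = '''
jail_squid_ip="198.168.120.4" # Dummy address
jail_squid_interface="em0" # Internal interface
'''
PF_CONF = '''
nat log on re0 from 192.168.120.4/32 to any -> 223.223.223.2
pass quick all
'''

JAIL_IP_RE = re.compile(r'^\s*jail_(\w+)_ip="([^"]+)"')
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]+?)"?\s*$')
NAT_RE = re.compile(r'^nat\b.*?\bfrom\s+(\S+)\s+to\s+\S+.*?->\s*(\S+)')


def jail_ips(rc_conf):
    """Map jail name -> bare IPv4 address from jail_<name>_ip="..." lines.
    rc.conf also allows the "iface|addr/prefix" form; reduce it to addr."""
    ips = {}
    for line in rc_conf.splitlines():
        if m := JAIL_IP_RE.match(line):
            ips[m.group(1)] = m.group(2).split('|')[-1].split('/')[0]
    return ips


def nat_sources(pf_conf):
    """Source networks of all nat rules, with $macro references expanded."""
    macros, nets = {}, []
    for raw in pf_conf.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if m := MACRO_RE.match(line):               # name = "value"
            macros[m.group(1)] = m.group(2).strip()
        elif m := NAT_RE.match(line):
            src = m.group(1)
            if src.startswith('$'):                 # expand $macro, if defined
                src = macros.get(src[1:], src)
            if src != 'any':
                nets.append(ipaddress.ip_network(src, strict=False))
    return nets


def uncovered_jails(rc_conf, pf_conf):
    """Jails whose address no nat rule's source network matches: their
    packets leave the external interface with the jail address untranslated."""
    nets = nat_sources(pf_conf)
    return {name: ip for name, ip in jail_ips(rc_conf).items()
            if not any(ipaddress.ip_address(ip) in net for net in nets)}
```

Calling `uncovered_jails(RC_CONF, PF_CONF)` reports any jail whose address the nat rules never match, so the check can be dropped into a pre-deploy script for a firewall host.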