ipnat.conf - map and rdr won't work!

Erik Norgaard norgaard at locolomo.org
Thu Jul 15 22:55:17 UTC 2010

On 15/07/10 21.17, alexus wrote:
> On Wed, Jul 14, 2010 at 10:32 PM, alexus<alexus at gmail.com>  wrote:
>> I can't put my mind around it, before reboot I was able to ssh in from
>> outside to my jail and right now I can't!

What did you change?

>> su-3.2# cat /etc/ipnat.rules
>> map fxp0 lama ->  0/32
>> rdr fxp0 port ssh ->  lama port ssh tcp

What's that first rule supposed to do?

>> su-3.2# grep lama /etc/hosts
>>           lama

>> su-3.2# ifconfig
>> 0 mtu 1500
>>         options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
>>         ether 00:19:5b:68:9b:01
>>         inet netmask 0xffffffff broadcast
>>         media: Ethernet autoselect (none)
>>         status: no carrier
>> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>  metric 0 mtu 1500
>>         options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
>>         ether 00:0f:fe:aa:f4:61
>>         inet netmask 0xffffffe0 broadcast
>>         media: Ethernet autoselect (100baseTX<full-duplex>)
>>         status: active

Where is this? this "su-3.2" is a bit confusing, would be useful to set 
your hostname to "jail" within the jail...

I think it is typical for jails to clone the loopback interface for this 

>> su-3.2# jls
>>    JID  IP Address      Hostname                      Path
>>      1   lama                          /usr/jail/lama
>> and this is me from outside trying to ssh to my box and getting time out...
>> mp:~ alexus$ ssh -v jothost.com
>> OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
>> debug1: Reading configuration data /etc/ssh_config
>> debug1: Connecting to jothost.com [] port 22.
>> debug1: connect to address port 22: Operation timed out
>> ssh: connect to host jothost.com port 22: Operation timed out

Use tcpdump, you should see if your rdr/map rules work as expected. 
Also, pfctl -ss and similar.

Can you ssh from the host system to the jail?

> anyone?

If nobody replies, maybe try to rephrase your question, investigate 
further and provide additional information rather than just repost.

BR, Erik

More information about the freebsd-questions mailing list