ipnat.conf - map and rdr won't work!

alexus alexus at gmail.com
Mon Jul 19 14:46:14 UTC 2010

On Sat, Jul 17, 2010 at 7:51 AM, Erik Norgaard <norgaard at locolomo.org> wrote:
> On 16/07/10 02.56, alexus wrote:
>>>>> su-3.2# cat /etc/ipnat.rules
>>>>> map fxp0 lama ->    0/32
>>>>> rdr fxp0 port ssh ->    lama port ssh tcp
>>> What's that first rule supposed to do?
>> provides a NAT within jail
> Just guessing, try to put the rdr rule first. Another thing, the
> firewall/nat may be loaded before starting the jail and thus unaware of
> interfaces etc assigned to the jail.

tried switching rules - didn't help
tried restarting ipnat after everything is started

>>>>> su-3.2# ifconfig
>>>>>  metric
>>>>> 0 mtu 1500
>>>>>        inet netmask 0xffffffff broadcast
>>>>> fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>    metric 0
>>>>> mtu
>>>>> 1500
>>>>>        inet netmask 0xffffffe0 broadcast
>>> Where is this? This "su-3.2" is a bit confusing, it would be useful to set
>>> your hostname to "jail" within the jail...
>> su-3.2 is a host environment where jail is hosted
> And from within the jail, what do you see? From what I understand
> is the jail IP?

from host's rc.conf

su-3.2# grep ^jail /etc/rc.conf

this is within jail

-bash-3.2$ ifconfig
0 mtu 1500
	ether 00:19:5b:68:9b:01
	inet netmask 0xffffffff broadcast
	media: Ethernet autoselect (none)
	status: no carrier
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:0f:fe:aa:f4:61
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384

>>> I think it is typical for jails to clone the loopback interface for this
>>> setup.
>> not sure what you mean by this...
>> if you are referring to this statement as if you thought this is the jail itself,
>> then this is not the jail, this is the host environment (where the jail is hosted)
>>> Use tcpdump, you should see if your rdr/map rules work as expected. Also,
>>> pfctl -ss and similar.
>> su-3.2# pfctl -ss
>> pfctl: /dev/pf: No such file or directory
>> su-3.2#
> Ah, you use ipfilter?

yes, I use ipfilter & ipnat

su-3.2# grep ^ip /etc/rc.conf

>> i don't know how to use tcpdump, can you provide exact syntax so i can run
>> it?
> The man-page is excellent.

tried that, unfortunately I'm still not really sure what I am doing...

>>> anyone?
>>> If nobody replies, maybe try to rephrase your question, investigate
>>> further
>>> and provide additional information rather than just repost.
>> I was under the impression that I had pretty much covered all bases, or at
>> least I thought so ... apparently not...
> Honestly, I don't have a clear picture of what works and what doesn't or
> where. You haven't posted your jail config from rc.conf and you could help
> by making it clear when running any command that this is in the jail, jail#
> this is on the hosting system hostname# and this is the client client#
> etc...
> BR, Erik

lama is a jail environment (see rc.conf output from earlier)
su-3.2 is a host environment

any other questions? please just ask, I'll provide you with whatever
information is needed
thanks again
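An added sanity-check script, not part of this thread and not IPFilter's own tooling, built around the diagnostics Erik suggested (rule order, listing active translations, tcpdump on the outside interface). The interface name fxp0 and the jail name lama are the ones from the thread; the rule text embedded below is a constructed copy of the two posted rules, and whether rdr-before-map order matters for this setup is, as Erik says, a guess the check merely reports on.

```shell
#!/bin/sh
# Added example (not from the thread): checks for an IPFilter/ipnat setup
# in front of a FreeBSD jail. fxp0 and lama come from the thread; the rule
# text is a constructed copy of the two rules posted there.

# Constructed copy of the posted rules, in the order they were posted.
RULES_AS_POSTED='map fxp0 lama -> 0/32
rdr fxp0 port ssh -> lama port ssh tcp'

# The same rules with rdr first, the order Erik suggested trying.
RULES_RDR_FIRST='rdr fxp0 port ssh -> lama port ssh tcp
map fxp0 lama -> 0/32'

# Return 0 when no rdr rule appears after a map rule, 1 otherwise.
# Comments and blank lines are skipped; ipnat reads rules in file order.
rdr_before_map() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "map" { seen_map = 1 }
        $1 == "rdr" && seen_map { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Print each interface named by a map or rdr rule, once.
rule_interfaces() {
    printf '%s\n' "$1" | awk '$1 == "map" || $1 == "rdr" { print $2 }' | sort -u
}

# Print any rule interface that ifconfig on this system does not know;
# Erik's point was that NAT may load before the jail's addresses exist.
missing_interfaces() {
    for ifn in $(rule_interfaces "$1"); do
        ifconfig "$ifn" >/dev/null 2>&1 || echo "$ifn"
    done
}

# Live check on the host (root): list loaded rules and active translations,
# then watch ssh traffic on the outside interface while a client connects.
# Not run by the checks below; call it by hand on the host.
watch_nat() {
    ifn=${1:-fxp0}
    ipnat -l
    tcpdump -n -i "$ifn" 'tcp port 22'
}

# Stand-alone run: report the order check on both constructed rule sets.
report() {
    if rdr_before_map "$2"; then
        echo "$1: rdr precedes map"
    else
        echo "$1: a map rule precedes an rdr rule"
    fi
}
report "as posted" "$RULES_AS_POSTED"
report "rdr first" "$RULES_RDR_FIRST"
```

Run it as-is to see the order report; on the host, `missing_interfaces "$(cat /etc/ipnat.rules)"` lists rule interfaces ifconfig cannot find, and `watch_nat fxp0` shows whether ssh packets arrive on fxp0 and which translations ipnat currently holds.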
