natd in a jail

Morgan Reed morgan.s.reed at
Sat Nov 24 10:17:08 UTC 2012

On Sat, Nov 24, 2012 at 7:26 PM, Ian Smith <smithi at> wrote:
> Unless you needed to include FIREWALL_FORWARD, you really didn't need to
> build ipfw into the kernel, it's all loadable by module.  No harm, but.

The ipfw_nat module was causing an instant panic at load and I was
going to have to rebuild my kernel to debug that anyway, went with the
sledgehammer approach and built it in, this box won't be doing
anything else so it's no problem.

> And with ipfw nat you won't be needing ipdivert.  Again, no harm.

Yeah, I didn't think it should be necessary but something was trying
to load it from within the jails and throwing an error, probably the
natd startup script, not sure why, I might do some digging if I get
bored at some point.

> If the address of the tunX interface is fixed in the jail, you can
> specify it by IP instead of the interface in the nat setup, like:
>         ipfw nat 1 config ip $address same_ports deny_in
>         ipfw add 500 nat 1 ip from any to any via $address
> Your use of 'reset' in nat config makes me wonder if it's a variable
> address though?  If IP varies you will need to specify the interface.

Dynamically assigned IP address, I don't control the remote end of the
tunnel, IP changes each time the tunnel connects.
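The two nat setups discussed above (fixed address vs. dynamically assigned tunnel address), as an added example rather than anything posted in the thread; the instance number, interface name `tun0` and rule number 500 are assumed, and the script only prints the rules, it does not run ipfw.

```shell
#!/bin/sh
# Added example: emit ipfw nat rules for a jail whose outbound interface
# is a tunX. With a known address we key the nat on the IP (Ian's form);
# with a dynamically assigned address we key it on the interface and add
# 'reset' so the translation table is flushed when the address changes.

# gen_nat_rules INSTANCE IFACE [ADDRESS]
#   ADDRESS given  -> nat keyed on the fixed IP
#   ADDRESS absent -> nat keyed on the interface, with 'reset'
gen_nat_rules() {
    inst="$1"; iface="$2"; addr="$3"
    if [ -n "$addr" ]; then
        printf 'ipfw nat %s config ip %s same_ports deny_in\n' "$inst" "$addr"
        printf 'ipfw add 500 nat %s ip from any to any via %s\n' "$inst" "$addr"
    else
        printf 'ipfw nat %s config if %s reset same_ports deny_in\n' "$inst" "$iface"
        printf 'ipfw add 500 nat %s ip from any to any via %s\n' "$inst" "$iface"
    fi
}

# Dynamic tunnel address, the case described in the thread (tun0 assumed).
gen_nat_rules 1 tun0
```

Review the printed rules and feed them to sh (or paste them into your ipfw script) once they match your jail's interface.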

More information about the freebsd-stable mailing list