Date: Fri, 23 Jul 2021 20:22:51 +0200
From: Michael Gmelin
To: Jacques Foucry
Cc: Michael Gmelin, freebsd-questions@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: iocage, vnet jail does not go outside
Message-ID: <20210723202251.708ac906@bsd64.grem.de>
References: <20210723195142.77b668f1@bsd64.grem.de>
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
On Fri, 23 Jul 2021 20:04:41 +0200
Jacques Foucry wrote:

> On Friday 23 Jul. 2021 at 19:51:42 (+0200), Michael Gmelin wrote:
> 
> Hello Michael,
> 
> > You need to enable some sort of NAT at your end, e.g. using pf.
> > Traffic is leaving your host on a private IP.
> 
> 
> I forgot to post the part of my pf.conf, you're right. I enabled a NAT
> (maybe in a wrong way):
> 
> ext_if = em0
> int_if = "{lo0 lo1}"
> bridge_if = bridge0
> 
> icmp_types="{ echoreq, unreach }"
> 
> # ok loopback
> set skip on lo0
> set skip on lo1
> #set skip on bridge0
> 
> # define jails
> jails_net = "{192.168.12.0/24 10.0.10.0/24 2a01:4f9:4a:1fd8::/64}"
> 
> …
> 
> # nat
> nat on $ext_if from $jails_net to any -> $ext_if
> 
> …
> 
> # ExampleJail
> rdr on $ext_if inet proto tcp from any to $ext_if port $examplejail_ports -> $examplejail_v4
> rdr on $ext_if inet6 proto tcp from any to $ext_if port $examplejail_ports -> $examplejail_v6
> 
> …
> 
> pass in log quick on $ext_if proto tcp from any to $examplejail_v4 port $examplejail_ports flags S/SA keep state
> pass in log quick on $ext_if proto tcp from any to $examplejail_v6 port $examplejail_ports
> 
> …
> 
> # Allow icmp
> pass in inet proto icmp all icmp-type $icmp_types
> #IPv6 - pass in/out all IPv6 ICMP traffic
> pass in quick proto icmp6 Allow
> 
> 
> 
> Is there something wrong or missing? I was guessing that the NAT is
> correct because I can connect from outside (IPv4 and IPv6) to this
> jail.
> 
> 
> Thanks again for your time.
There's one thing on your bridge that looks wrong:

> bridge0: flags=8843 metric 0 mtu 1500
>         description: jails-bridge
>         ether 58:9c:fc:10:ed:66
>         inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: vnet0.655 flags=143
>                 ifmaxaddr 0 port 6 priority 128 path cost 2000
>         member: em0 flags=143
>                 ifmaxaddr 0 port 1 priority 128 path cost 20000
>         groups: bridge
>         nd6 options=9

em0 shouldn't be part of the bridge, as you don't want to bridge with
your uplink, but NAT to it. So try

  ifconfig bridge0 deletem em0

Once done, you might need to enable ip forwarding (if it isn't enabled
already).

  service gateway enable
  sysctl net.inet.ip.forwarding=1

-m

-- 
Michael Gmelin
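The two conditions the reply checks by eye (is the uplink a bridge member, is IP forwarding on) can be checked mechanically. The script below is an added example and not part of the thread; the function names, the constructed ifconfig/sysctl samples and the "vnet0.655"/"em0" layout are assumptions modelled on the poster's output. On a FreeBSD host the same functions can be fed the live output of `ifconfig bridge0` and `sysctl net.inet.ip.forwarding` instead of the samples.

```sh
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Sanity checks for a vnet-jail gateway: the jail bridge must not contain the
# uplink interface (traffic is NATed to it, not bridged), and IP forwarding
# must be enabled so the host routes between the bridge and the uplink.

# Constructed sample: the poster's bridge, with the uplink em0 wrongly a member.
SAMPLE_BRIDGE_BAD='bridge0: flags=8843 metric 0 mtu 1500
        description: jails-bridge
        ether 58:9c:fc:10:ed:66
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        member: vnet0.655 flags=143
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        member: em0 flags=143
                ifmaxaddr 0 port 1 priority 128 path cost 20000
        groups: bridge'

# Constructed sample: the same bridge after "ifconfig bridge0 deletem em0".
SAMPLE_BRIDGE_GOOD='bridge0: flags=8843 metric 0 mtu 1500
        description: jails-bridge
        inet 10.0.10.1 netmask 0xffffff00 broadcast 10.0.10.255
        member: vnet0.655 flags=143
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        groups: bridge'

# bridge_members IFCONFIG_TEXT -> prints one member interface name per line.
bridge_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" { print $2 }'
}

# uplink_bridged IFCONFIG_TEXT UPLINK -> exit 0 if UPLINK is a bridge member
# (the misconfiguration), 1 otherwise. -F/-x: exact, literal line match.
uplink_bridged() {
    bridge_members "$1" | grep -qxF "$2"
}

# forwarding_enabled SYSCTL_LINE -> exit 0 if the line reads
# "net.inet.ip.forwarding: 1", 1 for any other value or name.
forwarding_enabled() {
    _val=$(printf '%s\n' "$1" | awk -F': *' '$1 == "net.inet.ip.forwarding" { print $2 }')
    [ "$_val" = "1" ]
}

# check_jail_gateway IFCONFIG_TEXT UPLINK SYSCTL_LINE
# Prints one finding per check with the fix from the reply; exit 1 if any failed.
check_jail_gateway() {
    _rc=0
    if uplink_bridged "$1" "$2"; then
        echo "PROBLEM: uplink $2 is a member of the bridge; run: ifconfig bridge0 deletem $2"
        _rc=1
    else
        echo "ok: uplink $2 is not a bridge member"
    fi
    if forwarding_enabled "$3"; then
        echo "ok: net.inet.ip.forwarding=1"
    else
        echo "PROBLEM: IP forwarding is off; run: service gateway enable; sysctl net.inet.ip.forwarding=1"
        _rc=1
    fi
    return $_rc
}

# Stand-alone demo on the constructed "before" state; on a real host use:
#   check_jail_gateway "$(ifconfig bridge0)" em0 "$(sysctl net.inet.ip.forwarding)"
check_jail_gateway "$SAMPLE_BRIDGE_BAD" em0 "net.inet.ip.forwarding: 0" || echo "fix the items above"
```

The checks deliberately take text rather than calling ifconfig themselves, so they can be run against saved output (or the samples above) on any system, and dropped into a jail host's startup or monitoring scripts without change.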