jails & ipfw + nat
Mario Freitas
sub_0 at netcabo.pt
Sun Sep 21 05:53:11 PDT 2003
Hi,
I recently configured a jail on a FreeBSD gateway doing nat for the
interface alias (the jail address, say 192.168.J.J). I tried with natd
and ipnat too.
However there are some problems I still do not understand. First
when I added "nameserver 192.168.X.X" (the nameserver running outside
the jail environment) to the jail, every query to the name server is
made via the loopback interface instead of the internal interface, or
$intif (where I have 192.168.X.X plus 192.168.J.J). Shouldn't the packet
travel (virtually) via the $intif interface (as if the request was coming
from any machine on the LAN)? Also, the packets are travelling through
the loopback interface, where bind _is not_ listening :) (another weird
behaviour?)
Second, I've tried using, unsuccessfully, many ipfw rules so any user
inside the jail environment can establish statefully any tcp connection
to the internet. What I do not understand is why the request does not
(virtually) come through $intif (192.168.J.J). Inside the jail, after
executing telnet www.google.com 80, tcpdump -i $intif (outside the jail)
shows nothing, but tcpdump -i $extif (also outside) shows packets coming
from www.google.com:80 to $extip, both in natd and ipnat cases: ipfw
logs the packet being denied tcp from www.google.com:80 to $extip in via
$extif (keep-state is not triggered).
Any clarification would be appreciated.
Sincerely,
--
Mário Freitas (sub_0 at netcabo.pt)
Núcleo Português de FreeBSD (NPF)
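The second symptom in the post (a reply from www.google.com:80 to $extip logged as denied in via $extif, with keep-state never matching) is what a stateful ruleset produces when check-state inspects the inbound packet before natd has translated its destination back to the jail address. The Python model below is an added illustration, not code from the original post or from FreeBSD: it keeps an ipfw-style dynamic rule table keyed on the addresses present when keep-state fires (the jail address, since keep-state runs before the outbound divert) plus a natd-like mapping table, and compares the two inbound orders. "192.168.J.J" and "$extip" are the placeholders from the post; the remote name, the source port and the log line format are constructed here.

```python
"""Toy model of how ipfw dynamic (keep-state) rules interact with natd.

Constructed illustration only; not ipfw or natd code.  It keeps just enough
state to show why a reply can arrive on $extif addressed to $extip without
matching any dynamic rule.
"""
from dataclasses import dataclass, replace

JAIL_IP = "192.168.J.J"      # jail alias on $intif (placeholder from the post)
EXT_IP = "$extip"            # gateway address on $extif (placeholder from the post)
REMOTE = "www.google.com"    # constructed stand-in for the resolved remote address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str           # "out" or "in", as seen on $extif
    setup: bool = False      # True for the TCP SYN that opens the connection


class Nat:
    """Minimal natd-like translator: outbound src becomes $extip, inbound dst
    is rewritten back to the inside address when a mapping exists."""

    def __init__(self):
        self.mappings = {}   # external port -> (inside address, inside port)

    def translate(self, pkt):
        if pkt.direction == "out":
            self.mappings[pkt.sport] = (pkt.src, pkt.sport)   # port kept as-is
            return replace(pkt, src=EXT_IP)
        inside = self.mappings.get(pkt.dport)
        if inside is None:
            return pkt       # no mapping: packet passes through untouched
        return replace(pkt, dst=inside[0], dport=inside[1])


class Firewall:
    """ipfw-like pass/deny with a dynamic rule table.  `divert_in_first`
    decides whether the inbound divert precedes check-state, as with a rule
    "100 divert natd ip from any to any in via $extif" ahead of check-state."""

    def __init__(self, divert_in_first):
        self.nat = Nat()
        self.dynamic = set()           # 4-tuples, stored in both directions
        self.divert_in_first = divert_in_first
        self.log = []

    def _key(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def _keep_state(self, pkt):
        self.dynamic.add(self._key(pkt))
        self.dynamic.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def _deny(self, pkt):
        self.log.append(f"Deny TCP {pkt.src}:{pkt.sport} {pkt.dst}:{pkt.dport} "
                        f"{pkt.direction} via $extif")
        return None

    def process(self, pkt):
        """Return the packet that leaves the firewall, or None if denied."""
        if pkt.direction == "out":
            # "pass tcp from 192.168.J.J to any out via $extif setup keep-state"
            if pkt.src == JAIL_IP and pkt.setup:
                self._keep_state(pkt)          # recorded with the jail address
            elif self._key(pkt) not in self.dynamic:
                return self._deny(pkt)
            # "divert natd ip from any to any out via $extif", then pass
            return self.nat.translate(pkt)
        if self.divert_in_first:
            pkt = self.nat.translate(pkt)      # de-NAT before check-state
        if self._key(pkt) in self.dynamic:     # "check-state"
            return pkt
        return self._deny(pkt)                 # falls through to deny + log


def simulate(divert_in_first, sport=50000):
    """Open a connection from the jail, feed the remote reply back in, and
    return (reply_delivered_to_jail, log_lines)."""
    fw = Firewall(divert_in_first)
    syn = Packet(JAIL_IP, sport, REMOTE, 80, "out", setup=True)
    on_wire = fw.process(syn)
    assert on_wire is not None and on_wire.src == EXT_IP
    reply = Packet(REMOTE, 80, on_wire.src, on_wire.sport, "in")
    delivered = fw.process(reply)
    return (delivered is not None and delivered.dst == JAIL_IP, fw.log)


if __name__ == "__main__":
    for order in (False, True):
        ok, log = simulate(order)
        print(f"inbound divert before check-state={order}: reply delivered={ok}")
        for line in log:
            print("  ipfw:", line)
```

With check-state ahead of the inbound divert the model logs exactly the kind of line the post quotes (deny tcp from www.google.com:80 to $extip in via $extif) because the dynamic entry holds 192.168.J.J, not $extip; moving the inbound divert ahead of check-state makes the de-NATed reply match. The same ordering question applies whichever translator is in use, since the dynamic table only knows the addresses it saw when keep-state fired.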