trouble getting Jail with IPFW+NAT to work
Michael
mlmichael70 at gmail.com
Thu Aug 5 21:49:01 UTC 2010
On 05/08/2010 07:12, Ian Smith wrote:
>
> First checking your assumptions: you want the jail, ie packets from
> $jail_ip, to be able to communicate to the outside only on UDP, and only
> to address $dns? (or dns="$address 53")?
No no :) It was just exempt from my ruleset. I'm a great believer in the
least privilege principle and fine-grained filtering so I am using rules
like this:
$cmd 66 add nat 1 udp from $jail $ports_range_bc to $dns 53 out xmit $if_ext jail $jail_jid uid $user_jail
But it only makes things complicated so let's start from scratch with a
simplified ruleset:
cmd="/sbin/ipfw -q add"
cmd_nat="/sbin/ipfw -q"
jail="127.127.127.1"

/sbin/ipfw -q -f flush
# loopback traffic
$cmd 10 allow all from 127.0.0.1 to 127.0.0.1 via lo0
# NAT instance 1 bound to wlan0; "reset" clears the alias table when the
# interface address changes, "same_ports" keeps source ports where possible
$cmd_nat nat 1 config reset if wlan0 log same_ports
# ipfw expects "add <number> nat 1 ...", so the rules are added via $cmd
# (the original lines read "$cmd_nat 21 add nat 1 ...", which ipfw rejects)
# outbound UDP from the jail is translated; ALL inbound UDP on wlan0 is
# handed to NAT so that replies can be un-translated
$cmd 21 nat 1 udp from $jail to any out xmit wlan0 jail 1
$cmd 22 nat 1 udp from any to any in recv wlan0
# jail: UDP out and replies back to the jail address
$cmd 31 allow udp from me to any out via wlan0 jail 1
$cmd 32 allow udp from any to $jail in via wlan0 jail 1
# host: UDP out and replies back
$cmd 41 allow udp from me to any out via wlan0
$cmd 42 allow udp from any to me in via wlan0
# host: TCP, not passed through NAT
$cmd 51 allow tcp from me to any out via wlan0
$cmd 52 allow tcp from any to me in via wlan0
The purpose of which is to allow both host and jailed system to perform
a DNS lookup. They seem to be good but rule 22 causes big problems.
> Basically, using NAT you have to pass all inbound ip4 packets received
> on your external interface to NAT (unless you're receiving packets for
I was not aware of that, as you see my understanding of networks is not
too deep. Thanks for your explanation. I guess I was confused by pf
rules where I had to specify only one NAT rule - for outgoing traffic.
OK, so I'm making a DNS lookup from the host system. It goes out via rule
41. Replies go into NAT and that is why the counters on rule 22 go up.
Then they go to rule number 42 and everything works fine.
I have a big problem with this kind of catch-all NAT rule - the ruleset
above doesn't work for changing IP address on wlan0.
Let's say it was loaded while the DHCP server was down and wlan0 had no IP
address assigned yet. After a while the DHCP server became available and
wlan0 got its address.
When I do the same lookup from the host system it goes out via rule
number 41. Then again it falls into NAT rule 22. Now after that it
simply gets blocked by default rule and never gets into rule 42.
The same applies to any UDP traffic that is caught by the incoming NAT
rule. TCP connections (rules 51 and 52) that are not NATed are working fine.
Manually reloading my ruleset fixes the problem but it's not a solution.
Any ideas what is going on?
Michael
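As an added example (not part of Michael's post or anything else in this thread), here is a small POSIX shell check that reads `ipfw -a list`-style counter output and flags the symptom described above: packets being counted by the inbound catch-all NAT rule 22 while the follow-on allow rule 42 stays at zero and the default deny rule absorbs them instead. The counter sample is constructed to match the simplified ruleset in the post; the function names and the sample values are assumptions, not real output from Michael's machine.

```shell
#!/bin/sh
# Added example: diagnose "packets enter the inbound NAT rule but never
# reach the allow rule after it" from ipfw counters. Not from the thread.

# Constructed sample of `ipfw -a list` output (fields: rule pkts bytes body),
# modelled on the simplified ruleset in the post after the wlan0 address change.
SAMPLE='00010 12 960 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00021 0 0 nat 1 udp from 127.127.127.1 to any out xmit wlan0 jail 1
00022 7 1022 nat 1 udp from any to any in recv wlan0
00031 0 0 allow udp from me to any out via wlan0 jail 1
00032 0 0 allow udp from any to 127.127.127.1 in via wlan0 jail 1
00041 7 511 allow udp from me to any out via wlan0
00042 0 0 allow udp from any to me in via wlan0
00051 3 180 allow tcp from me to any out via wlan0
00052 3 200 allow tcp from any to me in via wlan0
65535 7 1022 deny ip from any to any'

# pkts <rule-number>: print the packet counter of one rule (0 if absent).
# In real use replace "$SAMPLE" with "$(ipfw -a list)".
pkts() {
    printf '%s\n' "$SAMPLE" | awk -v r="$1" '$1+0 == r { print $2; found=1; exit }
                                             END { if (!found) print 0 }'
}

# check_nat_path <nat-rule> <allow-rule>: succeed (exit 0) when the NAT rule
# has matched packets but the allow rule that should see them afterwards has
# matched none, i.e. the traffic is falling through to the default deny.
check_nat_path() {
    nat=$(pkts "$1")
    allow=$(pkts "$2")
    [ "$nat" -gt 0 ] && [ "$allow" -eq 0 ]
}

# Stand-alone run: report the host UDP reply path (22 -> 42) and the jail
# path (21 -> 31), plus how much the default deny rule has swallowed.
if check_nat_path 22 42; then
    echo "symptom: rule 22 counted $(pkts 22) packets, rule 42 counted $(pkts 42)," \
         "default deny counted $(pkts 65535)"
else
    echo "host UDP reply path 22 -> 42 looks healthy"
fi
if check_nat_path 21 31; then
    echo "symptom on jail path 21 -> 31"
fi
```

Run it as a regular user against the constructed sample; on a FreeBSD host, swapping `$SAMPLE` for the live `ipfw -a list` output (which needs root) gives the same report for the real ruleset, and a nonzero default-deny counter that grows in step with rule 22 is the quickest confirmation that NAT-translated replies are no longer matching `me`.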