12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf
Ernie Luzar
luzar722 at gmail.com
Fri Nov 9 18:14:59 UTC 2018
Hello lists;
testing 12.0-beta3 vnet jail that is using pf firewall.
net.inet.ip.forwarding=1 for the vnet jail.
Host is running the ipfilter firewall.
The kldload pf.ko pflog.ko command has been issued.
10.0.10.30 is the ip address assigned to the vnet jail in the jail.conf.
Using this nat rule
nat on epair2b from 10.0.0.30/24 to any -> (vge0)
vge0 is the host's interface facing the public internet and a member of
bridge2 along with member epair2a.
When I do a ping 8.8.8.8 from the vnet jail console I get message
"Time to live exceeded"
The vnet jail pflog shows in and out on epair2b 10.0.10.30 > 8.8.8.8.
Thinking the NAT rule is incorrect because the pflog doesn't show the
NATed IP address assigned by the ISP, or maybe the NAT rule is not
functional in a vnet jail because I found a bug.
Am I missing something here? Help please.