12.0-beta3 pf firewall NAT rule syntax for vnet jail using pf
Kristof Provost
kristof at sigsegv.be
Mon Nov 12 09:19:40 UTC 2018
On 2018-11-11 12:00:49 (-0500), Ernie Luzar <luzar722 at gmail.com> wrote:
> Kristof Provost wrote:
> >
> > If so, how can the jail see the vge0 interface?
>
> Through the bridge? I don't really know. Just guessing.
>
Think of vnet jails as separate machines. There's no mechanism for pf
hosts to exchange that sort of information between machines, so there's
no mechanism for them to exchange that between host and vnet jail.
In this case your nat rule simply won't do anything, because the vge0
interface does not exist in the jail.
> I added pass to the pf nat rule so inbound packets that match entry in
> state table get passed automatically.
>
> Now using this pf nat rule
> nat pass on epair2b from 10.0.0.30/24 to any -> (epair2b)
>
> This is the ifconfig -a on the host after the vnet jail is started.
>
Your bridge doesn't have an IP address. How do you expect to route
traffic arriving on that interface?
To be frank, you seem to be very confused on general networking
concepts. I'd advise you to study those first, because you're going to
keep struggling until you grasp the fundamentals of how IP works.
Best regards,
Kristof
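A check for the two failure modes raised in this reply, added here as an example and not part of the thread: it reads nat rules in the syntax quoted above and reports an interface that does not exist in the namespace the ruleset is loaded in (the vge0-inside-the-jail case) or a translation interface with no inet address (the bridge case). The `ifconfig -a` excerpts are constructed, not the poster's output.

```python
import re

# Constructed `ifconfig -a` excerpts (not the poster's real output): what the
# host sees, and what the vnet jail sees after epair2b is moved into it.
HOST_IFCONFIG = """\
vge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 02:00:00:00:00:01
epair2a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 02:00:00:00:00:02
"""
JAIL_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 10.0.0.30 netmask 0xffffff00 broadcast 10.0.0.255
"""

def parse_ifconfig(text):
    """Map interface name -> list of IPv4 addresses from `ifconfig -a` output."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s+flags=", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current and line.strip().startswith("inet "):
            ifaces[current].append(line.split()[1])
    return ifaces

# nat [pass] on IFACE ... -> (IFACE)   or   -> ADDRESS
NAT_RE = re.compile(r"^nat\s+(?:pass\s+)?on\s+(\S+)\s+.*->\s+\(?([^)\s]+)\)?")

def check_nat_rule(rule, ifaces):
    """Problems the rule has in the namespace described by ifaces: a missing
    interface, or a translation interface with no IPv4 address. [] = can apply."""
    m = NAT_RE.match(rule.strip())
    if not m:
        return [f"not a nat rule: {rule}"]
    problems = []
    for role, name in (("on", m.group(1)), ("translate-to", m.group(2))):
        if re.fullmatch(r"[\d.]+(/\d+)?", name):
            continue  # literal address, nothing to look up
        if name not in ifaces:
            problems.append(f"{role} interface {name} does not exist here")
        elif role == "translate-to" and not ifaces[name]:
            problems.append(f"{role} interface {name} has no inet address")
    return problems
```

Run it against the `ifconfig -a` output of whichever side actually loads the ruleset (host or jail), since, as the reply says, a rule naming an interface the other side owns silently matches nothing.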