natd in a jail
Ian Smith
smithi at nimnet.asn.au
Sat Nov 24 08:26:47 UTC 2012
On Sat, 24 Nov 2012 17:44:30 +1100, Morgan Reed wrote:
> On Fri, Nov 23, 2012 at 5:16 PM, Morgan Reed <morgan.s.reed at gmail.com> wrote:
> > So it turns out I'd not brought bpf into the jails, however even with
> > that and raw_sockets enabled I'm still having no joy with natd.
> >
> > I've been looking at ipfw a bit today but I've run into an issue,
> > loading ipfw_nat causes my kernel to instantly panic, I need to
> > recompile with KDB and DDB turned on so I can actually catch the trace
> > though... Might look at netgraph before going too far down that path.
>
> Rebuilt the kernel with option IPFIREWALL and friends turned on
> (including IPFILTER_DEFAULT_TO_ACCEPT or whatever it is).
Unless you needed to include FIREWALL_FORWARD, you really didn't need to
build ipfw into the kernel, it's all loadable by module. No harm, but.
> Throw ipfw_nat_load="YES" and ipdivert_load="YES" into
> /boot/loader.conf so the modules are available for the jails.
And with ipfw nat you won't be needing ipdivert. Again, no harm.
> Run a quick and dirty ipfw script (running out of an 'up' script I
> wrote into the OpenVPN config);
> ipfw nat 1 config if tun0 reset same_ports deny_in
> ipfw add 500 nat 1 ip from any to any via tun0
>
> Works like a charm, just one last thing I'd like to get squared away
> here though, currently OpenVPN is using a dynamically created tun
> device, I'd like to have a static /dev/tun0 exist prior to the
> /etc/rc.d/natd start launching (because as it is I have to restart
> natd after the openvpn tunnel comes up), not sure what the best way to
> achieve this is in a jailed environment though.
If the address of the tunX interface is fixed in the jail, you can
specify it by IP instead of the interface in the nat setup, like:
ipfw nat 1 config ip $address same_ports deny_in
ipfw add 500 nat 1 ip from any to any via $address
Your use of 'reset' in nat config makes me wonder if it's a variable
address though? If IP varies you will need to specify the interface.
> The next trick will be migrating from my spaghetti script into rc
> launched jails...
cheers, Ian
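As an added illustration (not a script from either poster), here is what an OpenVPN 'up' script along the lines described above can look like when it follows Ian's suggestion: pin the nat instance to the address when it is fixed, fall back to the interface (with 'reset') when it is not. It assumes OpenVPN's documented up-script arguments (tun device as $1, local address as $4), a hypothetical STATIC_TUN_ADDR variable to declare a fixed tunnel address, and an IPFW variable that can be set to echo for a dry run.

```shell
#!/bin/sh
# OpenVPN 'up' script that installs an ipfw nat instance for the tunnel.
# Constructed example, not the poster's script. Assumes ipfw_nat is loaded
# and the jail is allowed to run ipfw. OpenVPN invokes it as:
#   up-script tun_dev tun_mtu link_mtu ifconfig_local ifconfig_remote init
# Set IPFW=echo to print the ipfw commands instead of running them.
IPFW="${IPFW:-/sbin/ipfw}"
NAT_ID=1
RULE_NUM=500

# Arguments for 'ipfw nat NAT_ID config'. A fixed address (addr non-empty)
# anchors the instance to the IP, as suggested above; otherwise bind to the
# interface and let 'reset' flush the alias table when the address changes.
nat_config_args() {
    dev="$1"; addr="$2"
    if [ -n "$addr" ]; then
        echo "nat $NAT_ID config ip $addr same_ports deny_in"
    else
        echo "nat $NAT_ID config if $dev reset same_ports deny_in"
    fi
}

# The rule that passes tunnel traffic through the nat instance; 'via' takes
# either an interface name or an address.
nat_rule_args() {
    dev="$1"; addr="$2"
    if [ -n "$addr" ]; then
        echo "add $RULE_NUM nat $NAT_ID ip from any to any via $addr"
    else
        echo "add $RULE_NUM nat $NAT_ID ip from any to any via $dev"
    fi
}

# Install (or re-install) the nat instance and rule for this tunnel.
apply_nat() {
    dev="$1"; addr="$2"
    # Drop a stale rule left by a previous tunnel instance; ignore "not found".
    $IPFW delete $RULE_NUM 2>/dev/null || true
    $IPFW $(nat_config_args "$dev" "$addr") || return 1
    $IPFW $(nat_rule_args "$dev" "$addr")
}

# When called by OpenVPN, $1 is the tun device (tun0, tun1, ...). The
# hypothetical STATIC_TUN_ADDR, if set, pins the instance to that address.
if [ -n "$1" ]; then
    apply_nat "$1" "${STATIC_TUN_ADDR:-}"
fi
```

Because the script receives the device OpenVPN actually created, it no longer matters whether the tunnel lands on tun0 or a higher unit, and nothing has to be restarted after the tunnel comes up.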