NAT – FreeBSD jail with IPFW and a loopback interface – unable to connect via the loopback interface

Tags: freebsd, ipfw, nat

I am trying to configure a one-IP jail on a loopback interface, but I am unsure how to configure the IPFW rules to allow traffic to pass between the jail and the network card on the server.

I have followed http://blog.burghardt.pl/2009/01/multiple-freebsd-jails-sharing-one-ip-address/ and https://forums.freebsd.org/viewtopic.php?&t=30063

but without success. Here is what I have in my ipfw.rules:

# vim /usr/local/etc/ipfw.rules

ext_if="igb0"
jail_if="lo666"
IP_PUB="192.168.0.2"
IP_JAIL_WWW="10.6.6.6"
NET_JAIL="10.6.6.0/24"

IPF="ipfw -q add"
ipfw -q -f flush
#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
# stateful
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any
# open ports: ftp (21), ssh (22), mail (25), dns (53)
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out

# HTTP
$IPF 300 skipto 63000 tcp from any to me http,https setup keep-state
# deny and log everything
$IPF 500 deny log all from any to any
# NAT
$IPF 63000 divert natd ip from any to any via $jail_if out
$IPF 63000 divert natd ip from any to any via $jail_if in

But when I create a jail as:

# ezjail-admin create -f continental -c zfs node 10.6.6.7
/usr/jails/node/.
/usr/jails/node/./etc
/usr/jails/node/./etc/resolv.conf
/usr/jails/node/./etc/ezjail.flavour.continental
/usr/jails/node/./etc/rc.d
/usr/jails/node/./etc/rc.conf
4 blocks
find: /usr/jails/node/pkg/: No such file or directory
Warning: IP 10.6.6.7 not configured on a local interface.
Warning: Some services already seem to be listening on all IP, (including 10.6.6.7)
  This may cause some confusion, here they are:
root     syslogd    1203  6  udp6   *:514                 *:*
root     syslogd    1203  7  udp4   *:514                 *:*

I get these warnings, and then when I go into the jail environment I am unable to install any ports.

Any advice much appreciated.

Best Answer

The guides you linked to both use the pf firewall instead of ipfw in their examples so it might be easier to troubleshoot if you were to also use pf. I myself am only familiar with configuring pf but I can suggest a few things that you might try.

  1. Make sure that the external and loopback interfaces you are using are actually active by using the ifconfig command.
  2. In your /etc/rc.conf make sure that the following lines exist:

cloned_interfaces="lo666"
ifconfig_lo666_alias0="inet 10.6.6.6 netmask 255.255.255.255"
gateway_enable="YES"

Should you decide to use pf instead of ipfw I can try to be of further assistance.
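The answer above covers the interface side but not the ipfw side of the question. The script below is an added example, not code from the question or the answer: a complete ipfw ruleset that NATs a jail living on the cloned loopback lo666 out through the host's external interface, using ipfw's in-kernel nat rather than natd. The interface names and addresses (igb0, lo666, 192.168.0.2, 10.6.6.6, 10.6.6.0/24) are the ones from the question; the service ports, rule numbers, the one_pass sysctl handling and the rc.conf lines are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original post): ipfw ruleset that NATs a jail
# on a cloned loopback (lo666) out through the host's external interface,
# using ipfw's in-kernel nat instead of natd. Addresses and interfaces are
# the ones from the question; ports and rule numbers are assumptions.
# Run with "apply" as root on the jail host; with no argument (or "show")
# it only prints the rules so they can be reviewed first.
#
# Assumed /etc/rc.conf on the host (the lo666 lines match the answer above):
#   cloned_interfaces="lo666"
#   ifconfig_lo666_alias0="inet 10.6.6.6 netmask 255.255.255.255"
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_nat_enable="YES"
#   firewall_script="/usr/local/etc/ipfw.rules"

ext_if="${ext_if:-igb0}"            # NIC carrying the host's address
jail_if="${jail_if:-lo666}"         # cloned loopback the jail addresses live on
ip_pub="${ip_pub:-192.168.0.2}"     # host address on $ext_if
ip_jail_www="${ip_jail_www:-10.6.6.6}"
net_jail="${net_jail:-10.6.6.0/24}"

# Emit one ipfw command per line; the leading "ipfw" word is omitted because
# the lines are later fed to ipfw as a rule file.
rule() { printf '%s\n' "$*"; }

gen_rules() {
    rule "flush"
    # One in-kernel NAT instance bound to the external interface. "reset"
    # drops translations when the address changes; the redirects forward the
    # public HTTP/HTTPS ports to the www jail.
    rule "nat 1 config if $ext_if same_ports reset" \
         "redirect_port tcp $ip_jail_www:80 80" \
         "redirect_port tcp $ip_jail_www:443 443"

    rule "add 100 allow ip from any to any via lo0"
    # Host <-> jail and jail <-> jail traffic never leaves the box.
    rule "add 110 allow ip from any to any via $jail_if"
    rule "add 200 deny ip from any to 127.0.0.0/8"
    rule "add 210 deny ip from 127.0.0.0/8 to any"

    # Reassemble fragments, then untranslate inbound packets *before* the
    # state table is consulted, so replies to jail flows match the dynamic
    # rules keyed on the jail's private address.
    rule "add 290 reass ip from any to any in"
    rule "add 300 nat 1 ip from any to $ip_pub in via $ext_if"
    rule "add 310 check-state"

    # New outbound flows (host or jail): record state, then jump to the
    # outbound NAT block. Packets later matched by check-state inherit this
    # skipto, so later packets of a jail flow are translated as well.
    rule "add 400 skipto 1000 tcp from any to any out via $ext_if setup keep-state"
    rule "add 410 skipto 1000 udp from any to any out via $ext_if keep-state"
    rule "add 420 skipto 1000 icmp from any to any out via $ext_if keep-state"

    # Inbound services. ssh terminates on the host, so a plain allow is
    # enough. HTTP/HTTPS was already redirected to the jail by rule 300 and
    # its replies must pass the outbound NAT, hence skipto instead of allow.
    rule "add 500 allow tcp from any to $ip_pub 22 in via $ext_if setup keep-state"
    rule "add 510 skipto 1000 tcp from any to $ip_jail_www 80,443 in via $ext_if setup keep-state"
    rule "add 520 allow icmp from any to any in via $ext_if icmptypes 0,3,8,11"

    # Everything else is logged and dropped.
    rule "add 999 deny log ip from any to any"

    # Outbound NAT block: only the jail network needs translating; the host's
    # own packets already carry $ip_pub. Inbound packets that skipto here
    # (replies matched by check-state) do not match 1000 and fall to 1010.
    rule "add 1000 nat 1 ip from $net_jail to any out via $ext_if"
    rule "add 1010 allow ip from any to any"
}

apply_rules() {
    # Without this, ipfw stops processing a packet right after the nat action
    # and rules 310-1010 are never evaluated (see ipfw(8), NAT section).
    sysctl net.inet.ip.fw.one_pass=0
    kldload -n ipfw_nat
    tmp=$(mktemp -t ipfw.rules) || exit 1
    gen_rules > "$tmp"
    ipfw -q -f "$tmp"
    rm -f "$tmp"
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Two things in the ruleset posted in the question are worth comparing against this: rule 70 (allow all ... out keep-state) matches outbound jail packets before anything ever reaches the divert rules at 63000, so those packets leave igb0 with their 10.6.6.x source untranslated, and the only skipto to 63000 is for inbound HTTP/HTTPS. Keeping the inbound NAT before check-state and the outbound NAT after it, reached only by skipto, is what lets the state table and the translation agree on the jail's addresses.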
