
Re: Problem with ipfw, in-kernel NAT and port redirection to jails


Alexey Roslyakov via freebsd-net

Feb 6, 2016, 3:07:29 AM
Hello.
I have the same problem when I'm trying to redirect incoming traffic into the
jailed web server.
I repeated my installation a few times on different releases; the problem
with redirected ports was there every time (except on 9.3, where the result
was random).
As a temporary solution I am using pf nat to redirect ports.

My test configuration:
/etc/rc.conf:
ifconfig_vtnet0="inet 192.168.1.18/24"
defaultrouter="192.168.1.1"
cloned_interfaces="lo1"

/etc/jail.conf:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
j1 {
path = /home/jail1;
mount.devfs;
host.hostname = j1;
interface = "lo1";
ip4.addr = 10.8.0.1;
persist;
}

rc.firewall:
ipfw nat 1 config if vtnet0 redirect_port tcp 10.8.0.1:80 80
ipfw add 500 nat 1 ip from any to 192.168.1.18 in via vtnet0
ipfw add 600 nat 1 ip from 10.8.0.1 to any out via vtnet0
ipfw add allow ip from any to any

pf.conf:
ext_if = "vtnet0"
int_if = "lo1"
jail_net = $int_if:network
nat on $ext_if from $jail_net to any -> ($ext_if)
rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 80 ->
10.8.0.1 port 80

In the jail I tried nginx, apache24 and nc as the source for redirection. The
test file was generated with: dd if=/dev/random of=tmp.raw bs=1M count=2
On 10.1 and 10.2 there are no big differences: when using ipfw nat we
get only part of the file (I'm using curl on a different machine: curl
http://192.168.1.18/tmp.raw > /dev/null):
with nginx: Received = 33045
with apache: Received = 33092
with nc: Received = 16384
and the result seems to be very stable in numbers.
On 9.3:
nginx: random number of bytes received, no successful downloads
apache: random number of bytes received, sometimes the entire file is downloaded
nc: entire file received

My virtual environment is proxmox 3.
Maybe it's related to
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=137346 or just not
properly configured ipfw nat?
_______________________________________________
freeb...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net...@freebsd.org"

Alexey Roslyakov via freebsd-net

Feb 8, 2016, 8:27:45 AM
08.02.2016 12:30, Kiryanov Vassily wrote:
> Hello Alexey,
>
> Thank you for this information, I have thoughts about using pf nat as
> an alternative way and your example will be useful for me.
>
> But Eugene Grosbein advised me to turn off tso4 on the network card
> underlying my VLANs and it was enough to solve the problem with port
> redirection. Without turning tso4 off ipfw + in-kernel NAT works
> fine but port redirection fails.
>

Thank you. It's my mistake: I was confused by my home gateway, where
redirect_port worked perfectly (NIC without TSO support), and there is a
notice in the BUGS section of ipfw(8) about libalias being incompatible
with TSO.
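A pre-flight check for the libalias/TSO conflict this thread ends on, written as an added example (not code from the thread or from FreeBSD): it parses ifconfig(8)-style output for the interface carrying the ipfw nat instance and flags TSO4/TSO6, printing the rc.conf line that disables it. The sample ifconfig output is constructed, and the `-tso4`/`-tso6` flags are the ones documented in ifconfig(8).

```shell
#!/bin/sh
# Added example (not from the thread): flag an ipfw in-kernel NAT interface
# that still has TSO enabled, the condition that broke redirect_port above.
# tso_check IFACE reads ifconfig(8) output for IFACE on stdin; it returns 1
# (and prints the rc.conf fix) when TSO4 or TSO6 is listed, 0 otherwise.
# Live use on a host:  ifconfig vtnet0 | tso_check vtnet0
tso_check() {
    iface="$1"
    # FreeBSD prints capabilities as: options=6c07bb<RXCSUM,TXCSUM,...,TSO4,TSO6,...>
    opts=$(sed -n 's/^[[:space:]]*options=[0-9a-fA-F]*<\(.*\)>.*$/\1/p')
    case ",$opts," in
        *,TSO4,*|*,TSO6,*)
            echo "WARN: $iface has TSO enabled (<$opts>)"
            echo "      libalias redirect_port truncates TCP streams with TSO on; disable it:"
            echo "      ifconfig_$iface=\"inet 192.168.1.18/24 -tso4 -tso6\"   (in /etc/rc.conf)"
            return 1 ;;
        *)
            echo "OK: $iface has TSO disabled"
            return 0 ;;
    esac
}

# Constructed sample output, modelled on a 10.x vtnet(4) interface; it is not
# captured from the poster's host.
SAMPLE_TSO_ON='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.1.18 netmask 0xffffff00 broadcast 192.168.1.255'
SAMPLE_TSO_OFF='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c04bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.1.18 netmask 0xffffff00 broadcast 192.168.1.255'

# Wrappers so both cases can be exercised without a live host.
check_sample_tso_on()  { printf '%s\n' "$SAMPLE_TSO_ON"  | tso_check vtnet0; }
check_sample_tso_off() { printf '%s\n' "$SAMPLE_TSO_OFF" | tso_check vtnet0; }
```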

Julian Elischer

Feb 8, 2016, 10:12:03 AM
On 8/02/2016 9:27 PM, Alexey Roslyakov via freebsd-net wrote:
> 08.02.2016 12:30, Kiryanov Vassily wrote:
>> Hello Alexey,
>>
>> Thank you for this information, I have thoughts about using pf nat as
>> an alternative way and your example will be useful for me.
>>
>> But Eugene Grosbein advised me to turn off tso4 on the network card
>> underlying my VLANs and it was enough to solve the problem with port
>> redirection. Without turning tso4 off ipfw + in-kernel NAT works
>> fine but port redirection fails.
>>
>
> Thank you. It's my mistake: I was confused by my home gateway, where
> redirect_port worked perfectly (NIC without TSO support), and there
> is a notice in the BUGS section of ipfw(8) about libalias being
> incompatible with TSO.

so why are you using libalias?
I may have misread what you are doing but IP masquerading might work
better. (ipfw fwd rule with local destination)

Kiryanov Vassily

Feb 8, 2016, 7:43:24 PM
Hello Alexey,

Thank you for this information, I have thoughts about using pf nat as
an alternative way and your example will be useful for me.

But Eugene Grosbein advised me to turn off tso4 on the network card
underlying my VLANs and it was enough to solve the problem with port
redirection. Without turning tso4 off ipfw + in-kernel NAT works
fine but port redirection fails.

Saturday, February 6, 2016, 1:57:47 PM, you wrote:

ARvfn> Hello.
ARvfn> I have the same problem when I'm trying to redirect incoming traffic into the
ARvfn> jailed web server.
ARvfn> I repeated my installation a few times on different releases; the problem
ARvfn> with redirected ports was there every time (except on 9.3, where the result
ARvfn> was random).
ARvfn> As a temporary solution I am using pf nat to redirect ports.

ARvfn> My test configuration:
ARvfn> /etc/rc.conf:
ARvfn> ifconfig_vtnet0="inet 192.168.1.18/24"
ARvfn> defaultrouter="192.168.1.1"
ARvfn> cloned_interfaces="lo1"

ARvfn> /etc/jail.conf:
ARvfn> exec.start = "/bin/sh /etc/rc";
ARvfn> exec.stop = "/bin/sh /etc/rc.shutdown";
ARvfn> exec.clean;
ARvfn> j1 {
ARvfn> path = /home/jail1;
ARvfn> mount.devfs;
ARvfn> host.hostname = j1;
ARvfn> interface = "lo1";
ARvfn> ip4.addr = 10.8.0.1;
ARvfn> persist;
ARvfn> }

ARvfn> rc.firewall:
ARvfn> ipfw nat 1 config if vtnet0 redirect_port tcp 10.8.0.1:80 80
ARvfn> ipfw add 500 nat 1 ip from any to 192.168.1.18 in via vtnet0
ARvfn> ipfw add 600 nat 1 ip from 10.8.0.1 to any out via vtnet0
ARvfn> ipfw add allow ip from any to any

ARvfn> pf.conf:
ARvfn> ext_if = "vtnet0"
ARvfn> int_if = "lo1"
ARvfn> jail_net = $int_if:network
ARvfn> nat on $ext_if from $jail_net to any -> ($ext_if)
ARvfn> rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 80 ->
ARvfn> 10.8.0.1 port 80

ARvfn> In the jail I tried nginx, apache24 and nc as the source for redirection. The
ARvfn> test file was generated with: dd if=/dev/random of=tmp.raw bs=1M count=2
ARvfn> On 10.1 and 10.2 there are no big differences: when using ipfw nat we
ARvfn> get only part of the file (I'm using curl on a different machine: curl
ARvfn> http://192.168.1.18/tmp.raw > /dev/null):
ARvfn> with nginx: Received = 33045
ARvfn> with apache: Received = 33092
ARvfn> with nc: Received = 16384
ARvfn> and the result seems to be very stable in numbers.
ARvfn> On 9.3:
ARvfn> nginx: random number of bytes received, no successful downloads
ARvfn> apache: random number of bytes received, sometimes the entire file is downloaded
ARvfn> nc: entire file received

ARvfn> My virtual environment is proxmox 3.
ARvfn> Maybe it's related to
ARvfn> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=137346 or just not
ARvfn> properly configured ipfw nat?



--
Best regards,
Kiryanov mailto:kv...@bf.pstu.ru