1a105 Unable to resolve FQDN jails - The FreeBSD Forums
#1  November 9th, 2012, 10:49
thegolum35 (Junior Member, joined Sep 2010)
Unable to resolve FQDN jails

Hello, I'm trying to get my jails working but I have a problem. Indeed, only ICMP connections work, I can't stat the problem.

Here is my pf.conf
Code:
#Macro

int_if = "fxp0"

# Tables

table <flood> persist
table <*beep**beep**beep**beep*er> persist

# Rules

set skip on lo0
set skip on lo1

scrub in all

nat on $int_if from lo1 to any -> ($int_if)

antispoof for fxp0 inet
block log all # Drop all

pass quick log on $int_if proto { icmp icmp6 } # Allow ping
pass out log on $int_if all

pass in quick on $int_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
#pass in log on $int_if inet proto tcp from any to 192.168.1.40 port 30000 synproxy state (max-src-conn-rate 3/20, overload <flood> flush global)

#pass in quick log on $int_if proto tcp from 192.168.1.0/24 to 192.168.1.40 port 9050
#pass in log on $int_if proto tcp from {!192.168.1.0/24, 10.0.0.0/24} to 192.168.1.40 port 9001

pass in quick log on $int_if from 192.168.50.2 to any

#block quick on $int_if from <flood>
#block quick on $int_if from <*beep**beep**beep**beep*er>
Commented lines are useless for fixing the problem. 192.168.50.2 is the ip of my jail; 192.168.1.0/24 is my network.

Thank you.
#2  November 9th, 2012, 10:53
SirDice (Moderator, Rotterdam, Netherlands, joined Nov 2008)

What exactly is the problem? You can't resolve your jail hostnames or you can't resolve anything inside a jail?
__________________
Senior UNIX Engineer at Unix Support Nederland
Experience is something you don't get until just after you need it.
#3  November 9th, 2012, 11:01
thegolum35 (Junior Member, joined Sep 2010)

Sorry, I can ping everything but resolving google.fr for example times out.
#4  November 9th, 2012, 11:06
SirDice (Moderator, Rotterdam, Netherlands, joined Nov 2008)

Ah, so it's resolving inside the jail that's the issue. Is /etc/resolv.conf set up properly in the jail?

There are also no rules allowing TCP/UDP port 53 out for DNS.
#5  November 9th, 2012, 11:21
thegolum35 (Junior Member, joined Sep 2010)

Code:
cat /etc/resolv.conf 
nameserver 8.8.8.8
nameserver 8.8.4.4
And I can see the DNS query pass and the answer too but that one isn't forwarded to the jail.

Quote:
There are also no rules allowing TCP/UDP port 53 out for DNS.
I think that rule does so, am I wrong?
Code:
pass out log on $int_if all
Beeblebrox:

I said that ICMP connections worked, and I had to allow raw sockets for debugging.
#6  November 9th, 2012, 11:29
SirDice (Moderator, Rotterdam, Netherlands, joined Nov 2008)

Quote:
Originally posted by thegolum35:
I think that rule does so, am I wrong?
Code:
pass out log on $int_if all
It depends, that allows queries back into your network. But you are using Google's DNS servers, so they are external. Somewhere on your network they need a way out.
#7  November 9th, 2012, 11:37
thegolum35 (Junior Member, joined Sep 2010)

I only have one interface on my server.
#8  November 9th, 2012, 11:39
SirDice (Moderator, Rotterdam, Netherlands, joined Nov 2008)

Have a look with tcpdump(1). Pay close attention to the source addresses of the queries (the NAT might not work properly).

# tcpdump -nvvi fxp0 port 53
#9  November 9th, 2012, 11:45
thegolum35 (Junior Member, joined Sep 2010)

Code:
tcpdump -nvvi fxp0 port 53
Quote:
192.168.1.40.55512 > 8.8.8.8.53: [udp sum ok] 23567+ A? apple.com. (27)
11:44:25.362315 IP (tos 0x0, ttl 45, id 14424, offset 0, flags [none], proto UDP (17), length 87)
8.8.8.8.53 > 192.168.1.40.55512: [udp sum ok] 23567 q: A? apple.com. 2/0/0 apple.com. A 17.149.160.49, apple.com. A 17.172.224.47 (59)
11:44:26.287199 IP (tos 0x0, ttl 64, id 5568, offset 0, flags [none], proto UDP (17), length 55)
It seems to work ...

So the problem is that the server doesn't forward the query to the jail. How may I fix this?
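As an added example (not part of the thread, and not code from any of its posters), here is a small sh/awk script that reads the kind of `tcpdump -nv ... port 53` output posted above and does the check SirDice asks for in #8 and #12: for every DNS query it reports the source address and whether that is the jail's own address or the host's (the NAT'd case), and it totals queries and answers per address. The capture embedded in it is constructed from the lines in #9 (the first header line and the third query are added to complete the picture); JAIL_IP and HOST_IP are the thread's 192.168.1.52 and 192.168.1.40.

```shell
#!/bin/sh
# Added example, not from the thread: classify DNS traffic in
# "tcpdump -nv ... port 53" output by whether a query left with the
# jail's own address or with the host's address (the NAT'd case).
# JAIL_IP and HOST_IP are the thread's values.

JAIL_IP="192.168.1.52"
HOST_IP="192.168.1.40"

# Constructed sample in the format of the capture posted in the thread.
SAMPLE='11:44:25.301122 IP (tos 0x0, ttl 64, id 5567, offset 0, flags [none], proto UDP (17), length 55)
    192.168.1.40.55512 > 8.8.8.8.53: [udp sum ok] 23567+ A? apple.com. (27)
11:44:25.362315 IP (tos 0x0, ttl 45, id 14424, offset 0, flags [none], proto UDP (17), length 87)
    8.8.8.8.53 > 192.168.1.40.55512: [udp sum ok] 23567 q: A? apple.com. 2/0/0 apple.com. A 17.149.160.49, apple.com. A 17.172.224.47 (59)
11:44:26.287199 IP (tos 0x0, ttl 64, id 5568, offset 0, flags [none], proto UDP (17), length 55)
    192.168.1.52.60001 > 8.8.4.4.53: [udp sum ok] 4242+ A? google.fr. (27)'

# awk helper shared by both functions: turn "a.b.c.d.port:" into "a.b.c.d"
AWK_ADDR='function addr(f) { sub(/:$/, "", f); sub(/\.[0-9]+$/, "", f); return f }'

# dns_queries: one line per query, "<src> <name> <verdict>", where verdict is
# jail (left with the jail address), host-nat (left with the host address)
# or other. A query is a line whose destination field ends in ".53:".
dns_queries() {
    awk -v jail="$JAIL_IP" -v host="$HOST_IP" "$AWK_ADDR"'
    $2 == ">" && $3 ~ /\.53:$/ {
        s = addr($1)
        name = "?"
        # the queried name follows the qtype token ("A?", "AAAA?", ...)
        for (i = 4; i < NF; i++) if ($i ~ /^[A-Z]+\?$/) { name = $(i + 1); break }
        if (s == jail) v = "jail"; else if (s == host) v = "host-nat"; else v = "other"
        print s, name, v
    }'
}

# dns_summary: counts of queries by source and of answers by destination.
# An answer is a line whose source field ends in ".53".
dns_summary() {
    awk -v jail="$JAIL_IP" -v host="$HOST_IP" "$AWK_ADDR"'
    $2 == ">" && $3 ~ /\.53:$/ { s = addr($1); if (s == jail) jq++; else if (s == host) hq++; else oq++; next }
    $2 == ">" && $1 ~ /\.53$/  { d = addr($3); if (d == jail) ja++; else if (d == host) ha++; else oa++; next }
    END { printf "jail_queries=%d host_queries=%d other_queries=%d jail_answers=%d host_answers=%d other_answers=%d\n", jq, hq, oq, ja, ha, oa }'
}

printf '%s\n' "$SAMPLE" | dns_queries
printf '%s\n' "$SAMPLE" | dns_summary
```

On the constructed sample the summary reads `host_queries=1 host_answers=1` for the apple.com lookup and `jail_queries=1 jail_answers=0` for the google.fr one, which is the pattern to look for: an answer that returns to the host address and is never seen addressed to the jail. To use it on a live capture, source the file and pipe `tcpdump -nlvi fxp0 port 53` into `dns_queries` (the `-l` makes tcpdump line-buffer its output).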
#10  November 9th, 2012, 12:13
SirDice (Moderator, Rotterdam, Netherlands, joined Nov 2008)

Is the jail bound to lo1? And what IP address does it have?
#11  November 9th, 2012, 12:33
thegolum35 (Junior Member, joined Sep 2010)

No, it is not. I was looking for this; how do I do so?
Its IP is 192.168.1.52 (/24).
#12  November 9th, 2012, 13:26
SirDice (Moderator, Rotterdam, Netherlands, joined Nov 2008)

If the jail has 192.168.1.52 then why are the DNS queries coming from 192.168.1.40?
#13  November 9th, 2012, 13:34
thegolum35 (Junior Member, joined Sep 2010)

Because of the nat rule. I know it's not compulsory but I'd like doing that way.
#14  November 9th, 2012, 13:37
SirDice (Moderator, Rotterdam, Netherlands, joined Nov 2008)

And it's probably what's causing the issues. Remove it. As you don't have anything bound to lo1 anyway it's rather useless.
#15  November 9th, 2012, 14:24
thegolum35 (Junior Member, joined Sep 2010)

But it might work with NAT, no?
#16  November 9th, 2012, 14:37
SirDice (Moderator, Rotterdam, Netherlands, joined Nov 2008)

You don't need NAT.
#17  November 9th, 2012, 18:59
matoatlantis (Member, Bratislava, Slovakia, joined Mar 2009)

Please can you share the exact network range for fxp0 and lo1? As I understood it, your jail IP is behind the lo1 interface.
Also share the output from:

# netstat -nrfinet

This is just my opinion, but it's better to call your external interface "ext_if" rather than "int_if" (short for external/internal). Also if you start to use macros use them throughout the whole configuration (e.g. line 10 vs line 11 /not counting spaces/).

There are more ways to do it, but as you started creating custom interfaces you must pay attention to what is visible to the external network and what is not. One way is to put all IPs on fxp0 and set up the jail. You don't need NAT for that.

Or you can set up the custom interface with a private range and NAT it through the IP on fxp0.
__________________
..when you do things right, people won't be sure you've done anything at all..
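As an added example, not from the thread or any of its posters: a POSIX sh script that works out which of the two layouts matoatlantis describes applies to a given jail address (inside the LAN prefix: alias it on fxp0 with no NAT; inside a private range: put it on lo1 and NAT it behind fxp0) and prints the interface commands and a pf.conf for it. An address in neither range, like the 192.168.50.2 from the first post combined with a jail that is not on lo1, is reported as undecided rather than guessed at. The names EXT_IF, JAIL_IF, LAN_NET and the 10.0.0.0/24 jail range are assumptions; fxp0, 192.168.1.0/24 and the ssh rule are taken from the thread. The script only prints; it does not touch interfaces or load rules.

```shell
#!/bin/sh
# Added example, not from the thread: pick the jail layout for an address
# and print the interface commands plus a matching pf.conf. It only prints.
# Assumed names/values: EXT_IF, JAIL_IF, LAN_NET, JAIL_NET. fxp0 and
# 192.168.1.0/24 are the thread's; 10.0.0.0/24 is a placeholder private range.

EXT_IF="fxp0"            # the only physical interface on the host
JAIL_IF="lo1"            # cloned loopback used only for the NAT layout
LAN_NET="192.168.1.0/24"
JAIL_NET="10.0.0.0/24"   # assumed private range for NAT'd jails

# ip4_to_int 192.168.1.52 -> 3232235828
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr <ip> <net/bits>: exit status 0 when ip lies inside net
in_cidr() {
    in_ip=$(ip4_to_int "$1")
    in_net=$(ip4_to_int "${2%/*}")
    in_bits=${2#*/}
    in_mask=$(( (4294967295 << (32 - in_bits)) & 4294967295 ))
    [ $(( in_ip & in_mask )) -eq $(( in_net & in_mask )) ]
}

# jail_layout <ip> -> alias | nat | unknown
jail_layout() {
    if in_cidr "$1" "$LAN_NET"; then echo alias
    elif in_cidr "$1" "$JAIL_NET"; then echo nat
    else echo unknown; fi
}

# emit_config <ip>: interface commands and pf.conf for that layout
emit_config() {
    case $(jail_layout "$1") in
    alias)
        cat <<EOF
# Layout A: $1 is on the LAN, so it is an alias on $EXT_IF and needs no NAT.
ifconfig $EXT_IF inet $1 netmask 255.255.255.255 alias

# /etc/pf.conf
ext_if = "$EXT_IF"
jail_ip = "$1"
set skip on lo0
scrub in all
block log all
# explicit DNS rule for host and jail; pf keeps state, so answers come back in
pass out quick on \$ext_if inet proto { tcp udp } from { (\$ext_if) \$jail_ip } to any port 53
pass out on \$ext_if all
pass in quick on \$ext_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
EOF
        ;;
    nat)
        cat <<EOF
# Layout B: $1 is private, so it lives on $JAIL_IF and is NAT'd behind $EXT_IF.
ifconfig $JAIL_IF create
ifconfig $JAIL_IF inet $1 netmask 255.255.255.255

# /etc/pf.conf
ext_if = "$EXT_IF"
jail_net = "$JAIL_NET"
set skip on lo0
set skip on $JAIL_IF
scrub in all
# translation happens before filtering, so the out rules see (\$ext_if) as source
nat on \$ext_if inet from \$jail_net to any -> (\$ext_if)
block log all
pass out quick on \$ext_if inet proto { tcp udp } to any port 53
pass out on \$ext_if all
pass in quick on \$ext_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
EOF
        ;;
    *)
        echo "$1 is in neither $LAN_NET nor $JAIL_NET: pick a layout first" >&2
        return 1
        ;;
    esac
}

emit_config 192.168.1.52
emit_config 10.0.0.2
```

The two rulesets differ in exactly one line, the `nat on` rule, and that is the point of the thread: NAT belongs to the private-range layout only. With the jail aliased on fxp0 its own address is already reachable on the LAN, so translating its packets to the host address only makes the answers arrive at the wrong address.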