Solved Fetch: protocol not supported

Hi,

I don't understand why I can't use fetch from inside my jail.

Code:
# fetch http://www.yahoo.com
fetch: http://www.yahoo.com: Protocol not supported

Name resolution works:

Code:
# host -t A yahoo.com                                   
yahoo.com has address 98.139.183.24
yahoo.com has address 206.190.36.45
yahoo.com has address 98.138.253.109

The host is the name server for the jails. So I guess the jail can access the host via lo1 (the cloned interface for the jails), but has no access to the internet.
I don't understand why.

Here's my pf.conf

Code:
tcp_internet_out="{53, 80, 443, 123}"
udp_internet_out="{53}"
ext_if=em0
anchor jailrules
load anchor jailrules from "/usr/local/etc/jails-pf.conf"
block in log (all)
block out log (all)
pass in quick on lo0
pass out quick on lo0
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 444 # custom ssh
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port $tcp_internet_out
pass out quick on $ext_if inet proto udp from ($ext_if) to any port $udp_internet_out
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq

And the /usr/local/etc/jails-pf.conf file:

Code:
nat on em0 inet from 192.168.0.3 to any -> (em0)
pass quick on lo1 inet from 192.168.0.3 to any
pass quick on lo1 inet from (lo1) to 192.168.0.3

Code:
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
   ether 00:22:4d:ca:41:ac
   inet 37.18.22.97 netmask 0xffffff00 broadcast 37.18.22.255
   inet6 fe80::222:xxxx:xxxx:xxxx%em0 prefixlen 64 scopeid 0x1
   inet6 2001:xxxx:x:xxxx::x prefixlen 128
   nd6 options=8063<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL,NO_RADR,DEFAULTIF>
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
   inet 127.0.0.1 netmask 0xff000000
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   groups: lo

pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
   groups: pflog

lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet 192.168.0.1 netmask 0xffffff00
   inet 192.168.0.3 netmask 0xffffff00
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   groups: lo

Code:
#sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

I don't see what I'm missing.
 
Don't do this:
Code:
pass in quick on lo0
pass out quick on lo0
The keep state is implied and this would cause a huge number of unnecessary states to be created. Use this instead:
Code:
set skip on lo0
 
For testing purposes, I simplified my conf files. Here are two scenarios. One in which the jail has internet connectivity, and one in which it doesn't.

Scenario that does not work

/etc/pf.conf:
Code:
anchor jailrules
load anchor jailrules from "/usr/local/etc/jails-pf.conf"
set skip on lo0
pass on lo1
pass on em0

/usr/local/etc/jails-pf.conf:
Code:
nat on em0 inet from 192.168.0.3 to any -> (em0)

I think # pfctl -F all -f /etc/pf.conf should be all that's needed to reload the pf configuration. But I also tried adding # pfctl -F all -f /usr/local/etc/jails-pf.conf -a jailrules just in case.

In this situation, fetch http://55.55.55.55 hangs forever (where 55.55.55.55 is actually an IP with a server that responds to requests).


Scenario that works

/etc/pf.conf:
Code:
nat on em0 inet from 192.168.0.3 to any -> (em0)
set skip on lo0
pass on lo1
pass on em0

To reload the conf:
# pfctl -F all -f /etc/pf.conf

In this situation, fetch http://55.55.55.55 works fine and the jail can fetch the HTTP response from the server at 55.55.55.55.


The only difference is that I use an anchor in the scenario that does not work.
I don't understand why it matters that my nat rule is loaded via an anchor.
 
OK. It works when replacing the anchor keyword with nat-anchor.
The anchor keyword only inserts the filter rules from the set, so it was ignoring the nat rule completely.
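A corrected pair of files, written here as an added example rather than the poster's own configuration, showing why both attachment points are needed; the anchor name, file path, interfaces and addresses are the ones from this thread.

```pf
# /etc/pf.conf -- added example, not the poster's file
ext_if = "em0"

set skip on lo0

# pf keeps translation rules (nat/rdr/binat) and filter rules in separate
# rulesets, and an anchor must be attached to each ruleset it contributes to.
# A bare "anchor" line attaches only the filter rules found in the anchor, so a
# nat rule loaded into it is never evaluated and the jail traffic leaves em0
# untranslated (the symptom described above).
nat-anchor jailrules    # attach the anchor's nat rules to the translation ruleset
anchor jailrules        # attach the anchor's filter rules to the filter ruleset
load anchor jailrules from "/usr/local/etc/jails-pf.conf"

pass on lo1
pass on $ext_if

# /usr/local/etc/jails-pf.conf -- the anchor's own rules, nat and filter together
nat on em0 inet from 192.168.0.3 to any -> (em0)
pass quick on lo1 inet from 192.168.0.3 to any
pass quick on lo1 inet from (lo1) to 192.168.0.3
```

After reloading with `pfctl -f /etc/pf.conf`, `pfctl -a jailrules -sn` should list the nat rule and `pfctl -a jailrules -sr` the two filter rules; an empty `-sn` listing is the quickest way to spot a missing nat-anchor line.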
 