dvl@
Developer
I'm using FreeBSD 9.1. The host system gets a DHCP address on em0.
My goal is several jails, each of which you can ssh into from the outside. I'll do this by redirecting port 100 to port 22 for the first jail, port 101 to 22 on the second jail, etc.
I'm using pf(4) to redirect and nat. But I'm doing it wrong. I'm missing something...
I've created a cloned interface, lo1. This has all the jail IP addresses. From /etc/rc.conf:
Code:
ifconfig_em0="DHCP"
cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 10.99.0.100/32"
ifconfig_lo1_alias1="inet 10.99.0.101/32"
ifconfig_lo1_alias2="inet 10.99.0.102/32"
etc
From the host system, I can ssh to the jail:
Code:
ssh -A dan@10.99.0.100
From my laptop, I can ssh to the host:
Code:
ssh -A 192.168.2.17
I cannot ssh to the jail from my laptop:
Code:
$ ssh -p 100 -A 192.168.2.17
ssh: connect to host 192.168.2.17 port 100: Connection refused
Here is /etc/pf.conf from the host system:
Code:
ext_if="em0"
int_if="lo1"
internal_net="10.99.0.0/24"
set skip on lo0
set skip on lo1
set skip on em0
scrub in all
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 100 -> 10.99.0.100 port 22
pass in all
pass out all
Here is some pfctl -sa output:
Code:
# pfctl -s a
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
nat on em0 inet from 10.99.0.0/24 to any -> (em0) round-robin
rdr on em0 inet proto tcp from any to (em0) port = newacct -> 10.99.0.100 port 22
FILTER RULES:
scrub in all fragment reassemble
pass in all flags S/SA keep state
pass out all flags S/SA keep state
INFO:
Status: Enabled for 0 days 01:12:29 Debug: Urgent
... rest snipped
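A corrected /etc/pf.conf for the setup described in the post, added here as an example rather than taken from the post itself. The diagnosis is mine: "set skip on em0" exempts em0 from all pf processing, translation included, so the rdr rule never matches and the host's own TCP stack answers port 100 with a RST, which is the "Connection refused" seen from the laptop. Addresses and ports are the ones from the post; the extra rdr lines for the second and third jails follow the pattern the post describes.

```pf
ext_if="em0"
int_if="lo1"
internal_net="10.99.0.0/24"

# lo0 and lo1 only carry host-local and jail traffic, so skipping them is fine.
# em0 must NOT be skipped: "set skip" removes the interface from filtering AND
# translation, so an rdr on em0 can never fire while em0 is skipped.
set skip on lo0
set skip on lo1

scrub in all

# Outbound NAT: jail traffic leaves with the host's (DHCP-assigned) address.
nat on $ext_if from $internal_net to any -> ($ext_if)

# One redirect per jail: external port 100+n on em0 -> jail n, port 22.
# (em0) in parentheses tracks the DHCP address if it changes.
rdr on $ext_if proto tcp from any to ($ext_if) port 100 -> 10.99.0.100 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 101 -> 10.99.0.101 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 102 -> 10.99.0.102 port 22

# Filter rules are evaluated after translation, so inbound packets that were
# redirected now have a 10.99.0.x destination and port 22. A tighter ruleset
# would replace "pass in all" with:
#   pass in on $ext_if proto tcp from any to $internal_net port 22 keep state
pass in all
pass out all
```

After reloading with pfctl -f /etc/pf.conf, "pfctl -s state" should show an entry for the laptop's connection to em0 port 100 being mapped to 10.99.0.100:22; if the listing still shows only the host answering, em0 is still in the skip list.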