# Unable to resolve FQDN jails



## thegolum35 (Nov 9, 2012)

Hello, I'm trying to get my jails working but I have a problem. Indeed, only ICMP connections work, I can't stat the problem.

Here is my pf.conf

```
#Macro

int_if = "fxp0"

# Tables

table <flood> persist
table <*beep**beep**beep**beep*er> persist

# Rules

set skip on lo0
set skip on lo1

scrub in all

nat on $int_if from lo1 to any -> ($int_if)

antispoof for fxp0 inet
block log all # Drop all

pass quick log on $int_if proto { icmp icmp6 } # Allow ping
pass out log on $int_if all

pass in quick on $int_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh
#pass in log on $int_if inet proto tcp from any to 192.168.1.40 port 30000 synproxy state (max-src-conn-rate 3/20, overload <flood> flush global)

#pass in quick log on $int_if proto tcp from 192.168.1.0/24 to 192.168.1.40 port 9050
#pass in log on $int_if proto tcp from {!192.168.1.0/24, 10.0.0.0/24} to 192.168.1.40 port 9001

pass in quick log on $int_if from 192.168.50.2 to any

#block quick on $int_if from <flood>
#block quick on $int_if from <*beep**beep**beep**beep*er>
```

Commented lines are useless for fixing the problem. 192.168.50.2 is the IP of my jail; 192.168.1.0/24 is my network.

Thank you.


----------



## SirDice (Nov 9, 2012)

What exactly is the problem? You can't resolve your jail hostnames or you can't resolve anything inside a jail?


----------



## thegolum35 (Nov 9, 2012)

Sorry, I can ping everything but resolving google.fr for example times out.


----------



## SirDice (Nov 9, 2012)

Ah, so it's resolving inside the jail that's the issue. Is /etc/resolv.conf set up properly in the jail?

There are also no rules allowing TCP/UDP port 53 out for DNS.


----------



## thegolum35 (Nov 9, 2012)

```
cat /etc/resolv.conf 
nameserver 8.8.8.8
nameserver 8.8.4.4
```

And I can see the DNS query pass and the answer too but that one isn't forwarded to the jail.



> There are also no rules allowing TCP/UDP port 53 out for DNS.


I think that rule does so, am I wrong?

```
pass out log on $int_if all
```

Beeblebrox:

I said that ICMP connections worked, and I had to allow raw sockets for debugging.


----------



## SirDice (Nov 9, 2012)

thegolum35 said:

> I think that rule does so, am I wrong?
>
> ...


It depends, that allows queries back into your network. But you are using Google's DNS servers, so they are external. Somewhere on your network they need a way out.


----------



## thegolum35 (Nov 9, 2012)

I only have one interface on my server.


----------



## SirDice (Nov 9, 2012)

Have a look with tcpdump(1). Pay close attention to the source addresses of the queries (the NAT might not work properly).

`# tcpdump -nvvi fxp0 port 53`


----------



## thegolum35 (Nov 9, 2012)

```
tcpdump -nvvi fxp0 port 53
192.168.1.40.55512 > 8.8.8.8.53: [udp sum ok] 23567+ A? apple.com. (27)
11:44:25.362315 IP (tos 0x0, ttl 45, id 14424, offset 0, flags [none], proto UDP (17), length 87)
8.8.8.8.53 > 192.168.1.40.55512: [udp sum ok] 23567 q: A? apple.com. 2/0/0 apple.com. A 17.149.160.49, apple.com. A 17.172.224.47 (59)
11:44:26.287199 IP (tos 0x0, ttl 64, id 5568, offset 0, flags [none], proto UDP (17), length 55)
```



It seems to work ...

So the problem is that the server doesn't forward the query to the jail. How may I fix this?


----------



## SirDice (Nov 9, 2012)

Is the jail bound to lo1? And what IP address does it have?


----------



## thegolum35 (Nov 9, 2012)

No, it is not. I was looking for this, how do I do so?
Its IP is 192.168.1.52 (/24)


----------



## SirDice (Nov 9, 2012)

If the jail has 192.168.1.52 then why are the DNS queries coming from 192.168.1.40?


----------



## thegolum35 (Nov 9, 2012)

Because of the NAT rule. I know it's not compulsory but I'd like to do it that way.


----------



## SirDice (Nov 9, 2012)

And it's probably what's causing the issues. Remove it. As you don't have anything bound to lo1 anyway it's rather useless.


----------



## thegolum35 (Nov 9, 2012)

But it might work with NAT, no?


----------



## SirDice (Nov 9, 2012)

You don't need NAT.


----------



## _martin (Nov 9, 2012)

Please can you share the exact network range for fxp0 and lo1? As I understood it, your jail IP is behind the lo1 interface.
Also share the output from:

`# netstat -nrfinet`

This is just my opinion, but it's better to call your external interface "ext_if" rather than "int_if" (short for external/internal). Also, if you start to use macros, use them throughout the whole configuration (e.g. line 10 vs line 11 /not counting spaces/).

There is more than one way to do it, but as you started creating custom interfaces you must pay attention to what is visible and what is not to the external network. One way is to put all IPs on fxp0 and set up the jail. You don't need NAT for that.

Or you can set up the custom interface with a private range and NAT it through the IP on fxp0.


----------
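
The two layouts described in the last reply, written out as an added example that is not part of the original thread or any poster's configuration. The addresses are assumptions taken from the posts (host 192.168.1.40 on fxp0, jail at 192.168.1.52 or 192.168.50.2), and the macro names `ext_if` and `jail_net` and the 192.168.50.0/24 range are chosen here for illustration.

```conf
# Added example, not from the thread. Addresses are assumptions taken from
# the posts: host 192.168.1.40 on fxp0, jail 192.168.1.52 or 192.168.50.2.

# ---- Layout A: jail address is an alias on fxp0, no NAT ----
# /etc/rc.conf
#   ifconfig_fxp0_alias0="inet 192.168.1.52 netmask 255.255.255.255"
# pf.conf: no nat rule at all. The jail's packets leave fxp0 with source
# 192.168.1.52, so tcpdump should show .52, not .40, as the query source.

# ---- Layout B: jail on a private range on lo1, NAT through fxp0 ----
# /etc/rc.conf
#   cloned_interfaces="lo1"
#   ifconfig_lo1="inet 192.168.50.2 netmask 255.255.255.255"

ext_if   = "fxp0"
jail_net = "192.168.50.0/24"     # assumed private range for jails

set skip on lo0
set skip on lo1

scrub in all

# Match on the jail network, not on the lo1 interface name: "from lo1"
# expands to whatever addresses lo1 holds when the ruleset is loaded.
# ($ext_if:0) translates to the primary address of fxp0 and ignores aliases.
nat on $ext_if inet from $jail_net to any -> ($ext_if:0)

block log all
pass quick log on $ext_if inet proto icmp
pass out log on $ext_if all keep state       # covers DNS to 8.8.8.8/8.8.4.4
pass in quick on $ext_if proto tcp from 192.168.1.29 to 192.168.1.40 port ssh

# Check after editing:
#   pfctl -nf /etc/pf.conf     parse only, do not load
#   pfctl -f /etc/pf.conf      load
#   pfctl -s nat               loaded translation rules
#   pfctl -s state             a NATed DNS state shows both 192.168.50.2
#                              and 192.168.1.40
```

Use one layout or the other: a jail whose address already sits on fxp0 (Layout A) has nothing for the nat rule to translate.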

