# Jail networking problem after boot



## neal (Oct 24, 2014)

Hi.

I have a new system running 10.1-RC2 that contains a jail created using ezjail. I am using IPFW to forward some ports to the jail.

The problem I have is that after reboot the networking to the jail does not work. For some reason I'm getting no data through. If I then manually reload the firewall rules, all works perfectly. I have checked the rules and they are exactly the same before and after the reload.

Initially I let ezjail create the network aliases, but I added them to rc.conf myself, but alas this does not fix the problem.

Is there something obvious I've missed here?


----------



## fred974 (Oct 24, 2014)

Hi neal,

I don't know IPFW but it would be a good idea to share the content of your /etc/rc.conf file and IPFW. So we can see if you missed anything obvious.


----------



## neal (Oct 24, 2014)

The configuration of my system is very simple, as it just runs two jails and almost nothing else. IPFW is used to redirect some ports, but it's a very simple setup. I'm using a similar IPFW configuration on my firewall machine with great success. The only difference is that there are no jails are involved and all interfaces are real, no aliases.


----------



## wblock@ (Oct 24, 2014)

Sometimes this is caused by Ethernet interfaces not being up by the time the firewall is started.  For PF, the interface name can be put in parentheses, and it will be used when available.  For IPFW, I don't know.  Maybe use netwait (`man rc.conf | less -p netwait`) to delay the startup until networking is ready.


----------



## neal (Oct 27, 2014)

I've tried all the obvious stuff, so I think it's time to abandon this strategy. It occurred to me this morning that while I was looking for a simple plug in replacement for my old network server, I had already split the services into four different jails, which tells me that maybe I should be treating them as different servers and let the upstream firewall do the port redirection, which it is already doing quite happily anyway. The annoying thing is that the redirection I've been trying to do does work, just not after boot until I reload the firewall, which suggests a problem to me.

Here's a random question: I've been using IPFW for over ten years quite happily now, but I notice that PF seems to be quite popular these days. Is there a compelling technical reason for its popularity, or is it the same just different?


----------



## ShelLuser (Oct 27, 2014)

neal said:


> Here's a random question: I've been using IPFW for over ten years quite happily now, but I notice that PF seems to be quite popular these days. Is there a compelling technical reason for it's popularity, or is it the same just different?


I'm also happily using IPFW, but that has more to do with my Solaris roots. That and my "_If it isn't broke don't fix it_" mentality of course.

I've also asked this question a few times and from what I could tell the most compelling reason was that PF was more actively maintained/developed than IPFW. So basically more new features can find their way into PF in comparison to IPFW, at least that's what I came to conclude.


----------



## wblock@ (Oct 27, 2014)

PF is, in my opinion, easier to configure.  NAT is integrated, the rules make more sense to me, and the PF commands seem to be more powerful than those in IPFW.  Technically, I think it's similar to the situation with Sendmail and Postfix.  Both can do the job.


----------

