# RPi3+, Jail, IPFW and NAT



## tatools (Mar 7, 2019)

I have an RPi3+ here. A jail is to run on it with NAT. IPFW should be used here (yes, I know there is also PF, but IPFW is the company's default).

Gateway: 192.168.2.1

RPi3+: 192.168.2.35 / 255.255.255.0
Jail: 10.0.0.2 (/usr/jails/jail2icinga)

/etc/rc.conf:


```
hostname="raspberrypi3"
ifconfig_ue0="inet 192.168.2.35 netmask 255.255.255.0"
defaultrouter="192.168.2.1"

sshd_enable="YES"

sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

growfs_enable="YES"

#JAILS
jail_enable="YES"

#IPFW
firewall_enable="YES"
firewall_type="open"

#NAT
cloned_interfaces="lo1"
ifconfig_lo1_alias0="inet 10.0.0.2 netmask 255.255.255.0"
gateway_enable="YES"
```

/etc/jail.conf:

```
exec.start="/bin/sh /etc/rc";

exec.stop="/bin/sh /etc/rc.shutdown";

exec.clean;

mount.devfs;

# Network interface
interface="lo1";

jail2icinga {
 host.hostname = "jail2icinga.local";
 path = /usr/jails/jail2icinga;
 ip4.addr = "10.0.0.2";
 allow.raw_sockets=1;
 allow.chflags;
 allow.mount.procfs;
 allow.mount.devfs;
}
```

/etc/sysctl.conf:

```
# ALLOW JAIL RAW SOCKETS
security.jail.allow_raw_sockets=1

# ALLOW UPGRADES IN JAIL
security.jail.chflags_allowed=1

security.jail.sysvipc_allowed=1
net.inet.ip.forwarding=1
```

ifconfig:

```
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
   inet6 ::1 prefixlen 128 
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
   inet 127.0.0.1 netmask 0xff000000 
   groups: lo 
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
   inet 10.0.0.2 netmask 0xffffffff 
   groups: lo 
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
   ether b8:27:eb:b5:d1:a3
   inet 192.168.2.35 netmask 0xffffff00 broadcast 192.168.2.255 
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
```

Since I have chosen the profile "open" in IPFW, no extra config should be needed here.

```
% uname -a
FreeBSD raspberrypi3 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  arm64
```
Problem: the jail cannot establish any network communication (pinging by IP and by FQDN does not work); from the main host this is not a problem. Where is the error?


----------



## hukadan (Mar 7, 2019)

tatools said:


> Jail is to run with NAT


Where is the NAT part of your config ?


----------



## SirDice (Mar 7, 2019)

There's no NAT happening. So your packets go out but the responses are sent elsewhere. This can work without NAT but your network needs to have a route for 10.0.0.0/24.


----------



## hukadan (Mar 7, 2019)

You should have a look at https://www.freebsd.org/doc/handbook/firewalls-ipfw.html#network-natd.


----------



## malavon (Mar 7, 2019)

I'm wondering why the handbook talks about `natd` when IPFW has a built-in NAT rule.
I don't have natd enabled on my router, but instead I have these in my firewall rules:

```
ipfw nat 1 config if $pif log unreg_only

#################################################################
# No restrictions on Inside Lan Interface for private network
#################################################################
ipfw add 005 allow all from any to any via $iif

#################################################################
# No restrictions on Loopback Interface
#################################################################
ipfw add 010 allow all from any to any via lo0

#################################################################
# Wait for fragments to be reassembled before going through
#################################################################
ipfw add 011 reass all from any to any in

#################################################################
# check if packet is inbound and nat address if it is
#################################################################
ipfw add 014 nat 1  ip from any to any via $pif in

# here go the rest of my rules, e.g. allowing access to DNS/DHCP and whatever I want to allow out/in
```
$pif is my public interface, $iif is my internal interface

I am not an expert on IPFW though, I cobbled my firewall config together from multiple configs I found on the internet. If someone thinks what I did isn't good, please correct me.
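Putting the replies together, here is a complete ruleset for the configuration in the first post, using the in-kernel `ipfw nat` approach from malavon's rules rather than `natd`. This is an added example, not code from any of the posters. It keeps the "allow everything" policy of the original `firewall_type="open"` setup and only adds the address translation that SirDice points out is missing (the `open` profile passes packets but does not rewrite their source, so replies to 10.0.0.2 never come back). It assumes the interface names and addresses from the first post (`ue0`, `lo1`, `10.0.0.0/24`); the file name `/etc/ipfw.rules`, the rule numbers and the `DRY_RUN` variable are assumptions made here.

```sh
#!/bin/sh
# /etc/ipfw.rules -- example IPFW ruleset with in-kernel NAT for a jail on lo1.
# Added example, not from the forum thread. Wire it in with
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.rules"
# in /etc/rc.conf (replacing firewall_type="open"); rc.d/ipfw runs it with /bin/sh.
# Interface names and addresses are the ones from the first post; the file
# name, the rule numbers and DRY_RUN are assumptions.

PIF="${PIF:-ue0}"                   # interface towards 192.168.2.0/24 (gateway side)
JAIL_IF="${JAIL_IF:-lo1}"           # cloned loopback that carries the jail's 10.0.0.2
JAIL_NET="${JAIL_NET:-10.0.0.0/24}" # jail network that needs translating
IPFW="${IPFW:-ipfw -q}"

# build_rules prints the ipfw commands instead of executing them, so the
# ruleset can be reviewed (or checked by a test) before it touches the kernel.
build_rules() {
    cat <<EOF
${IPFW} -f flush
# One NAT instance bound to ${PIF}: translate private (RFC 1918) sources only,
# keep source ports where possible, flush the table if ${PIF} changes address.
${IPFW} nat 1 config if ${PIF} unreg_only same_ports reset
# Loopback and the jail interface are neither translated nor filtered.
${IPFW} add 100 allow ip from any to any via lo0
${IPFW} add 110 allow ip from any to any via ${JAIL_IF}
# Reassemble fragments before NAT looks at them.
${IPFW} add 200 reass ip from any to any in
# Inbound on ${PIF}: rewrite replies back to the jail's address.
${IPFW} add 300 nat 1 ip4 from any to any in via ${PIF}
# Outbound on ${PIF}: rewrite the jail's 10.0.0.x source to the address of ${PIF}.
${IPFW} add 400 nat 1 ip4 from ${JAIL_NET} to any out via ${PIF}
# Same "allow everything" tail as the stock open profile.
${IPFW} add 65000 allow ip from any to any
EOF
}

# apply_rules loads the in-kernel NAT module if it is not already there
# (rc.d/ipfw only loads ipfw itself) and feeds the generated commands to sh.
apply_rules() {
    kldstat -q -m ipfw_nat || kldload ipfw_nat
    build_rules | /bin/sh
}

# Apply when run as root on a host that has ipfw (i.e. at boot from rc.d/ipfw);
# anywhere else, or with DRY_RUN set, only print the rules for review.
if [ "$(id -u)" = 0 ] && command -v ipfw >/dev/null 2>&1 && [ -z "${DRY_RUN:-}" ]; then
    apply_rules
else
    build_rules
fi
```

To check it after `service ipfw restart`, run `jexec jail2icinga ping -c 3 192.168.2.1` on the host while `tcpdump -ni ue0 icmp` is running: the echo requests should now leave `ue0` with source 192.168.2.35 instead of 10.0.0.2, and `ipfw -a list` should show the counters on rules 300 and 400 increasing. Two caveats: with the default `net.inet.ip.fw.one_pass=1` a packet that goes through a `nat` rule is accepted right there and is not matched against later rules, so if filtering after translation is wanted, set `net.inet.ip.fw.one_pass=0` in /etc/sysctl.conf; and pinging by FQDN from the jail additionally needs a usable `/etc/resolv.conf` inside the jail, which NAT alone does not provide.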


----------

