From: "James B. Byrne"
To: "Arthur Chance"
Cc: freebsd-questions@freebsd.org
Reply-To: byrnejb@harte-lyne.ca
Date: Thu, 31 May 2018 15:01:59 -0400
Subject: Re: What have I neglected to do in order to get networking in a jail?
Message-ID: <63611c4aa30f84022b570685135a14dc.squirrel@webmail.harte-lyne.ca>

On Thu, May 31, 2018 10:29, Arthur Chance wrote:
> On 31/05/2018 15:21, James B. Byrne wrote:
>>
>> On Thu, May 31, 2018 09:40, Arthur Chance wrote:
>>
>>>
>>> I've just taken another look at your original mail. I think the key
>>> might be in this
>>>
>>>> [root@host:~]# jls
>>>>    JID  IP Address      Hostname      Path
>>>>      1  127.0.31.1      mx31
>>>> /usr/jails/mx31
>>>
>>> Note address ^^^^^
>>>
>>
>> The command jls reports the loopback address for all of the jails I
>> have defined on other hosts. For example:
>>
>> [root@vhost02 ~]# jls
>>    JID  IP Address      Hostname      Path
>>      2  127.0.34.1      hlldns04      /usr/jails/hlldns04
>>      3  127.0.150.1     hllmx150      /usr/jails/hllmx150
>>
>
> Addresses in 127/8 must not appear on the network anywhere
> (https://tools.ietf.org/html/rfc5735#page-3), and FreeBSD has specific
> checks in the networking code to prevent this. If any jail with such an
> address is contacting the network then there must be some form of NAT
> involved. I can only suggest you check for differences between the jails
> that can get out and the one that can't *and* look for NAT on the
> host(s) with jails that can get out.
>

The 127.0.x.1 addresses are used by the cloned loopback interfaces
that the jails require. Traffic on those addresses is going nowhere
but back to the jail that owns them. I have several hosts with
multiple jails and on every one of them the jls command displays the
loopback address assigned to the jail.

[root@vhost04 ~ (master #)]# jls
   JID  IP Address      Hostname      Path
     1  127.0.124.1     hll124        /usr/jails/hll124

[root@vhost02 ~]# jls
   JID  IP Address      Hostname      Path
     1  127.0.150.1     hllmx150      /usr/jails/hllmx150
     2  127.0.34.1      hlldns04      /usr/jails/hlldns04

[root@vhost03 ~]# jls
   JID  IP Address      Hostname      Path
     1  127.0.151.1     hllmx04       /usr/jails/hllmx04
     2  127.0.33.1      hlldns02      /usr/jails/hlldns02

I can go on but I believe that the point is made. Each of these jails
can reach the internet. Some hosts are on the same LAN segment as the
host with the jail I am having problems with. NAT is not involved as
the IP address assigned to the jail's virtual interface is public.

I have discovered my error. It is a typo in the IP address assigned
to the jail. I wrote 218.185.71.31 when it should have been
216.185.71.31. I must have looked at that line in the jail
configuration file a dozen times or more and missed it.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
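
Added example, not part of the original message and not the poster's configuration: a check that would have caught the typo described above by comparing every non-loopback ip4.addr entry in a jail.conf against the prefixes that are on-link for the host. The jail.conf fragment is constructed, and the interface names (lo1, em0), the second jail's public address and the 216.185.71.0/24 prefix are assumptions.

```python
import ipaddress
import re

# Constructed jail.conf fragment reproducing the typo from the thread.
# Interface names and the hllmx150 public address are assumptions.
SAMPLE_JAIL_CONF = '''
mx31 {
    host.hostname = "mx31";
    path = "/usr/jails/mx31";
    ip4.addr = "lo1|127.0.31.1", "em0|218.185.71.31";
}
hllmx150 {
    host.hostname = "hllmx150";
    path = "/usr/jails/hllmx150";
    ip4.addr = "lo1|127.0.150.1", "em0|216.185.71.150/24";
}
'''

# Assumed on-link prefix of the host's external interface.
HOST_NETWORKS = [ipaddress.ip_network("216.185.71.0/24")]

JAIL_RE = re.compile(r'^\s*([\w.-]+)\s*\{(.*?)^\s*\}', re.M | re.S)
ADDR_RE = re.compile(r'ip4\.addr\s*\+?=\s*([^;]+);')


def jail_addresses(conf):
    """Yield (jail, interface, IPv4Address) for every ip4.addr entry."""
    for name, body in JAIL_RE.findall(conf):
        for value in ADDR_RE.findall(body):
            for item in value.split(","):
                item = item.strip().strip('"')
                # Entries have the form [interface|]address[/netmask].
                iface, _, addr = item.rpartition("|")
                addr = addr.split("/")[0].split()[0]
                yield name, iface or None, ipaddress.ip_address(addr)


def audit(conf, host_networks):
    """Return (jail, address, reason) for addresses that are not on-link."""
    findings = []
    for name, iface, addr in jail_addresses(conf):
        if addr.is_loopback:
            continue  # 127/8 stays on the cloned loopback, as in the thread
        if not any(addr in net for net in host_networks):
            findings.append((name, str(addr), "not in any host network"))
    return findings
```
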