From owner-freebsd-questions@FreeBSD.ORG Fri Aug 30 00:02:12 2013
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 6AF9F328 for ; Fri, 30 Aug 2013 00:02:12 +0000 (UTC) (envelope-from aimass@yabarana.com)
Received: from mail-ob0-f169.google.com (mail-ob0-f169.google.com [209.85.214.169]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 2F8C6246C for ; Fri, 30 Aug 2013 00:02:11 +0000 (UTC)
Received: by mail-ob0-f169.google.com with SMTP id es8so1269871obc.14 for ; Thu, 29 Aug 2013 17:02:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date:message-id:subject:from:to:cc:content-type; bh=1FeBZYOGMu6Bi8fcjn3bNEAEZ7RuoxE6jtvkZBDtVDI=; b=OUn9Fr8vx/51Y98uCo4nOhxj46fyX1/KST2AnpF59IBDcoYeJv6foAjIxFVKzeAPNb4bG5uuZfGgJKOJ43kObDaWD5khUyzvRUXAYJH4gXAX9VVJVryfVMqmYz5LwKS4gfQ0eODvSFmAcCL1euw9lkINT2C7dX1KJ//G+Re40HsPeZBBe+Zz4laAUrQNJtSwQiOwAbMo2IgbOkN5MOOKKVVaajOxRKliaiSQBhPfCNpz8pFlX4SxTSwmaqWQo5aNCCrsVB+enJVyQHVmxYi0ztew8fVs6v3h2gYL8WGgVZMKfoZ5JIX6wfB1bCEI1l7mwZyoxe0oJ68COGk/dZkBqg==
X-Gm-Message-State: ALoCoQkvrN3mI1m/QghLGaRn5skR6X0US+715mi7dx2e7Nu4imubkzp7VhUTT2wWAwvFeNjN9syN
MIME-Version: 1.0
X-Received: by 10.182.158.104 with SMTP id wt8mr4461491obb.95.1377820435524; Thu, 29 Aug 2013 16:53:55 -0700 (PDT)
Received: by 10.182.148.164 with HTTP; Thu, 29 Aug 2013 16:53:55 -0700 (PDT)
In-Reply-To: 
References: <521DC5EC.1010701@fjl.co.uk> <521E5976.8000605@fjl.co.uk> <521F0BD6.7040306@fjl.co.uk> <521F0E6B.8020507@fjl.co.uk>
Date: Thu, 29 Aug 2013 19:53:55 -0400
Message-ID: 
Subject: Re: Jail with public IP alias
From: Alejandro Imass 
To: Patrick 
Content-Type: text/plain;
charset=ISO-8859-1
Cc: Frank Leonhardt , FreeBSD Questions 
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions 
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Fri, 30 Aug 2013 00:02:12 -0000

On Thu, Aug 29, 2013 at 5:07 PM, Patrick wrote:
> On Thu, Aug 29, 2013 at 12:07 PM, Alejandro Imass wrote:
>> On Thu, Aug 29, 2013 at 5:03 AM, Frank Leonhardt wrote:
>>> On 29/08/2013 09:52, Frank Leonhardt wrote:
>>>>
>> [...]
> Aliases should have a netmask of 255.255.255.255. What you're seeing is
> not typical behaviour on FreeBSD.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-virtual-hosts.html
>
> Patrick

Thanks for pointing this out, the manual is effectively very clear on
this. So, I changed the masks for ALL the aliases on that server to /32.
It alone has more than 30 aliases on lo0 and 4 public IPs. I tested and
it still has the same problem. So I rebooted just in case, and the
problem still persists:

$ ifconfig em0
em0: flags=8843 metric 0 mtu 1500
        options=209b
        ether 00:30:48:bd:b9:1a
        inet xxx.yyy.52.74 netmask 0xffffff80 broadcast xxx.yyy.52.127
        inet xxx.yyy.52.70 netmask 0xffffffff broadcast xxx.yyy.52.70
        inet xxx.yyy.52.71 netmask 0xffffffff broadcast xxx.yyy.52.71
        inet xxx.yyy.52.73 netmask 0xffffffff broadcast xxx.yyy.52.73
        media: Ethernet autoselect (1000baseT )
        status: active

$ ssh -b xxx.yyy.52.70 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER   TTY     FROM            LOGIN@  IDLE WHAT
foo    pts/14  xxx.yyy.52.74   7:58PM     - w -n

$ ssh -b xxx.yyy.52.71 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER   TTY     FROM            LOGIN@  IDLE WHAT
foo    pts/14  xxx.yyy.52.74   7:58PM     - w -n

$ ssh -b xxx.yyy.52.73 foo@bar
Password:
 7:58PM  up 131 days,  3:14, 1 user, load averages: 0.02, 0.01, 0.00
USER   TTY     FROM            LOGIN@  IDLE WHAT
foo    pts/14  xxx.yyy.52.74   7:58PM     - w -n

I don't understand why I get different results than yours and Frank's.
We run a pretty standard set-up, so why is this not working for us?
Could it be because we turned off TCO on the NIC?

One of you asked about NAT. We are using natd to NAT some public ports
to other ports on the private IPs that are aliases of lo0. This is for
the jails that don't have public IPs; we just forward some ports to the
jail's ports like this:

For example:

redirect_port tcp 192.168.101.123:22 12322
redirect_port tcp 192.168.101.123:80 12380

Could this have an effect on OUTBOUND connections? Seems unlikely to me,
but I think one of you asked about NAT, I suspect for a good reason.
I'll turn off the natting temporarily and test.

Best,

--
Alejandro Imass
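The thread's first suspect is the netmask on the aliases: the Handbook rule Patrick quotes is that every alias after the primary address on an interface carries a /32 (0xffffffff) mask, and a box with 30-plus aliases on lo0 is easy to get wrong by hand. The script below is an added example, not something from the thread or from FreeBSD itself: it parses ifconfig(8)-style output and reports every alias whose netmask is not 0xffffffff. The sample text it runs on is constructed (documentation addresses 192.0.2.x stand in for the xxx.yyy.52.x addresses above, and one alias is deliberately given the wrong mask so the report is non-empty); the function names check_aliases and count_bad_aliases are this example's own. On a real host you would pipe `ifconfig -a` into check_aliases instead of the sample. Note that it only audits masks; it does not explain or test the ssh -b source-address behaviour discussed above.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit ifconfig output for
# IPv4 aliases that do not carry the /32 (0xffffffff) netmask the FreeBSD
# Handbook recommends for aliases.

# Constructed sample, modelled on the em0 output in the thread. The .71 alias
# is deliberately given the primary's /25 mask to show what gets reported.
SAMPLE_IFCONFIG='em0: flags=8843 metric 0 mtu 1500
        ether 00:30:48:bd:b9:1a
        inet 192.0.2.74 netmask 0xffffff80 broadcast 192.0.2.127
        inet 192.0.2.70 netmask 0xffffffff broadcast 192.0.2.70
        inet 192.0.2.71 netmask 0xffffff80 broadcast 192.0.2.127
        inet 192.0.2.73 netmask 0xffffffff broadcast 192.0.2.73
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet 192.168.101.123 netmask 0xffffffff'

# check_aliases: reads ifconfig(8)-style text on stdin. Within each interface
# block the first "inet" line is the primary address; every later "inet" line
# is an alias. Prints "iface address netmask" for each alias whose netmask is
# not 0xffffffff, and nothing when everything is configured as recommended.
check_aliases() {
    awk '
        # An interface header looks like "em0: flags=..."; reset the counter.
        /^[a-z0-9]+:/ { iface = $1; sub(/:$/, "", iface); seen[iface] = 0; next }
        $1 == "inet" {
            seen[iface]++
            # $2 is the address, $4 the netmask in ifconfig hex notation.
            if (seen[iface] > 1 && $4 != "0xffffffff")
                printf "%s %s %s\n", iface, $2, $4
        }'
}

# count_bad_aliases: number of offending aliases in the text passed as $1.
count_bad_aliases() {
    printf '%s\n' "$1" | check_aliases | wc -l | tr -d ' '
}

# Run the audit on the constructed sample. On a live host use:
#   ifconfig -a | check_aliases
printf '%s\n' "$SAMPLE_IFCONFIG" | check_aliases
```

The awk treats the first inet line of each interface as the primary and never flags it, so a /25 on em0's main address is accepted while the same mask on a later alias is reported. Exit status is not used for pass/fail; count the lines (count_bad_aliases) if you want to wire this into a cron check or a configuration test.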