Date:      Fri, 23 Mar 2018 17:14:14 +0100
From:      Joerg Surmann <joerg_surmann@elektropost.org>
To:        Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD-Jail <freebsd-jail@FreeBSD.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: two NIC's in a jail
Message-ID:  <78112343-662e-7890-f5ee-668fda23b834@elektropost.org>
In-Reply-To: <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz>
References:  <63ecbccc-48e2-4c67-fbf5-0a73094f29be@elektropost.org> <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz> <bb02401b-e43b-7800-5a15-025636a2971f@elektropost.org> <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

tail -f /var/log/httpd-access.log
192.168.100.2 - - [23/Mar/2018:13:12:10 +0000] "OPTIONS * HTTP/1.0" 200 -
192.168.100.2 - - [23/Mar/2018:15:12:02 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:07 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:08 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:09 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:37 +0000] "GET / HTTP/1.1" 302 209
213.70.80.92 - - [23/Mar/2018:15:35:44 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:45 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:46 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:58:05 +0000] "GET / HTTP/1.1" 302 209

tail -f /var/log/httpd-error.log
[Fri Mar 23 12:08:18.142835 2018] [mpm_prefork:notice] [pid 18904] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations
[Fri Mar 23 12:08:18.142925 2018] [core:notice] [pid 18904] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Fri Mar 23 12:30:19.005654 2018] [mpm_prefork:notice] [pid 18904] AH00169: caught SIGTERM, shutting down
[Fri Mar 23 12:31:11.111900 2018] [ssl:warn] [pid 2542] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 23 12:31:11.847515 2018] [mpm_prefork:notice] [pid 2542] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations
[Fri Mar 23 12:31:11.847589 2018] [core:notice] [pid 2542] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Fri Mar 23 15:32:08.238227 2018] [mpm_prefork:notice] [pid 2542] AH00169: caught SIGTERM, shutting down
[Fri Mar 23 15:32:08.414689 2018] [ssl:warn] [pid 40920] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 23 15:32:08.716943 2018] [mpm_prefork:notice] [pid 40920] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations
[Fri Mar 23 15:32:08.717018 2018] [core:notice] [pid 40920] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     2  apache24                      /usr/jails/apache24
        apache24                      ACTIVE
        3
        192.168.100.2
        213.70.80.92


jls -s

devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2
name=apache24 osreldate=1101001 osrelease=11.1-RELEASE
path=/usr/jails/apache24 nopersist securelevel=-1 sysvmsg=disable
sysvsem=disable sysvshm=disable allow.nochflags allow.mount
allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs
allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs
allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets
allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0
host.domainname="" host.hostid=0 host.hostname=apache24
host.hostuuid=00000000-0000-0000-0000-000000000000

On 23.03.2018 at 16:58, Miroslav Lachman wrote:
> Joerg Surmann wrote on 2018/03/23 16:45:
>> Thanks for the reply.
>>
>> netstat -an | egrep 'tcp4.*80 .*LISTEN'
>> say:
>> netstat: kvm not available: /dev/mem No such file or directory <- this
>> is inside a jail.
>> tcp4       0      0 *.80                   *.*                    LISTEN
>>
>> grep -i Listen /usr/local/etc/apache24/httpd.conf
>>
>> Listen 80
>> Listen 443
>>
>> From the internal IP there is no problem.
>> You are right. I'm not sure on which IPs Apache is listening.
>>
>> I have change the Listen directive to the external IP in httpd.conf
>> Listen 213.70.80.92:80
>>
>> netstat -an | egrep 'tcp4.*80 .*LISTEN'
>> now say:
>> tcp4       0      0 213.70.80.92:80        *.*                    LISTEN
>>
>> But Apache is not available from the Internet.
>> From the intranet... no problem.
>>
>> When I use tcpdump on the host I can see traffic.
>>
>> What's wrong?
>
> That's strange.
>
> Listen 80 and Listen 443 is OK, it is the same as
>   Listen *:80
>   Listen *:443
> and as you see with netstat, Apache was listening on both IPs:
>  *.80                   *.*                    LISTEN
>
> Do you have something listening on port 80 in the Host?
>
> What netstat shows in the host?
>
> Also check Apache log files. If you didn't configure virtual host,
> then you have just these two log files:
> /var/log/httpd-access.log
> /var/log/httpd-error.log
>
> Use tail and then try to access your website from the internet
>
> # tail -f /var/log/httpd-*.log
>
> Please send what "jls -v" in the Host will show you. (there should be
> 2 IPs for your jail) or "jls -s" (replace any sensitive information
> if you want)
>
> And move this discussion to proper mailing list:
>  freebsd-jail@FreeBSD.org
>
> Miroslav Lachman
>
>
>> On 23.03.2018 at 16:07, Miroslav Lachman wrote:
>>> Joerg Surmann wrote on 2018/03/23 13:49:
>>>> Hi all,
>>>>
>>>> I have a problem understanding how to manage 2 networks inside a jail.
>>>>
>>>> I have created a jail (using ezjail) with an alias IP.
>>>> in rc.conf (on Host):
>>>>
>>>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>>>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this
>>>> is the jail IP
>>>>
>>>> Inside the jail apache24 is running.
>>>>
>>>> Now I have added a new NIC to the system.
>>>> in rc.conf (on Host):
>>>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>>>
>>>> in /usr/local/etc/ezjail/myjail.conf:
>>>> I added the new IP:
>>>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>>>
>>>> Restart the jail and ifconfig looks fine.
>>>> vmx0 -> inet 192.168.100.2
>>>> em0  -> inet 213.70.80.92
>>>>
>>>> Apache Listen on all NIC's (<VirtualHost *:80>)
>>>> But I can see my website only via 192.168.100.2 from the internal network.
>>>>
>>>> The Host is behind a Firewall.
>>>> The IP 213.70.80.92 is enabled for incoming traffic.
>>>>
>>>> When I enter the hostname in a browser I get "connection Timeout".
>>>>
>>>> What needs to be done so that the host is accessible from the Internet?
>>>
>>> Are you sure Apache is listening on both IPs?
>>>
>>> What netstat says?
>>>
>>> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>>
>>> Also check what you have in httpd.conf for Listen directive
>>>
>>> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>>>
>>> I am not using ezjail, I am using jail.conf
>>>
>>> costa {
>>>         host.hostname   = "costa.example.com";
>>>         ip4.addr        = AA.BB.CCC.DDD;
>>>         ip4.addr       += 192.168.222.57;
>>> }
>>>
>>> Real IP was replaced with AA.BB.CCC.DDD
>>>
>>> And it works. Services inside jail must be listening on both IPs or
>>> wildcard * (0.0.0.0)
>>>
>>> And be sure to disable host services listening on the IPs and ports you
>>> want to be served from the jail.
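An added diagnostic, written by the editor and not taken from the thread: the two checks Miroslav asks for, as a small POSIX sh script. The first reports, from `netstat -an` output taken on the host (where host and jail sockets are both visible), which local addresses have a LISTEN socket on a given port, so that a host service bound to the same port or a jail bound only to one address shows up immediately. The second walks an Apache access log and marks each request as coming from one of the jail's own addresses (like the "OPTIONS *" requests Apache sends itself during restarts, which is all the log above contains) or from an outside client; zero external requests means no outside connection ever reached httpd, whatever tcpdump on the host shows. The `netstat -an` column layout, the common-log-format access log and all sample data are assumptions constructed to resemble the thread's output, plus one made-up external client 198.51.100.7.

```shell
#!/bin/sh
# Editor's added example, not code from the thread. Offline checks for the
# symptom above (Apache in a jail with two IPs answers only on the internal one).
# Assumptions: FreeBSD `netstat -an` column layout (Proto Recv-Q Send-Q Local
# Foreign (state)) with the local address written as ADDR.PORT or *.PORT, and an
# Apache access log in common log format. All sample data below is constructed.

# listeners_for_port PORT   (stdin: `netstat -an` output, run on the HOST so
# that host and jail sockets are both visible). Prints the local address of
# every tcp4 LISTEN socket on PORT; "*" is a wildcard bind, which inside a
# jail covers every address the jail owns.
listeners_for_port() {
    awk -v port="$1" '
        $1 == "tcp4" && $NF == "LISTEN" {
            if (match($4, /[.:][0-9]+$/) == 0) next   # ADDR.PORT (or ADDR:PORT)
            if (substr($4, RSTART + 1) != port) next
            print substr($4, 1, RSTART - 1)
        }'
}

# bound_on PORT IP   (stdin as above). Prints "explicit" if a socket is bound
# to IP:PORT, "wildcard" if only *.PORT is present, "none" otherwise.
bound_on() {
    listeners_for_port "$1" | awk -v ip="$2" '
        $0 == ip             { r = "explicit" }
        $0 == "*" && r == "" { r = "wildcard" }
        END { print (r == "" ? "none" : r) }'
}

# classify_clients IP1,IP2,...   (stdin: access log). Marks each request
# "self" when the client address is one of the jail's own IPs and "external"
# otherwise, then prints the request line.
classify_clients() {
    awk -v self="$1" '
        BEGIN { n = split(self, s, ","); for (i = 1; i <= n; i++) own[s[i]] = 1 }
        {
            req = "-"
            if (match($0, /"[^"]*"/)) req = substr($0, RSTART + 1, RLENGTH - 2)
            tag = ($1 in own) ? "self" : "external"
            print tag, $1, req
        }'
}

# external_requests IP1,IP2,...   (stdin: access log). Number of requests
# whose client is not one of the jail's own addresses.
external_requests() {
    classify_clients "$1" | awk '$1 == "external" { c++ } END { print c + 0 }'
}

# Constructed sample: what `netstat -an` on the host might show with the
# jail's httpd bound to the wildcard and sshd bound to the host's address.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 192.168.100.1.22       *.*                    LISTEN
tcp4       0      0 192.168.100.1.22       192.168.100.50.51234   ESTABLISHED'

# Constructed sample access log: the first three lines look like the thread's
# (only the jail's own addresses as clients); the fourth is a made-up outside
# client for contrast.
SAMPLE_LOG='192.168.100.2 - - [23/Mar/2018:15:12:02 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:07 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:37 +0000] "GET / HTTP/1.1" 302 209
198.51.100.7 - - [23/Mar/2018:15:40:00 +0000] "GET / HTTP/1.1" 302 209'

JAIL_IPS=192.168.100.2,213.70.80.92

if [ "${1:-}" = "demo" ]; then
    for ip in 192.168.100.2 213.70.80.92; do
        printf '%s port 80: %s\n' "$ip" \
            "$(printf '%s\n' "$SAMPLE_NETSTAT" | bound_on 80 "$ip")"
    done
    printf '%s\n' "$SAMPLE_LOG" | classify_clients "$JAIL_IPS"
    echo "external requests: $(printf '%s\n' "$SAMPLE_LOG" | external_requests "$JAIL_IPS")"
fi
```

Run it as `sh check_jail_http.sh demo` to see it on the sample data; on a real host, pipe `netstat -an` and `/var/log/httpd-access.log` into the functions instead. Against the access log quoted above, where every client address is one of the jail's two IPs, `external_requests` would report 0.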