From: Brice ERRANDONEA
To: freebsd-questions@freebsd.org
Date: Wed, 11 Aug 2010 18:24:53 +0000 (GMT)
Subject: Re: How to connect a jail to the web ?
Message-ID: <263335.86236.qm@web24604.mail.ird.yahoo.com>

Thank you very much for your answer. It helped me understand some elements. But
portsnap still doesn't work.

>> So, I can't contact DNS servers able to translate www.freebsd.org to
>> its ip. Since I know this ip, I tried: "ping 69.147.83.33". This
>> time, the error message is:
>>
>> ping: socket: Operation not permitted
>
> ping(1) uses raw sockets in order to be able to send and
> receive ICMP packets. By default, raw sockets are disallowed
> in jails. To change that, use this command on the host:
>
> sysctl security.jail.allow_raw_sockets=1
>
> Add an entry to /etc/sysctl.conf so the setting will survive
> reboots.

I did it but ping still doesn't work.

>> 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
>
> Well, localnet addresses are not routed. If you give your
> jail a localnet address, it won't be able to access the
> network outside of the host. (Unless you take measures
> to rewrite/translate the addresses and forward them.)
> That's why DNS and portsnap don't work.
>
> I suggest using the address 192.168.1.38 for the jail,
> at least during installation. Make sure that the file
> /etc/resolv.conf inside the jail is correct, so DNS will
> work. Copying it from the host should be sufficient.

Isn't 192.168.1.38 a localnet address too? Do you mean I should use the public
ip of my computer here?

> By the way, you don't have to build ports inside the jail.
> Of course you *can* do that, but there are other ways, too.
> For example, you could build packages (apache etc.) on
> the host, or in a different jail, or even on a different
> machine, and then use pkg_add(8) inside your jail to
> install them.

I prefer doing it that way. I will use apache later so I will have to connect the
jail to the internet anyway.

>> And also how the computer knows which data is for the jail and which
>> one is for the loopback.
>
> Services (such as apache) listen on certain ports for
> connections. For example, the default port for the HTTP
> protocol is 80. So, when someone is trying to open a
> connection to your IP address on port 80, your kernel
> looks it up in its table of listening TCP sockets and
> finds the apache process which is running inside the jail.
> So the connection is handed to the jail.
>
> (This is a bit oversimplifying, but basically that's how
> it works.)

OK. This is clear. And it explains how multiple jails can share the same
address.

>> Despite the sshd_enable="YES" line, I can't ssh from the host to the
>> jail. Well, I can... The first time I did it, I was asked if I wanted
>> to add the jail to the list of known hosts. I did it. No problem
>> there. But, immediately after that, instead of displaying "login:",
>> the system displayed "passwd:".
>
> That's normal. ssh never asks for the login. You can use the -l
> option if you need to specify a different user name (or put it in your
> ~/.ssh/config).

Of course. I'm losing my mind with all that jail trouble. It works perfectly
well with the -l option.

> Some paranoid people have a special "login jail". They
> ssh into the login jail, then log into the host or into
> other jails from there. The host accepts ssh only from
> localhost. But please forget this immediately; we don't
> want to make things more complicated than necessary.

I thought it was intended to be impossible to access the host from the jail. But
you're right: I'll forget that.

So, we're progressing. But the problem is not over yet. Any other idea?

Have a good evening, anyway.

Brice
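The address confusion in this exchange (127.0.0.1 is loopback and never leaves the host; 192.168.1.38 is an RFC 1918 LAN address that the home router forwards) is easy to catch before a jail is started. The following is an added example, not code from the thread: a pure POSIX sh classifier for the IPv4 address a jail is about to be given, with a helper that rejects loopback addresses; the function names are my own.

```shell
#!/bin/sh
# Added example: classify the IPv4 address planned for a jail so that a
# loopback address (which cannot reach DNS, portsnap or anything outside the
# host without NAT) is caught before the jail is created. Pure POSIX sh;
# no FreeBSD-specific tools are needed, so it runs on any system.

# classify_ipv4 ADDR -> prints one of: loopback, private, public, invalid
classify_ipv4() {
    addr=$1
    # Reject anything that is not digits and dots in a sane layout.
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.|'') echo invalid; return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr            # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if [ "$1" -eq 127 ]; then
        echo loopback       # 127.0.0.0/8: stays on the host, never routed
    elif [ "$1" -eq 10 ] \
      || { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } \
      || { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
        echo private        # RFC 1918: routed on the LAN, NATed by the router
    else
        echo public
    fi
}

# jail_addr_usable ADDR -> exit 0 if a jail bound to ADDR can talk to the
# LAN/Internet directly (i.e. ADDR is a valid non-loopback address), else 1.
jail_addr_usable() {
    kind=$(classify_ipv4 "$1") || return 1
    [ "$kind" != loopback ]
}

# Example run with the two addresses from the thread:
for a in 127.0.0.1 192.168.1.38; do
    printf '%s: %s\n' "$a" "$(classify_ipv4 "$a")"
done
```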