Message-ID: <584368A1.5080206@gmail.com>
Date: Sun, 04 Dec 2016 08:51:45 +0800
From: Ernie Luzar
To: doug@safeport.com
CC: freebsd-questions@FreeBSD.org
Subject: Re: Can't ping in jail

doug wrote:
> On Sat, 3 Dec 2016, doug wrote:
>
>> This is a 9.3-RELEASE-p49 system. In the jail:
>>
>> gaia:~> sysctl security.jail.allow_raw_sockets
>> security.jail.allow_raw_sockets: 1
>>
>> gaia:~> ifconfig
>> em0: flags=8843 metric 0 mtu 1500
>>
>> options=4219b
>>
>> ether c8:9c:dc:eb:ab:fb
>> inet 192.168.2.110 netmask 0xffffffff broadcast 192.168.2.110
>> media: Ethernet autoselect (100baseTX )
>> status: active
>> lo0: flags=8049 metric 0 mtu 16384
>> options=600003
>>
>> and as root
>>
>> gaia:/home/doug# ping -c 2 192.168.2.102
>> PING 192.168.2.102 (192.168.2.102): 56 data bytes
>> ping: sendto: Can't assign requested address
>> ping: sendto: Can't assign requested address
>> ^C
>> --- 192.168.2.102 ping statistics ---
>> 2 packets transmitted, 0 packets received, 100.0% packet loss
>>
>> ctrl-c is required to end the command. This is without a loopback
>> defined. If I define the loopback I can ping 127.0.0.1 but nothing
>> else. What am I missing?
>
> Okay after lots of reading: handbook, man pages, wikis, and google (I
> did RTFM) I am pretty sure I have a routing issue and that
> security.jail.allow_raw_sockets works. That said, I give up. The host
> was getting its IP via DHCP so I changed that, defined the host as a
> gateway, did what I know how to do with netmasks and set all the
> sysctls that seemed remotely related to this in the host. At the end of
> the day virtually all combinations of the aforementioned allow the jail
> to ping its own IP and localhost. Now moving on to stuff that pays the
> rent. Any thoughts welcomed though.

Hello Doug.

You're asking for help, but providing a very small amount of information
about how you created your jails and the network surrounding your host.

Are your jails defined using the legacy method with definition statements
in /etc/rc.conf or the modern way using /etc/jail.conf?

Is this a single host with ISP-assigned dynamic IP addresses?

Is there a LAN behind the host with real computers attached, or are you
using a second NIC just to address the jails?

Do you have a firewall doing NAT for the jail's [non-public routable IP
address]?

How did you create your jail directory tree? Are you using nullfs?

Did you use any of the port utilities for creating your jail environment?

The above will give you plenty to think about.

******************************************************************

First off, 9.3 reaches EOL [end of life] next month. There have been a lot
of changes to jail(8) between 9.3 and 11.0. You should have moved to 11.0
already. You're not going to get jail support for an EOL system.

I strongly suggest you install the package named jail-primer; it will go a
long way toward filling in the background info you seem to be lacking about
jails in general.

Once you're on 11.0, then install the package named qjail. It automates
jail management in a very user-friendly manner, automatically doing all the
little details for you.

First you have to get the host communicating with the public network
before you start playing with jails. As a general rule there is no need to
be using any sysctl nibs. At a bare minimum you need this in rc.conf:

hostname="doughost.com"
gateway_enable="YES"
ifconfig_em0="DHCP"

After doing your homework and having played with qjail, if you need help
then post here again but give greater details about your environment.

Good Luck.