From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 238326] Kernel crash on jail stop (VIMAGE/VNET)
Date: Sun, 09 Aug 2020 20:30:02 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238326

--- Comment #16 from Mason Loring Bliss ---
Markus Stoff wrote:
> Running 'ifconfig ${epair}b -vnet ${jid}' before removing the jail avoids
> the kernel panic. However, I would prefer to shut my jails down in a
> clean way rather than just pulling the (network) plug.

While it's a little awkward-looking, you can do something like this to make
sure you've cleanly shut down and detached:

    exec.prestop = "/usr/sbin/jexec ${name} /bin/sh /etc/rc.shutdown";
    exec.prestop += "/sbin/ifconfig epair${ep}b -vnet ${name}";
    exec.poststop = "ifconfig $bridge deletem epair${ep}a";
    exec.poststop += "ifconfig epair${ep}a destroy";

The notable thing is that exec.prestop and exec.poststop run in system
context, not jail context, so you need the jexec to execute the clean
shutdown - but it works.

From: Ernie Luzar
To: "freebsd-questions@freebsd.org", "freebsd-jail@freebsd.org"
Subject: How to steer public traffic to a jail
Date: Fri, 14 Aug 2020 08:08:09 -0400

I have 4 registered domain names, one for each jail. How do I get
[ALL] public traffic to a domain name directed to the desired jail?

From: Carsten Bäcker
To: Ernie Luzar, "freebsd-questions@freebsd.org", "freebsd-jail@freebsd.org"
Subject: Re: How to steer public traffic to a jail
Date: Fri, 14 Aug 2020 16:04:40 +0200

Hi,

you may want to have a look into reverse proxying, e.g. using nginx on
your jail-host.
Really basic example:

    http {
        server {
            listen 80;
            # matched against the Host header of the HTTP request
            server_name your.1st.domain.com;
            location / {
                proxy_pass http://127.0.1.2;
            }
        }
        server {
            listen 80;
            server_name your.2nd.domain.com;
            location / {
                proxy_pass http://127.0.1.3;
            }
        }
    }

Good luck!
Carsten

On 14.08.2020 at 14:08, Ernie Luzar wrote:
> I have 4 registered domain names, one for each jail. How do I get
> [ALL] public traffic to a domain name directed to the desired jail?

From: Ernie Luzar
To: Carsten Bäcker
CC: "freebsd-questions@freebsd.org", "freebsd-jail@freebsd.org"
Subject: Re: How to steer public traffic to a jail
Date: Fri, 14 Aug 2020 10:58:03 -0400

Carsten Bäcker wrote:
> Hi,
>
> you may want to have a look into reverse proxying, e.g. using nginx on
> your jail-host.
> Really basic example:
>
> |http { server { listen 80; server_name your.1st.domain.com; location /
> { proxy_pass http://127.0.1.2; } } server { listen 80; server_name
> your.2nd.domain.com; location / { proxy_pass http://127.0.1.3; } } }|
>

This looks interesting. When does nginx see the packet, before the
firewall or after the firewall passes it through?

Employing this concept each unique domain name is the element used to
target the jail's private ip address.

Would need a server clause for each port number/domain name targeting
each jail.

This would work for port 21, 22, 23, 25

From: Steve O'Hara-Smith
To: Ernie Luzar
Cc: Carsten Bäcker, "freebsd-questions@freebsd.org", "freebsd-jail@freebsd.org"
Subject: Re: How to steer public traffic to a jail
Date: Fri, 14 Aug 2020 16:17:26 +0100

On Fri, 14 Aug 2020 10:58:03 -0400
Ernie Luzar wrote:

> Carsten Bäcker wrote:
> > Hi,
> >
> > you may want to have a look into reverse proxying, e.g. using nginx on
> > your jail-host.
> > Really basic example:
> >
> > |http { server { listen 80; server_name your.1st.domain.com; location /
> > { proxy_pass http://127.0.1.2; } } server { listen 80; server_name
> > your.2nd.domain.com; location / { proxy_pass http://127.0.1.3; } } }|
> >
>
> This looks interesting.

Think again - this is HTTP proxying only. It's great for that but
useless for anything else. I use a similar mechanism to serve multiple
domains from one http server.

> Employing this concept each unique domain name is the element used to
> target the jail's private ip address.

Yes but it only works because there is an HTTP header with the
hostname in it and nginx knows how to read HTTP.

> Would need a server clause for each port number/domain name targeting
> each jail.
>
> This would work for port 21, 22, 23, 25

No, only 80 and then only if the protocol is HTTP and if the clients
send the necessary HTTP header (I haven't seen one that didn't in decades).

--
Steve O'Hara-Smith

From: Carsten Bäcker
To: Steve O'Hara-Smith, Ernie Luzar
Cc: "freebsd-questions@freebsd.org", "freebsd-jail@freebsd.org"
Subject: Re: How to steer public traffic to a jail
Date: Fri, 14 Aug 2020 19:47:30 +0200

Hi,

nginx will only see packets that passed the firewall, so you need to
allow incoming traffic to port(s) 80, 443 to wherever your
reverse-proxy is running.

Domain-Names are HTTP-specific. No ssh, nor telnet or ftp know anything
about that.
Personally I wouldn't even think about using telnet or ftp. :-)

If you need ssh-access to the jails you may use (public) ports other
than 22 and forward them to the corresponding jail. This will -
additionally - allow sftp.

Regards
Carsten

On 14.08.2020 at 17:17, Steve O'Hara-Smith wrote:
> On Fri, 14 Aug 2020 10:58:03 -0400
> Ernie Luzar wrote:
>
>> Carsten Bäcker wrote:
>>> Hi,
>>>
>>> you may want to have a look into reverse proxying, e.g. using nginx on
>>> your jail-host.
>>> Really basic example:
>>>
>>> |http { server { listen 80; server_name your.1st.domain.com; location /
>>> { proxy_pass http://127.0.1.2; } } server { listen 80; server_name
>>> your.2nd.domain.com; location / { proxy_pass http://127.0.1.3; } } }|
>>>
>> This looks interesting.
> Think again - this is HTTP proxying only. It's great for that but
> useless for anything else. I use a similar mechanism to serve multiple
> domains from one http server.
>
>> Employing this concept each unique domain name is the element used to
>> target the jail's private ip address.
> Yes but it only works because there is an HTTP header with the
> hostname in it and nginx knows how to read HTTP.
>
>> Would need a server clause for each port number/domain name targeting
>> each jail.
>>
>> This would work for port 21, 22, 23, 25
> No, only 80 and then only if the protocol is HTTP and if the clients
> send the necessary HTTP header (I haven't seen one that didn't in decades).
>
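
Added example, not part of any message in this thread: a Python sketch of the routing decision discussed above. On port 80 it picks the jail from the HTTP Host header, as the nginx server_name blocks do; on any other port only the destination port is available, so SSH is mapped per port. The public ports 2201/2202, the function names and the sample payloads are assumptions made for illustration.

```python
"""Added example: what a front end on the jail host can route on."""
from typing import Optional, Tuple

# Constructed tables. The two vhosts mirror the nginx example in the
# thread; the public SSH ports 2201/2202 are assumptions.
VHOSTS = {
    "your.1st.domain.com": ("127.0.1.2", 80),
    "your.2nd.domain.com": ("127.0.1.3", 80),
}
PORT_FORWARDS = {
    2201: ("127.0.1.2", 22),
    2202: ("127.0.1.3", 22),
}

_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def http_host(first_bytes: bytes) -> Optional[str]:
    """Return the Host header (lower-case, port stripped) of an HTTP/1.x
    request, or None when the bytes are not HTTP or carry no Host header."""
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if (len(request_line) != 3 or request_line[0] not in _METHODS
            or not request_line[2].startswith(b"HTTP/1.")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.startswith("["):           # IPv6 literal such as [::1]:80
                return host.split("]", 1)[0] + "]"
            return host.rsplit(":", 1)[0] if ":" in host else host
    return None


def route(dst_port: int, first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """Pick a jail backend, or None when there is nothing to route on."""
    if dst_port == 80:
        host = http_host(first_bytes)
        # nginx itself hands a missing or unmatched Host to the default
        # server of that listen socket (the first server block unless
        # default_server is set). This sketch returns None instead, so an
        # unknown name reaches no jail.
        return VHOSTS.get(host) if host else None
    # SSH, FTP, telnet, SMTP: the client never names the target host, so
    # the payload is ignored and only the destination port decides.
    return PORT_FORWARDS.get(dst_port)


# Constructed first bytes sent by a client on each protocol.
SAMPLES = {
    "http_2nd": b"GET / HTTP/1.1\r\nHost: your.2nd.domain.com\r\n\r\n",
    "http_unknown": b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "http_no_host": b"GET / HTTP/1.0\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_8.2\r\n",
    "smtp_ehlo": b"EHLO client.example.net\r\n",   # names the client only
}

if __name__ == "__main__":
    cases = [(80, "http_2nd"), (80, "http_unknown"), (80, "http_no_host"),
             (22, "ssh_banner"), (2202, "ssh_banner"), (25, "smtp_ehlo")]
    for port, key in cases:
        print(f"port {port:<5} {key:<13} -> {route(port, SAMPLES[key])}")
```
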
Subject: Re: How to steer public traffic to a jail
From: Carsten Bäcker
To: Steve O'Hara-Smith, Ernie Luzar
Cc: "freebsd-jail@freebsd.org"
References: <5F367EA9.20809@gmail.com> <8984b35b-7c48-32ee-5bd0-e29c9439c890@gmx.de> <5F36A67B.1040408@gmail.com> <20200814161726.972dcb71499c7129fe672836@sohara.org>
Message-ID: <82b74ead-2abf-dc39-12e1-26087ed68db9@gmx.de>
Date: Fri, 14 Aug 2020 19:57:32 +0200

On 14.08.2020 at 19:47, Carsten Bäcker wrote:
> Domain-Names are HTTP-specific. No ssh, nor telnet or ftp know anything
> about that.

Hmm. Forget about that... It's basically an issue related to firewall / port-forwarding.

From owner-freebsd-jail@freebsd.org Sat Aug 15 02:24:10 2020
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 248444] /usr/sbin/jail crashes when parsing certain configuration files
Date: Sat, 15 Aug 2020 02:24:09 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 12.1-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: jail@FreeBSD.org
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248444

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |jail@FreeBSD.org

From owner-freebsd-jail@freebsd.org Sat Aug 15 17:49:47 2020
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 248444] /usr/sbin/jail crashes when parsing certain configuration files
Date: Sat, 15 Aug 2020 17:49:47 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 12.1-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: akos.somfai@gmail.com
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: jail@FreeBSD.org
X-Bugzilla-Changed-Fields: cc attachments.created

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248444

Akos Somfai changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |akos.somfai@gmail.com

--- Comment #1 from Akos Somfai ---
Created attachment 217233
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=217233&action=edit
proposed patch for jail

The issue is seen every time when the defined variable ("$interface" in the bug report) is the same as one of the built-in jail.conf parameters excluding the leading "$". The crash is a use-after-free as variable data is freed at a point but referenced later from intparams.

Having a variable with the same name as a built-in one is problematic anyways -- the fix eliminates the crash and treats such entries as pure variables as expected by the leading "$". This is also according to the jail.conf description that says that "variables are only used for substitution, while parameters are used both for substitution and for passing to the kernel."
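
The failure mode described in comment #1, reduced to a small C model. This is an added illustration, not the jail(8) source and not the attached patch: every identifier except `intparams` (named in the comment) is hypothetical, and the two-line config is constructed. With `fixed` false, a variable whose name matches a built-in is indexed in `intparams` and that slot is left dangling once variables are freed; with `fixed` true, a leading "$" keeps the entry out of the table.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model, NOT jail(8) source; all names but intparams are hypothetical. */
enum { IP_INTERFACE, IP_PATH, IP_NPARAM };
static const char *builtin[IP_NPARAM] = { "interface", "path" };
struct entry { const char *name, *value; bool is_var; struct entry *next; };
struct conf { struct entry *head; struct entry *intparams[IP_NPARAM]; };

/* Add one "name = value" item; a leading '$' marks a variable. */
static void add_entry(struct conf *c, const char *name, const char *value, bool fixed)
{
    struct entry *e = calloc(1, sizeof(*e));
    if (e == NULL) abort();
    e->is_var = (name[0] == '$');
    e->name = e->is_var ? name + 1 : name;
    e->value = value;
    e->next = c->head; c->head = e;
    if (fixed && e->is_var) return;   /* the fix: variables are never indexed */
    for (int i = 0; i < IP_NPARAM; i++)
        if (strcmp(e->name, builtin[i]) == 0)
            c->intparams[i] = e;
}

/* Free variables; count intparams slots left pointing at them (checked before free). */
static int drop_variables(struct conf *c)
{
    int dangling = 0;
    for (struct entry **pp = &c->head; *pp != NULL; ) {
        struct entry *e = *pp;
        if (!e->is_var) { pp = &e->next; continue; }
        for (int i = 0; i < IP_NPARAM; i++)
            dangling += (c->intparams[i] == e);
        *pp = e->next;
        free(e);
    }
    return dangling;
}

/* Load a constructed two-line config and return the number of dangling slots. */
static int run_model(bool fixed)
{
    struct conf c = { 0 };
    add_entry(&c, "$interface", "em0", fixed);
    add_entry(&c, "path", "/jails/www", fixed);
    int dangling = drop_variables(&c);
    while (c.head != NULL) { struct entry *e = c.head; c.head = e->next; free(e); }
    return dangling;
}

int main(void) { return run_model(true); }   /* exits 0: no dangling slot with the fix */
```

The model counts the aliasing slot before the free instead of dereferencing it afterwards, so both modes can be run safely.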