From owner-freebsd-jail@freebsd.org Sun Jul 16 12:48:17 2017
Return-Path:
Delivered-To: freebsd-jail@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
    by mailman.ysv.freebsd.org (Postfix) with ESMTP id 765C9BFEDF7;
    Sun, 16 Jul 2017 12:48:17 +0000 (UTC)
    (envelope-from list1@gjunka.com)
Received: from msa1.earth.yoonka.com (yoonka.com [88.98.225.149])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (Client CN "msa1.earth.yoonka.com", Issuer "msa1.earth.yoonka.com" (not verified))
    by mx1.freebsd.org (Postfix) with ESMTPS id 1759F7CE85;
    Sun, 16 Jul 2017 12:48:15 +0000 (UTC)
    (envelope-from list1@gjunka.com)
Received: from crayon2.yoonka.com (crayon2.yoonka.com [10.70.7.20])
    (authenticated bits=0)
    by msa1.earth.yoonka.com (8.15.2/8.15.2) with ESMTPSA id v6GCmDeB004662
    (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO);
    Sun, 16 Jul 2017 12:48:14 GMT
    (envelope-from list1@gjunka.com)
To: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
From: Grzegorz Junka
Subject: A web server behind two gateways?
Message-ID:
Date: Sun, 16 Jul 2017 12:48:13 +0000
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB-large
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 16 Jul 2017 12:48:17 -0000

Hello,

I have a jail running a web server in LAN. There are two routers/WANs
that can connect LAN to the internet. I enabled NAT and port forwarding
to the web server on both routers.

The problem is that the web server responds to requests only from one
router at a time depending on the default gateway set on the jail's
host. If the default gateway is set as router 1 then the web page can be
opened only through WAN1 and vice versa.

Can I configure either router/host/jail so that the web server sends the
response back to the IP that sent the request packet rather than to the
default gateway?

And a bonus question, how can I configure two jails so that each jail
sends packets to a different gateway (which may or may not be the same
as the jails' host's default gateway)?

Thanks
Grzegorz

From owner-freebsd-jail@freebsd.org Sun Jul 16 13:23:35 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 220759] jail -i / -q is not acting as described
Date: Sun, 16 Jul 2017 13:23:35 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: 11.0-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: linimon@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: assigned_to

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220759

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-jail@FreeBSD.org

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-jail@freebsd.org Sun Jul 16 14:33:19 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 213896] when starting vimage jails the kernel crashes
Date: Sun, 16 Jul 2017 14:33:18 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: heinz@project-fifo.net
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: cc

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213896

Heinz N. Gies changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |heinz@project-fifo.net

--- Comment #6 from Heinz N. Gies ---
I'm having the same problem and can reliably reproduce it. I noticed it
when testing vmadm (https://github.com/project-fifo/r-vmadm) and starting
and stopping a jail a few times.
The basic steps for start are:

  rctl -a jail:d0f4fea3-e368-4346-b44c-50cfbcffa287:memoryuse:deny=1024M \
          jail:d0f4fea3-e368-4346-b44c-50cfbcffa287:memorylocked:deny=1024M \
          jail:d0f4fea3-e368-4346-b44c-50cfbcffa287:shmsize:deny=1024M \
          jail:d0f4fea3-e368-4346-b44c-50cfbcffa287:pcpu:deny=100 \
          jail:d0f4fea3-e368-4346-b44c-50cfbcffa287:maxproc:deny=2000
  mount -t devfs devfs /zroot/jails/d0f4fea3-e368-4346-b44c-50cfbcffa287/root/dev
  mount -t devfs devfs /zroot/jails/d0f4fea3-e368-4346-b44c-50cfbcffa287/root/jail/dev
  jail -i -c persist name=d0f4fea3-e368-4346-b44c-50cfbcffa287 \
      path=/zroot/jails/d0f4fea3-e368-4346-b44c-50cfbcffa287/root \
      host.hostuuid=d0f4fea3-e368-4346-b44c-50cfbcffa287 host.hostname=test \
      devfs_ruleset=4 securelevel=2 sysvmsg=new sysvsem=new sysvshm=new \
      allow.raw_sockets children.max=1 vnet=new vnet.interface=epair0b \
      exec.start="/sbin/ifconfig epair0b name net0p; /sbin/ifconfig net0p.5 create vlan 5 vlandev net0p; /sbin/ifconfig net0p.5 name net0; /sbin/ifconfig net0 inet 192.168.1.234 255.255.255.0; /sbin/route add default -gateway 192.168.1.1; /sbin/ifconfig lo0 127.0.0.1 up; jail -c persist name=d0f4fea3-e368-4346-b44c-50cfbcffa287 host.hostname=test path=/jail ip4=inherit devfs_ruleset=4 securelevel=2 sysvmsg=new sysvsem=new sysvshm=new allow.raw_sockets exec.start='sh /etc/rc'"
  ifconfig epair0a name j1:net0

and destroying the jail the same way in reverse (stop, unmount, remove
rctl entries, destroy j1:net0).

kernel is FreeBSD fifo-bsd 11.0-RELEASE-p1 with
which is the standard kernel config plus

  nooptions SCTP    # Stream Control Transmission Protocol
  options VIMAGE    # VNET/Vimage support
  options RACCT     # Resource containers
  options RCTL      # same as above

I've uploaded the kernel dump here
https://www.dropbox.com/s/73mb8e64cb7zwbe/crash.tar.xz?dl=0 (it's too big
to attach)

From owner-freebsd-jail@freebsd.org Sun Jul 16 14:38:33 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 213896] when starting vimage jails the kernel crashes
Date: Sun, 16 Jul 2017 14:38:32 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: heinz@project-fifo.net
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: attachments.created

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213896

--- Comment #7 from Heinz N. Gies ---
Created attachment 184394
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=184394&action=edit
core.txt from the kernel panic

I'll attach the core.txt from one of those crashes directly.

From owner-freebsd-jail@freebsd.org Sun Jul 16 15:03:41 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 213896] when starting vimage jails the kernel crashes
Date: Sun, 16 Jul 2017 15:03:41 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: heinz@project-fifo.net
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213896

--- Comment #8 from Heinz N. Gies ---
Adding more context, the bug seems to be the same as discussed here:
http://mpc.lists.freebsd.current.narkive.com/Wotl1Q0o/panic-possibly-on-on-bridge-member-removal

From owner-freebsd-jail@freebsd.org Sun Jul 16 16:06:29 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 213896] when starting vimage jails the kernel crashes
Date: Sun, 16 Jul 2017 16:06:28 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-RELEASE
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: heinz@project-fifo.net
X-Bugzilla-Status: New
X-Bugzilla-Changed-Fields: attachments.created

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213896

--- Comment #9 from Heinz N. Gies ---
Created attachment 184403
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=184403&action=edit
Test case to introduce this bug.

Adding a test case, it works nearly 100% reliably for me when run as one of
the first commands on the system.

From owner-freebsd-jail@freebsd.org Mon Jul 17 11:34:04 2017
Subject: Re: A web server behind two gateways?
To: Grzegorz Junka, freebsd-net@freebsd.org, freebsd-jail@freebsd.org
From: Eugene Grosbein
Message-ID: <596CA093.6020508@grosbein.net>
Date: Mon, 17 Jul 2017 18:33:39 +0700
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

On 16.07.2017 19:48, Grzegorz Junka wrote:
> Hello,
>
> I have a jail running a web server in LAN. There are two routers/WANs
> that can connect LAN to the internet. I enabled NAT and port forwarding
> to the web server on both routers.
>
> The problem is that the web server responds to requests only from one
> router at a time depending on the default gateway set on the jail's
> host. If the default gateway is set as router 1 then the web page can be
> opened only through WAN1 and vice versa.
>
> Can I configure either router/host/jail so that the web server sends the
> response back to the IP that sent the request packet rather than to the
> default gateway?

This is the job of the external NAT box to route translated replies to the
right WAN based on the external source IP address produced during
translation of the reply. The jail or internal NAT have nothing to do with
the problem.

So, the solution depends on the kind of NAT you use.

> And a bonus question, how can I configure two jails so that each jail
> sends packets to a different gateway (which may or may not be the same
> as the jails' host's default gateway)?

Read "man jail" for the "vnet" feature.

From owner-freebsd-jail@freebsd.org Mon Jul 17 16:46:47 2017
From: Alan Somers
Date: Mon, 17 Jul 2017 10:46:45 -0600
Subject: Re: A web server behind two gateways?
To: Eugene Grosbein
Cc: Grzegorz Junka, FreeBSD Net, freebsd-jail@freebsd.org
In-Reply-To: <596CA093.6020508@grosbein.net>
References: <596CA093.6020508@grosbein.net>

On Mon, Jul 17, 2017 at 5:33 AM, Eugene Grosbein wrote:
> On 16.07.2017 19:48, Grzegorz Junka wrote:
>> Hello,
>>
>> I have a jail running a web server in LAN. There are two routers/WANs
>> that can connect LAN to the internet. I enabled NAT and port forwarding
>> to the web server on both routers.
>>
>> The problem is that the web server responds to requests only from one
>> router at a time depending on the default gateway set on the jail's
>> host. If the default gateway is set as router 1 then the web page can be
>> opened only through WAN1 and vice versa.
>>
>> Can I configure either router/host/jail so that the web server sends the
>> response back to the IP that sent the request packet rather than to the
>> default gateway?
>
> This is the job of the external NAT box to route translated replies to the
> right WAN based on the external source IP address produced during
> translation of the reply. The jail or internal NAT have nothing to do with
> the problem.
>
> So, the solution depends on the kind of NAT you use.

That's not 100% true. The web server is choosing which gateway to use. As
Grzegorz said, it's only configured to use a single gateway at a time. To
do what Grzegorz wants, he'll need to use multiple fibs. Set "net.fibs=2"
and "net.add_addr_allfibs=0" in /boot/loader.conf and reboot. You'll be
able to configure a separate gateway for each fib. The hard part, though,
is configuring your web server to use multiple fibs. I don't know if any
common web server has that kind of support built in. But your next guess
was good.

>
>> And a bonus question, how can I configure two jails so that each jail
>> sends packets to a different gateway (which may or may not be the same
>> as the jails' host's default gateway)?
>
> Read "man jail" for the "vnet" feature.

This is definitely the path of least resistance. Basically, you'll assign
each jail to a separate fib, so you'll still need the loader.conf settings
I mentioned. Unfortunately, VNET/VIMAGE isn't in the standard kernel. If
you're unable to run a custom kernel on this machine, you can still create
two jails on separate fibs. The biggest downside compared to VNET/VIMAGE is
that they'll share a single DNS resolver. Here's how to do it:

* Make the loader.conf settings I mentioned earlier.
* Create a separate static IP address for each jail, and associate each
  with a separate fib. Your rc.conf should contain something like this:

    ifconfig_igb1_alias0="inet 10.1.2.76/20 fib 0"
    ifconfig_igb1_alias1="inet 10.1.18.76/20 fib 1"

* Add the default routes in /etc/rc.local like this:

    /sbin/route add default 10.1.0.1 -fib 0
    /sbin/route add default 10.1.16.1 -fib 1

* Assign one address to one jail and the other address to the other jail.
* Ensure that in each jail, the web server starts with the correct fib.
  For example, if you're using apache24, I think you can put
  "apache24_fib=1" in /etc/rc.conf. Other web servers may require
  something different, depending on how their RC scripts are written.

Happy hacking!
-Alan

From owner-freebsd-jail@freebsd.org Mon Jul 17 16:56:38 2017
From: Sami Halabi
Date: Mon, 17 Jul 2017 19:56:35 +0300
Subject: Re: A web server behind two gateways?
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org, Grzegorz Junka, freebsd-jail@freebsd.org
In-Reply-To: <596CA093.6020508@grosbein.net>
References: <596CA093.6020508@grosbein.net>

Hi,
The simple solution I can think of is:
1. Launch the 1st jail with apache/nginx and a db (mysql?); be sure to use
   a mysql address accessible via jail2 (maybe epair). This jail will use
   the default route, let's say wan1.
2. Launch the 2nd jail with vnet, default route wan2, mount the same data
   directories as jail1, and apache/nginx; since the ip of the db is the
   internal ip between jails it'll connect to the 1st db.

This way you have 2 jails that share the same data dir but service users
via different wans behind nat.

Hope the idea helps.
Sami

On 17 July 2017 02:34 PM, "Eugene Grosbein" wrote:

> On 16.07.2017 19:48, Grzegorz Junka wrote:
> > Hello,
> >
> > I have a jail running a web server in LAN. There are two routers/WANs
> > that can connect LAN to the internet. I enabled NAT and port forwarding
> > to the web server on both routers.
> >
> > The problem is that the web server responds to requests only from one
> > router at a time depending on the default gateway set on the jail's
> > host. If the default gateway is set as router 1 then the web page can be
> > opened only through WAN1 and vice versa.
> >
> > Can I configure either router/host/jail so that the web server sends the
> > response back to the IP that sent the request packet rather than to the
> > default gateway?
>
> This is the job of the external NAT box to route translated replies to the
> right WAN based on the external source IP address produced during
> translation of the reply.
> The jail or internal NAT have nothing to do with the problem.
>
> So, the solution depends on the kind of NAT you use.
>
> > And a bonus question, how can I configure two jails so that each jail
> > sends packets to a different gateway (which may or may not be the same
> > as the jails' host's default gateway)?
>
> Read "man jail" for the "vnet" feature.
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

From owner-freebsd-jail@freebsd.org Mon Jul 17 17:20:13 2017
To: Alan Somers References: <596CA093.6020508@grosbein.net> Cc: FreeBSD Net , freebsd-jail@freebsd.org, Grzegorz Junka From: Eugene Grosbein Message-ID: <596CF1BA.8050104@grosbein.net> Date: Tue, 18 Jul 2017 00:19:54 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,LOCAL_FROM autolearn=no autolearn_force=no version=3.4.1 X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0000] * 2.6 LOCAL_FROM From my domains X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on hz.grosbein.net X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 17 Jul 2017 17:20:13 -0000 17.07.2017 23:46, Alan Somers wrote: >> So, the solution depends of kind of NAT you use. > > That's not 100% true. The web server is choosing which gateway to > use. As Grzegorz said, it's only configured to use a single gateway > at a time. To do what Grzegorz wants, he'll need to use multiple > fibs. Set "net.fibs=2" and "net.add_addr_allfibs=0" in > /boot/loader.conf and reboot. This will work for a server directly connected to both external gateways but won't work for a server behind two NAT boxes. 
Eugene Grosbein

From owner-freebsd-jail@freebsd.org Mon Jul 17 17:26:40 2017
From: Kurt Jaeger
To: Grzegorz Junka
Cc: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: A web server behind two gateways?
Date: Mon, 17 Jul 2017 19:26:42 +0200
Message-ID: <20170717172642.GF39925@home.opsec.eu>

Hi!

> I have a jail running a web server in LAN. There are two routers/WANs
> that can connect LAN to the internet. I enabled NAT and port forwarding
> to the web server on both routers.
[...]
> Can I configure either router/host/jail so that the web server sends the
> response back to the IP that sent the request packet rather than to the
> default gateway?

I have a vague idea:

If you set a tag (or a keep-state :flowname) using an ipfw rule that matches
the incoming gateway MAC and match that tag/check-state flowname and
the connection (keep-state) to fwd the answer packet back to that gateway?
-- 
pi@opsec.eu         +49 171 3101372                    3 years to go !

From owner-freebsd-jail@freebsd.org Mon Jul 17 17:34:01 2017
From: Eugene Grosbein
To: Kurt Jaeger, Grzegorz Junka
Cc: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: A web server behind two gateways?
Date: Tue, 18 Jul 2017 00:33:47 +0700
Message-ID: <596CF4FB.9070306@grosbein.net>
In-Reply-To: <20170717172642.GF39925@home.opsec.eu>

18.07.2017 0:26, Kurt Jaeger wrote:

> I have a vague idea:
>
> If you set a tag (or a keep-state :flowname) using an ipfw rule that matches
> the incoming gateway MAC and match that tag/check-state flowname and
> the connection (keep-state) to fwd the answer packet back to that gateway?

In fact, the NAT engine already keeps state track of packet flows and uses that
to correctly translate answers back to the public IP address. All you need is to
forward translated outgoing answers to the correct channel based on the translated
external source IP address (read: do policy based forwarding).
From owner-freebsd-jail@freebsd.org Mon Jul 17 17:48:09 2017
From: Alan Somers
To: Eugene Grosbein
Cc: FreeBSD Net, freebsd-jail@freebsd.org, Grzegorz Junka
Subject: Re: A web server behind two gateways?
Date: Mon, 17 Jul 2017 11:48:07 -0600
In-Reply-To: <596CF1BA.8050104@grosbein.net>

On Mon, Jul 17, 2017 at 11:19 AM, Eugene Grosbein wrote:
> 17.07.2017 23:46, Alan Somers wrote:
>
>>> So, the solution depends on the kind of NAT you use.
>>
>> That's not 100% true. The web server is choosing which gateway to
>> use. As Grzegorz said, it's only configured to use a single gateway
>> at a time. To do what Grzegorz wants, he'll need to use multiple
>> fibs. Set "net.fibs=2" and "net.add_addr_allfibs=0" in
>> /boot/loader.conf and reboot.
>
> This will work for a server directly connected to both external
> gateways but won't work for a server behind two NAT boxes.
>
> Eugene Grosbein

I think what you meant to say is "this will work for a server directly
connected to two external gateways (whether or not NAT is involved),
but won't work if the server is not on the same subnet as the
gateways". That's true. But judging by the OP, I think they're all
on the same subnet.
-Alan

From owner-freebsd-jail@freebsd.org Mon Jul 17 18:19:19 2017
From: Eugene Grosbein
To: Alan Somers
Cc: FreeBSD Net, freebsd-jail@freebsd.org, Grzegorz Junka
Subject: Re: A web server behind two gateways?
Date: Tue, 18 Jul 2017 01:19:00 +0700
Message-ID: <596CFF94.2090506@grosbein.net>

18.07.2017 0:48, Alan Somers wrote:

> I think what you meant to say is "this will work for a server directly
> connected to two external gateways (whether or not NAT is involved),
> but won't work if the server is not on the same subnet as the
> gateways". That's true. But judging by the OP, I think they're all
> on the same subnet.

Yes. Anyway, as long as there is NAT involved, one already has a stateful engine
and the simplest and universal solution for this situation is PBR after NAT for outgoing packets.

It works no matter whether gateways are directly connected or not
and does not require multiple routing tables nor complex FIB or VNET configurations:

# remove "default" NAT rule
ipfw delete 50

# translate incoming traffic and create NAT states
ipfw add 40 nat 123 ip from any to any in recv $iface1
ipfw add 50 nat 124 ip from any to any in recv $iface2

# insert normal filtering here
...

# translate outgoing replies using existing NAT states
ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
ipfw add 50030 nat global ip from $LAN to any out xmit $iface2

# translate new outgoing connections not having a state yet
ipfw add 50040 nat 123 ip from any to any out xmit $iface1
ipfw add 50050 nat 124 ip from any to any out xmit $iface2

# perform Policy Based Routing for packets going to "wrong" route
ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2

# that's all, folks!

This works no matter where the default route points to ($gateway1 or $gateway2).
All you need is a working default route and net.inet.ip.fw.one_pass=0.

This can be extended to any number of external channels/interfaces
and optimized with ipfw tables, but for two channels I prefer to write it so
for readability. I use this for many installations and it just works.

From owner-freebsd-jail@freebsd.org Mon Jul 17 18:22:14 2017
From: Eugene Grosbein
To: Alan Somers
Cc: FreeBSD Net, freebsd-jail@freebsd.org, Grzegorz Junka
Subject: Re: A web server behind two gateways?
Date: Tue, 18 Jul 2017 01:22:00 +0700
Message-ID: <596D0048.7040100@grosbein.net>
In-Reply-To: <596CFF94.2090506@grosbein.net>

18.07.2017 1:19, Eugene Grosbein wrote:
> 18.07.2017 0:48, Alan Somers wrote:
>
>> I think what you meant to say is "this will work for a server directly
>> connected to two external gateways (whether or not NAT is involved),
>> but won't work if the server is not on the same subnet as the
>> gateways". That's true. But judging by the OP, I think they're all
>> on the same subnet.
>
> Yes. Anyway, as long as there is NAT involved, one already has a stateful engine
> and the simplest and universal solution for this situation is PBR after NAT for outgoing packets.
>
> It works no matter whether gateways are directly connected or not
> and does not require multiple routing tables nor complex FIB or VNET configurations:
>
> # remove "default" NAT rule
> ipfw delete 50
>
> # translate incoming traffic and create NAT states
> ipfw add 40 nat 123 ip from any to any in recv $iface1
> ipfw add 50 nat 124 ip from any to any in recv $iface2
>
> # insert normal filtering here
> ...
> # translate outgoing replies using existing NAT states
> ipfw add 50020 nat global ip from $LAN to any out xmit $iface1
> ipfw add 50030 nat global ip from $LAN to any out xmit $iface2
>
> # translate new outgoing connections not having a state yet
> ipfw add 50040 nat 123 ip from any to any out xmit $iface1
> ipfw add 50050 nat 124 ip from any to any out xmit $iface2

bugfix:

ipfw add 50040 nat 123 ip from $LAN to any out xmit $iface1
ipfw add 50050 nat 124 ip from $LAN to any out xmit $iface2

> # perform Policy Based Routing for packets going to "wrong" route
> ipfw add 50140 fwd $gateway2 ip from $extip2 to any out xmit $iface1
> ipfw add 50150 fwd $gateway1 ip from $extip1 to any out xmit $iface2
>
> # that's all, folks!
>
> This works no matter where the default route points to ($gateway1 or $gateway2).
> All you need is a working default route and net.inet.ip.fw.one_pass=0.
>
> This can be extended to any number of external channels/interfaces
> and optimized with ipfw tables, but for two channels I prefer to write it so
> for readability. I use this for many installations and it just works.
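Eugene's message above says the NAT-then-PBR recipe extends to any number of external channels but only shows it for two. The shell script below is an added example, not Eugene's own script or anything from the thread: it generates the generalised ipfw ruleset (per-channel inbound `nat`, `nat global` for replies, per-channel `nat` for new outbound connections, and one `fwd` rule for every ordered pair of channels) for N channels read from stdin. It prints the commands instead of running them so they can be reviewed first. The rule numbers, the NAT instance numbers (100+i), the `ipfw nat ... config ip` line, and the demo's interface names and RFC 5737 addresses are all assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: generate an ipfw "NAT first, then policy-based forwarding"
# ruleset for N external channels.  Not Eugene Grosbein's script; rule and
# NAT-instance numbering, and the demo values, are assumptions.
# Nothing is executed; pipe the output into sh to apply it.
#
# Usage: printf 'iface extip gateway\n...' | gen_multiwan_rules LAN/prefix

gen_multiwan_rules() {
    lan="$1"
    n=0
    # One "iface extip gateway" triple per line on stdin.
    while read -r iface extip gw; do
        [ -n "$iface" ] || continue
        n=$((n + 1))
        eval "IF_$n=\"\$iface\"; EXT_$n=\"\$extip\"; GW_$n=\"\$gw\""
    done
    [ "$n" -ge 1 ] || { echo "no channels given" >&2; return 1; }

    # ipfw must keep evaluating rules after a nat action, otherwise the
    # fwd rules below never see the translated packet (thread requirement).
    echo "sysctl net.inet.ip.fw.one_pass=0"

    i=1
    while [ "$i" -le "$n" ]; do
        eval "iface=\$IF_$i; extip=\$EXT_$i"
        # One NAT instance per channel, bound to that channel's public IP.
        echo "ipfw nat $((100 + i)) config ip $extip"
        # Inbound: translate and create NAT state on the receiving interface.
        echo "ipfw add $((40 + i)) nat $((100 + i)) ip from any to any in recv $iface"
        i=$((i + 1))
    done

    echo "# insert normal filtering here"

    i=1
    while [ "$i" -le "$n" ]; do
        eval "iface=\$IF_$i"
        # Outbound replies: reuse whichever instance already holds the state.
        echo "ipfw add $((50000 + i)) nat global ip from $lan to any out xmit $iface"
        i=$((i + 1))
    done

    i=1
    while [ "$i" -le "$n" ]; do
        eval "iface=\$IF_$i"
        # New outbound connections without state: translate on the egress channel.
        echo "ipfw add $((50100 + i)) nat $((100 + i)) ip from $lan to any out xmit $iface"
        i=$((i + 1))
    done

    # PBR: a reply already translated to channel j's public IP but about to
    # leave via channel i (the default route) is handed to channel j's gateway.
    # Rule number 50200 + 10*i + j (assumption).
    i=1
    while [ "$i" -le "$n" ]; do
        eval "iface=\$IF_$i"
        j=1
        while [ "$j" -le "$n" ]; do
            if [ "$i" -ne "$j" ]; then
                eval "extip=\$EXT_$j; gw=\$GW_$j"
                echo "ipfw add $((50200 + 10 * i + j)) fwd $gw ip from $extip to any out xmit $iface"
            fi
            j=$((j + 1))
        done
        i=$((i + 1))
    done
}

# Demo with constructed values (RFC 5737 documentation addresses, em0/em1
# are assumed interface names).  Returns the generated ruleset on stdout.
demo_multiwan() {
    printf '%s\n' \
        'em0 203.0.113.10 203.0.113.1' \
        'em1 198.51.100.10 198.51.100.1' \
    | gen_multiwan_rules 192.168.1.0/24
}

demo_multiwan
```

The ordering matters for the same reason it does in Eugene's two-channel version: the `nat global` rules must come before the per-instance outbound `nat` rules, so replies are matched against existing state before a new translation is created, and the `fwd` rules must come after all `nat` rules so they match on the already-translated source address. Adding a third channel only adds one more line to the stdin list; the script emits the extra pairs of `fwd` rules itself.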
From owner-freebsd-jail@freebsd.org Tue Jul 18 03:50:36 2017
From: Grzegorz Junka
To: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: A web server behind two gateways?
Date: Tue, 18 Jul 2017 03:50:18 +0000
In-Reply-To: <596D0048.7040100@grosbein.net>

On 17/07/2017 18:22, Eugene Grosbein wrote:
> 18.07.2017 1:19, Eugene Grosbein wrote:
>> 18.07.2017 0:48, Alan Somers wrote:
>>

Not answering any particular email in this thread, many thanks for your help.
That's plenty of ideas to try, so it may take some time!

Just one more question, since VNET was mentioned. Is it production ready now?
I remember there used to be problems with memory leaks. And why isn't it in
the kernel yet? Any plans for that?
Grzegorz J

From owner-freebsd-jail@freebsd.org Wed Jul 19 07:18:03 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-jail@FreeBSD.org
Subject: [Bug 220712] Extended attributes within a jail cant be set
Date: Wed, 19 Jul 2017 07:18:03 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-STABLE
X-Bugzilla-Who: dewayne@heuristicsystems.com.au
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-jail@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220712

--- Comment #2 from dewayne@heuristicsystems.com.au ---
(In reply to Mark Millard from comment #1)

Refer to short-term, unsafe (from the SAMBA developers' perspective)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844

Mark, as you've quoted, this was my reply, via the mailing-list, to Konstantin
(who I have great respect for).

"With the passage of 15 years other applications have come to use "system"
namespace extended attributes, as though they were in the host system.
Unfortunately if you have one physical box available to act as both an
authentication server (Quasi Active Directory) and a fileserver, then using
a jailed environment is the only solution.

By design? I suppose it's akin to saying, why would you want to use sysvipc
from within a jail, with its global namespace (since FreeBSD V5.0); or perhaps
the use of raw sockets (FreeBSD V6.0); or mount within a jail (FreeBSD V9.0);
or...? Probably because sophisticated use of jails is one of the many
outstanding features that sets FreeBSD apart from restrictive and antiquated
environments. Not all features of a base system should be reflected in a
jail, that would be silly; but where upstream applications use features, then
the enhancement of a jail's configuration via way of, at least, an option -
makes sense."

Interestingly the absence of the SYSTEM namespace within a jailed environment also
prohibits use of MAC BIBA|MLS|LOMAC.