Date: Thu, 12 Aug 2010 08:03:11 +0000 (GMT)
From: Brice ERRANDONEA <berrandonea@yahoo.fr>
To: freebsd-questions@FreeBSD.ORG, berrandonea@yahoo.fr
Subject: Re: How to connect a jail to the web?
Message-ID: <201846.75612.qm@web24603.mail.ird.yahoo.com>
In-Reply-To: <201008112055.o7BKtBP0053143@lurza.secnetix.de>
References: <201008112055.o7BKtBP0053143@lurza.secnetix.de>
192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the public one. I tried both as the jail's address. With the private one, neither portsnap nor ping work at all.

With the public one, I get this result:

FreeBSD# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
FreeBSD# /etc/rc.d/jail onestart server
Configuring jails:.
Starting jails: MaPrison.
FreeBSD# jexec 1 portsnap fetch
jexec: jail_attach(1): Invalid argument
FreeBSD# jls
   JID  IP Address      Hostname                      Path
     2  93.0.168.242    MaPrison                      /usr/prison
FreeBSD# jexec 2 portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
FreeBSD# jexec 2 ping www.yahoo.fr
ping: cannot resolve www.yahoo.fr: Host name lookup failure
FreeBSD# jexec 2 ping 69.147.83.33
PING 69.147.83.33 (69.147.83.33): 56 data bytes

Then nothing for a few minutes, so I used:

^C
--- 69.147.83.33 ping statistics ---
32 packets transmitted, 0 packets received, 100.0% packet loss

Data can be sent to the net now, but it seems it can't come back.

I also tried after opening the jail the same way you do:

FreeBSD# jail /usr/prison MaPrison 93.0.168.242 /bin/sh -E
# ping 69.147.83.33
PING 69.147.83.33 (69.147.83.33): 56 data bytes
^C
--- 69.147.83.33 ping statistics ---
30 packets transmitted, 0 packets received, 100.0% packet loss
# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
#

________________________________
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG; berrandonea@yahoo.fr
Sent: Wed 11 Aug 2010, 22:55:11
Subject: Re: How to connect a jail to the web ?

Brice ERRANDONEA <berrandonea@yahoo.fr> wrote:
> Oliver Fromme wrote:
> > sysctl security.jail.allow_raw_sockets=1
>
> I did it but ping still doesn't work.

Which IP address are you using for the jail now?

If you're using 127.0.0.1, you can only ping the host's
own IP addresses, because packets with a localnet IP
never leave a machine.

If you're using the "real" address (192.168.1.38) for
the jail, then you should be able to ping all addresses
that you can ping from the host. I just did a quick
test on my machine; it has the IP address 172.20.0.2
(which is being translated with NAT on my router, but
that doesn't matter):

HOST# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
HOST# jail / testjail 172.20.0.2 /bin/sh -E
# ping www.google.com
PING www.l.google.com (66.102.13.105): 56 data bytes
64 bytes from 66.102.13.105: icmp_seq=0 ttl=54 time=31.196 ms
64 bytes from 66.102.13.105: icmp_seq=1 ttl=54 time=25.553 ms
64 bytes from 66.102.13.105: icmp_seq=2 ttl=54 time=27.086 ms

> > > 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
>
> > Well, localnet addresses are not routed. If you give your
> > jail a localnet address, it won't be able to access the
> > network outside of the host. (Unless you take measures
> > to rewrite/translate the addresses and forward them.)
> > That's why DNS and portsnap don't work.
>
> > I suggest using the address 192.168.1.38 for the jail,
> > at least during installation. Make sure that the file
> > /etc/resolv.conf inside the jail is correct, so DNS will
> > work. Copying it from the host should be sufficient.
>
> Isn't 192.168.1.38 a localnet address too?

It's a private address (RFC 1918). I assume that you've got
a NAT router that translates it to a public IP address.

> Do you mean I should use the public ip of my computer here?

Do you have one? So far you only mentioned 192.168.1.38.

> I thought it was intended to be impossible to access the host from the jail.

It depends on what you want to do with the jail. Jails can
be used for vastly different purposes.

> But you're right: I'll forget that.

Good. :-)

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registry Court
Munich, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"Clear perl code is better than unclear awk code; but NOTHING
comes close to unclear perl code" (taken from comp.lang.awk FAQ)
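The thread works through three checks by hand: which JID to pass to jexec (jexec 1 failed while jls showed JID 2), whether the address given to the jail is one the host's interface actually carries (rl0 has 192.168.1.38; 93.0.168.242 is the router's public address), and whether the jail's /etc/resolv.conf names a resolver. The POSIX sh script below is an added example, not code from either poster; the jls and ifconfig output embedded in it is constructed from the values quoted in the thread so it runs offline, and the resolv.conf check takes a jail root directory as an argument.

```shell
#!/bin/sh
# Pre-flight checks for a FreeBSD jail's network setup (added example).
# The jls/ifconfig output below is CONSTRUCTED from values in the thread so
# the script runs offline; on a real host pass "$(jls)" and "$(ifconfig -a)".
JLS_SAMPLE='   JID  IP Address      Hostname                      Path
     2  93.0.168.242    MaPrison                      /usr/prison'
IFCONFIG_SAMPLE='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000'

# jail_jid HOSTNAME JLS_OUTPUT: the JID of the jail with that hostname, or
# empty. jexec wants the JID, not the rc.conf name: "jexec 1" failed in the
# thread because the jail was JID 2.
jail_jid() {
    printf '%s\n' "$2" | awk -v n="$1" 'NR > 1 && $3 == n { print $1 }'
}

# jail_ip HOSTNAME JLS_OUTPUT: the address jls reports for that jail.
jail_ip() {
    printf '%s\n' "$2" | awk -v n="$1" 'NR > 1 && $3 == n { print $2 }'
}

# ip_on_host IP IFCONFIG_OUTPUT: succeed if a host interface carries IP.
# A jail on an address the host does not own can send (default route) but
# replies are delivered elsewhere: the 100% packet loss seen in the thread.
ip_on_host() {
    printf '%s\n' "$2" |
        awk -v ip="$1" '$1 == "inet" && $2 == ip { f = 1 } END { exit !f }'
}

# resolv_ok JAILROOT: succeed if JAILROOT/etc/resolv.conf names a resolver;
# without one, lookups fail in the jail even when IP connectivity works.
resolv_ok() {
    grep -q '^nameserver[[:space:]]' "$1/etc/resolv.conf" 2>/dev/null
}

# check_jail HOSTNAME JLS_OUTPUT IFCONFIG_OUTPUT: one-line verdict; returns
# 1 if no such jail runs, 2 if its address is not on any host interface.
check_jail() {
    jid=$(jail_jid "$1" "$2"); ip=$(jail_ip "$1" "$2")
    [ -n "$jid" ] || { echo "$1: no running jail with that hostname"; return 1; }
    if ip_on_host "$ip" "$3"; then
        echo "$1: JID $jid, $ip is configured on the host"; return 0
    fi
    echo "$1: JID $jid, $ip is on no host interface; replies cannot arrive"
    return 2
}

check_jail MaPrison "$JLS_SAMPLE" "$IFCONFIG_SAMPLE" || :  # status is the verdict
```

Run against the real `jls` and `ifconfig -a` output, the non-zero exit status of check_jail tells you which of the two jail-side problems to fix before touching portsnap or DNS.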