From: Warren Block <wblock@wonkity.com>
To: Cary
Cc: freebsd-questions@freebsd.org
Date: Sun, 13 Sep 2015 21:09:55 -0600 (MDT)
Subject: Re: dhclient(8) sets wrong interface netmask on boot up
In-Reply-To: <55F624F9.2080202@flederma.us>
References: <55F398CA.7050308@flederma.us> <55F46514.9020702@flederma.us> <55F624F9.2080202@flederma.us>

On Sun, 13 Sep 2015, Cary wrote:

> On 09/12/2015 14:24, Warren Block wrote:
>> On Sat, 12 Sep 2015, Cary wrote:
>>> On 09/12/2015 10:45, Adam Vande More wrote:
>>>>>
>>>>> [/etc/rc.conf]
>>>>> hostname="public.fbsd.local"
>>>>> ifconfig_em0="DHCP"
>>>>> cloned_interfaces="${cloned_interfaces} lo1"
>>>>>
>>>> previous line doesn't make much sense.
>>>>
>>> That was copied from the FreeBSD handbook section on managing jails
>>> (https://www.freebsd.org/doc/handbook/jails-ezjail.html). I didn't think
>>> that the jails would mess with the base host network configuration.
>>
>> Well, they add aliases. The cloned_interfaces line lets the jails use a
>> separate loopback interface from the host.
>>
>>> However, after re-looking at the jail config, I changed the config line
>>> in /usr/local/etc/ezjail/www_local from:
>>>
>>> export jail_www_local_ip="lo1|127.0.1.1,em0|192.168.20.166"
>>> to
>>> export jail_www_local_ip="lo1|127.0.1.1"
>>
>> Wait, you were assigning the host's IP address to the jail? That's the
>> problem.
>>
>
> Thanks, Warren. The jails-ezjail.html page sets up the dnsjail example
> using both the cloned loopback and the system IP (Procedure 14.1). I
> guess in that case, the system IP was static and not DHCP-assigned?

Cloned loopback is fine, "working as intended" as they say.

Jails always use static IP addresses. If the ezjail example can be read as
suggesting reusing the host's IP address, that needs to be fixed.

Duplicating an IP address between jail and host evidently does not cause
quite the same problem as it would on two physical systems, but it's still
a problem. The jail code should check for a reused host IP address and
refuse to start. This would make a good bug report.

It's also possible that this is not checked because there is some way to
actually use jails that share the host IP address. If so, the right way to
do that should be documented in the Handbook.

>> The current setup (not specifying an IP address for the jail) ends up
>> using the host's IP address again. That also seems like a mistake, but
>> maybe not.
>
> I don't know what the default should be, but I appreciate the help in
> better understanding what is happening on the back-end.

Give each jail a unique static IP address. If they need to respond to
something on the host's IP address, redirect that port in a firewall.
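As an added example (not from the thread or from ezjail itself), here is the kind of pre-start check Warren suggests, written as a POSIX sh script: it parses an ezjail `jail_<name>_ip` value such as `lo1|127.0.1.1,em0|192.168.20.166` and reports any address that is already assigned to the host. The function names are mine, and the host's address list is passed in as an argument (on a real host it would be taken from `ifconfig -a` output).

```sh
#!/bin/sh
# Added example: refuse to start a jail whose IP list reuses a host address.
# Hypothetical helper names; the ezjail value format ("iface|addr[/len]",
# comma-separated, "iface|" optional) is the one shown in the thread.

# ezjail_ips "lo1|127.0.1.1,em0|192.168.20.166"
# Prints one bare address per line: the "iface|" prefix and any
# "/prefixlen" suffix are stripped, empty entries are dropped.
ezjail_ips() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -e 's/^[^|]*|//' -e 's,/.*$,,' -e '/^$/d'
}

# jail_ip_conflicts JAIL_IP_STRING "HOST_ADDR ..."
# Prints every jail address that is already configured on the host.
# Returns 0 when there is no overlap, 1 when the jail must not start.
# The host list would normally come from:
#   ifconfig -a | awk '/inet /{print $2}'
jail_ip_conflicts() {
    jail_spec=$1
    host_addrs=$2
    rc=0
    for ip in $(ezjail_ips "$jail_spec"); do
        for h in $host_addrs; do
            if [ "$ip" = "$h" ]; then
                printf '%s\n' "$ip"
                rc=1
            fi
        done
    done
    return $rc
}

# Usage from an rc-style wrapper (constructed host list for illustration):
#   if ! jail_ip_conflicts "$jail_www_local_ip" "127.0.0.1 192.168.20.166"; then
#       echo "jail reuses a host IP address, refusing to start" >&2
#   fi
```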