From: Peter Pentchev
To: stakys@punktas.lt
Cc: freebsd-security@freebsd.org
Date: Tue, 5 Aug 2003 13:36:36 +0300
Subject: Re: Problems with JAIL in 4.8R
Message-ID: <20030805103636.GU358@straylight.oblivion.bg>

On Tue, Aug 05, 2003 at 01:20:23PM -0000, stakys@punktas.lt wrote:
> On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> > Hi, I've set the outside IP for the jail. It works. When I try to ssh to
> > the jail'ed system from the main system (in which the jail is created) the
> > connection is successful, but when I try to connect to the jailed system
> > from anywhere else I get this message:
> > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > What can be wrong here? How to solve this problem?
>
> >> Are you running some sort of firewall on the main system? You might
> >> have to add additional rules allowing SSH into the jailed one...
>
> >> G'luck,
> >> Peter
>
> I'm running IPFW but I put such lines in ipfw.rules to be sure that it's
> not the firewall's fault, about connecting to the jail'ed system from outside.
> Here are the lines:
> ipfw add 50 allow ip from any to any via lo0
> ipfw add 51 allow ip from any to any via rl0

If it would not be a great security risk, could you post the whole set
of ipfw rules that you are using? Alternatively, could you add a 'log'
clause to all the 'deny' rules, and then watch for denied packets in the
syslog? As another alternative, you could 'ipfw -f' for the duration
of the test...

Sorry if I seem fixated on ipfw, but in my limited experience, it is
the single most common reason for jail network connectivity problems :)
Closely followed by missing /etc/resolv.conf files in jail/chroot
filesystems, but that's another story...

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@sbnd.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
because I didn't think of a good beginning of it.
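
Added example, not part of the message above: once the 'deny' rules carry a 'log' clause, a filter like this shows which rule is dropping SSH traffic addressed to the jail. The function names, addresses, rule numbers and interface are hypothetical, and the log lines are constructed in the usual ipfw syslog layout.

```shell
#!/bin/sh
# Constructed sample of ipfw log lines (documentation addresses, made-up rule
# numbers and interface); this is not the poster's ruleset or log.
sample_log() {
    cat <<'EOF'
Aug  5 13:40:01 host /kernel: ipfw: 65535 Deny TCP 198.51.100.7:40112 192.0.2.10:22 in via fxp0
Aug  5 13:40:04 host /kernel: ipfw: 65535 Deny TCP 198.51.100.7:40112 192.0.2.10:22 in via fxp0
Aug  5 13:40:06 host /kernel: ipfw: 400 Deny TCP 203.0.113.5:51000 192.0.2.10:22 in via fxp0
Aug  5 13:40:09 host /kernel: ipfw: 400 Deny UDP 203.0.113.5:53 192.0.2.1:1025 in via fxp0
Aug  5 13:40:12 host /kernel: ipfw: 300 Accept TCP 203.0.113.5:51001 192.0.2.10:22 in via fxp0
Aug  5 13:40:15 host sshd[412]: Accepted password for demo from 192.0.2.1 port 1030
EOF
}

# denied_to_jail JAIL_IP PORT   (log on stdin)
# One output line per rule that denied traffic to JAIL_IP:PORT:
#   <rule> <hits> <direction> <interface> <last source address>
denied_to_jail() {
    awk -v want="$1:$2" '
    {
        # Locate the "ipfw:" tag so any syslog prefix is tolerated.
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next                        # not an ipfw line
        # Layout after the tag: rule action proto src:port dst:port dir via if
        if ($(i+2) != "Deny" || $(i+5) != want) next
        rule = $(i+1)
        src = $(i+4); sub(/:[0-9]+$/, "", src)  # drop the source port
        hits[rule]++
        dir[rule] = $(i+6); ifc[rule] = $(i+8); last[rule] = src
    }
    END {
        for (r in hits) print r, hits[r], dir[r], ifc[r], last[r]
    }' | sort -n
}

# Stand-alone run over the constructed sample.
sample_log | denied_to_jail 192.0.2.10 22
```

On a live host the input would be the file syslog writes kernel messages to (commonly /var/log/security on FreeBSD), and the sysctl net.inet.ip.fw.verbose must be 1 for 'log' rules to produce any lines.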