From owner-freebsd-questions@freebsd.org Sun Dec 4 01:59:37 2016
Message-ID: <5843788A.2080902@gmail.com>
Date: Sun, 04 Dec 2016 09:59:38 +0800
From: Ernie Luzar
To: DTD
CC: freebsd-questions@FreeBSD.org
Subject: Re: Can't ping in jail
References: <584368A1.5080206@gmail.com>

DTD wrote:
> On Sun, 4 Dec 2016, Ernie Luzar wrote:
>
>> doug wrote:
>>> On Sat, 3 Dec 2016, doug wrote:
>>>
>>>> This is a 9.3-RELEASE-p49 system. In the jail:
>>>>
>>>> gaia:~> sysctl security.jail.allow_raw_sockets
>>>> security.jail.allow_raw_sockets: 1
>>>>
>>>> gaia:~> ifconfig
>>>> em0: flags=8843 metric 0 mtu 1500
>>>>         options=4219b
>>>>         ether c8:9c:dc:eb:ab:fb
>>>>         inet 192.168.2.110 netmask 0xffffffff broadcast 192.168.2.110
>>>>         media: Ethernet autoselect (100baseTX )
>>>>         status: active
>>>> lo0: flags=8049 metric 0 mtu 16384
>>>>         options=600003
>>>>
>>>> and as root
>>>>
>>>> gaia:/home/doug# ping -c 2 192.168.2.102
>>>> PING 192.168.2.102 (192.168.2.102): 56 data bytes
>>>> ping: sendto: Can't assign requested address
>>>> ping: sendto: Can't assign requested address
>>>> ^C
>>>> --- 192.168.2.102 ping statistics ---
>>>> 2 packets transmitted, 0 packets received, 100.0% packet loss
>>>>
>>>> ctrl-c is required to end the command. This is without a loopback
>>>> defined. If I define the loopback I can ping 127.0.0.1 but nothing
>>>> else. What am I missing?
>>>
>>> Okay after lots of reading: handbook, man pages, wikis, and google
>>> (I did RTFM) I am pretty sure I have a routing issue and that
>>> security.jail.allow_raw_sockets works. That said, I give up. The host
>>> was getting its IP via DHCP so I changed that, defined the host as a
>>> gateway, did what I know how to do with netmasks and set all the
>>> sysctls that seemed remotely related to this in the host. At the end
>>> of the day virtually all combinations of the aforementioned allow the
>>> jail to ping its own IP and localhost. Now moving on to stuff that
>>> pays the rent. Any thoughts welcomed though.
>>
>> Hello Doug.
>>
>> You're asking for help, but providing a very small amount of information
>> about how you created your jails and the network surrounding your host.
>>
>> Are your jails defined using the legacy method with definition
>> statements in /etc/rc.conf or the modern way using /etc/jail.conf?
>>
>> Is this a single host with ISP-assigned dynamic IP addresses?
>>
>> Is there a LAN behind the host with real computers attached, or are
>> you using a second NIC just to address the jails?
>>
>> Do you have a firewall doing NAT for the jail's [non public routable
>> IP address]?
>>
>> How did you create your jail directory tree?
>>
>> Are you using nullfs?
>>
>> Did you use any of the port utilities for creating your jail environment?
>>
>> The above will give you plenty to think about.
>>
>> ******************************************************************
>>
>> First off 9.3 reaches EOL [end of life] next month. There have been a
>> lot of changes to jail(8) between 9.3 and 11.0. You should have moved
>> to 11.0 already. You're not going to get jail support for an EOL system.
>>
>> I strongly suggest you install the package named jail-primer; it
>> will go a long way filling in the background info you seem to be
>> lacking about jails in general.
>>
>> Once you're on 11.0 then install the package named qjail.
>> It automates jail management in a very user friendly manner,
>> automatically doing all the little details for you.
>>
>> First you have to get the host communicating with the public network
>> before you start playing with jails.
>>
>> As a general rule there is no need to be using any sysctl nibs.
>> At a bare minimum you need this in rc.conf
>>
>> hostname="doughost.com"
>> gateway_enable="YES"
>> ifconfig_em0="DHCP"
>>
>> After doing your homework and having played with qjail, if you need
>> help then post here again but give greater details about your
>> environment.
>>
>> Good Luck.
>
> Thank you that was indeed a lot of stuff. I will ponder and check things
> out. I am using ezjail which I like. I inferred from the handbook, man
> jail and some reading on jails that if you could route TCP from the jail
> then all you had to do to route ICMP was set
> security.jail.allow_raw_sockets. I did not say but perhaps should have
> said the host and the jails are on a LAN (192.168.2.0/24) behind a
> firewall that connects to a router and out to the internet. The host and
> the jails can use any TCP based protocol to connect to any server either
> in the LAN or on the internet. I infer from all this that routing ICMP
> from within a jail requires some additional support. The host has one
> NIC shared by all the jails. The jails can do anything except ping.
>
> Thanks again for all the pointers

This post sheds a lot of light on your problem. ezjail uses the legacy method with definition statements in /etc/rc.conf and qjail uses the modern way using /etc/jail.conf. qjail is a fork of ezjail so many things will feel the same moving to qjail. The ezjail and qjail directory trees are named differently and use different internal control files, so you would have to build your qjail jails anew. qjail and ezjail can both run on the same host at the same time, just using different jail IP addresses. Both methods have statements for enabling allow_raw_sockets on a jail by jail basis, which is the way it should be done. The sysctl nib has to be issued on the host where the jails are, not the gateway host connected to the public network. ezjail requires manual starting and stopping of the IP alias for the jail. qjail does all that for you without you having to take any actions. There is a qjail version for 9.x systems, but it's outdated and at EOL.
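The thread above boils down to three things to verify on the jail host before touching any other sysctl: that the jail's IP alias is actually configured on a host interface (ezjail leaves starting that alias to you), that the per-jail allow.raw_sockets parameter is on, and that the sysctl default was read on the host running the jails rather than on the gateway. The script below is an added example for this thread, not code from the thread, ezjail or qjail. It assumes one IPv4 address per jail, that `jls -j NAME allow.raw_sockets` prints the boolean as 1 or 0, and that ifconfig prints addresses as "inet A.B.C.D ..." lines; the pure functions take that command output as text so they can be exercised with constructed samples off a FreeBSD box.

```shell
#!/bin/sh
# Added diagnostic for the "Can't ping in jail" thread (not from ezjail/qjail).
# Assumptions: one IPv4 address per jail; `jls -j NAME allow.raw_sockets`
# prints 1 or 0; ifconfig prints "inet A.B.C.D ..." lines.

# ip_is_on_host IFCONFIG_TEXT IP
# Succeeds if IP appears as an "inet" address in the ifconfig output,
# i.e. the jail's alias really is configured on a host interface.
ip_is_on_host() {
    _re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*inet ${_re}([[:space:]]|$)"
}

# raw_sockets_allowed JLS_TEXT
# Succeeds if the per-jail allow.raw_sockets parameter is on (value 1).
raw_sockets_allowed() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# diagnose_jail IFCONFIG_TEXT JLS_TEXT JAIL_IP
# Prints one of: alias-missing, raw-sockets-off, ok.
# A missing alias is what makes ping's sendto() fail with
# "Can't assign requested address": the kernel has no such source address
# to put on the packet. With raw sockets off, ping fails earlier, when it
# opens its socket, so the alias is checked first.
diagnose_jail() {
    if ! ip_is_on_host "$1" "$3"; then
        echo "alias-missing"
    elif ! raw_sockets_allowed "$2"; then
        echo "raw-sockets-off"
    else
        echo "ok"
    fi
}

# run_on_host JAILNAME: gather the live values on the FreeBSD jail host.
# The sysctl is read here, on the host that runs the jails, not on the gateway.
run_on_host() {
    _ifc=$(ifconfig)
    _raw=$(jls -j "$1" allow.raw_sockets)
    _jip=$(jls -j "$1" ip4.addr)
    echo "host default security.jail.allow_raw_sockets: $(sysctl -n security.jail.allow_raw_sockets)"
    echo "jail $1 ($_jip): $(diagnose_jail "$_ifc" "$_raw" "$_jip")"
}

# Usage: sh jailping-check.sh <jailname>   (as root, on the jail host)
if [ $# -gt 0 ]; then
    run_on_host "$1"
fi
```

When the verdict is alias-missing on an ezjail host, the fix is the one Ernie describes: bring up the jail's IP alias on the host interface (or let qjail manage it) rather than adding more sysctls.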