From: Brice ERRANDONEA
To: freebsd-questions@FreeBSD.ORG
Date: Sat, 14 Aug 2010 10:02:29 +0000 (GMT)
Subject: Re : Re : Re : How to connect a jail to the web ?
In-Reply-To: <201008121552.o7CFqOIM097376@lurza.secnetix.de>

I had a break with this yesterday. I've just tried your suggestions. It still
doesn't work but the error message has changed.

>> On the host when the jail is running :
>>
>> FreeBSD# jls
>>    JID  IP Address      Hostname                      Path
>>      1  93.0.168.242    MaPrison                      /usr/prison
>> FreeBSD# ifconfig
>> rl0: flags=8843 metric 0 mtu 1500
>>         options=8
>>         ether 00:11:09:15:72:6a
>>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>>         inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>>         media: Ethernet autoselect (100baseTX )

> Where did you get that second IP address from? Did you just
> add it manually? Or is that the address that your gateway
> (DSL router, whatever) got assigned from your ISP?

I added it manually in rc.conf (on the host) :

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="93.0.168.242"

I chose it because that's my computer's public ip, at least according to this
website : http://whatismyipaddress.com/

> I assume that IP address is not really routed to your host,
> but that NAT (Network Address Translation) is used on your
> router. So you cannot use that address on the host.
> (If that's not true, please explain the structure of your
> network in more detail.)

My network is very simple. I've got a kind of modem provided by my phone
company. It's called a "neufbox" and acts as a gateway. Its address is
192.168.1.1. This "neufbox" is connected to :

- the phone network
- a phone
- the FreeBSD computer through an ethernet wire
- two other computers via wifi

When I browse address 192.168.1.1 with firefox, I can see a page telling that
this is the neufbox, that internet and the phone are working, that the tv is not
connected (that's true) and that its public ip address is 93.0.168.242. It also
gives its MAC address and various other info.

> So, if my assumptions are true, you must use the address
> 192.168.1.38 for your jail.

OK. In /etc/rc.conf, I changed this line (see above) :
jail_server_ip="198.168.1.38"

> Make sure that DNS is working
> inside the jail ... It should be sufficient to copy
> /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

/etc/resolv.conf only contains this single line : nameserver 192.168.1.1

I placed a copy of this file in the jail.

After these changes and a complete reboot, I launched the jail and tried a
portsnap fetch :

FreeBSD# /etc/rc.d/jail onestart server
Configuring jails:.
Starting jails: MaPrison.
FreeBSD# jls
   JID  IP Address      Hostname                      Path
     1  192.168.1.38    MaPrison                      /usr/prison
FreeBSD# jexec 1 portsnap fetch
Looking up portsnap.FreeBSD.org mirrors...
/usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1699:
internal_send: 192.168.1.1#53: Invalid argument

/usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1699:
internal_send: 192.168.1.1#53: Invalid argument

none found.

Fetching public key from portsnap.FreeBSD.org... failed.

No mirrors remaining, giving up.

FreeBSD#

Then, firefox (on the host) was no longer able to browse. I tried this on the
host :

FreeBSD# ping www.freebsd.org
ping: cannot resolve www.freebsd.org: Host name lookup failure

In other words, it appeared that DNS was no longer working, even on the host.

I rebooted again. This time, I didn't launch the jail. ping and Firefox worked
perfectly well on the host as they always had before.

> If it still doesn't work: Are you using any packet filter
> (ipfw, ipf, pf)? If so, please show the complete list of
> rules.

No, I don't. You told me it was not necessary.

> Otherwise, it might help to run tcpdump(1) on the host, so
> you can see the actual packets that are transmitted and
> received.

Here's what tcpdump says when the jail is NOT running (but Firefox is) :

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:08:50.300910 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 263
09:08:50.301378 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 335
09:08:50.301822 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 331
09:08:50.302275 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 311
09:08:50.302933 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 343
09:08:50.303485 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 325
09:08:50.303938 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.304383 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
09:08:51.917971 IP FreeBSD.32837 > neufbox.domain: 24447+ PTR? 38.1.168.192.in-addr.arpa. (43)
09:08:51.918870 IP neufbox.domain > FreeBSD.32837: 24447* 1/0/0 (64)
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
FreeBSD#

Then, I started the jail. Firefox immediately stopped being able to browse
websites. I tried a tcpdump on the host while running portsnap fetch in the
jail :

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:43:50.334064 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:43:50.334499 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:43:50.334966 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:43:50.335402 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:43:50.335944 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:43:50.336560 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.333341 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:44:20.333807 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:44:20.334246 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:44:20.334684 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:44:20.335165 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:44:20.335603 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:44:20.336040 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.336480 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
FreeBSD#

If you compare these two tcpdumps, you can see that the word "neufbox" is
replaced by 192.168.1.1. It confirms that DNS is no longer running.

Not easy...

Brice



________________________________
From: Oliver Fromme
To: freebsd-questions@FreeBSD.ORG; berrandonea@yahoo.fr
Sent: Thu 12 Aug 2010, 17:52:24
Subject: Re: Re : Re : How to connect a jail to the web ?

Brice ERRANDONEA wrote:
> On the host, when the jail is not running :
>
> %ifconfig
> rl0: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         media: Ethernet autoselect (100baseTX )

OK, so 192.168.1.38 is the only (non-localnet) IP address that
you have. You should use that one for your jail.

> On the host when the jail is running :
>
> FreeBSD# jls
>    JID  IP Address      Hostname                      Path
>      1  93.0.168.242    MaPrison                      /usr/prison
> FreeBSD# ifconfig
> rl0: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>         media: Ethernet autoselect (100baseTX )

Where did you get that second IP address from? Did you just
add it manually? Or is that the address that your gateway
(DSL router, whatever) got assigned from your ISP?

I assume that IP address is not really routed to your host,
but that NAT (Network Address Translation) is used on your
router. So you cannot use that address on the host.
(If that's not true, please explain the structure of your
network in more detail.)

So, if my assumptions are true, you must use the address
192.168.1.38 for your jail. Make sure that DNS is working
inside the jail ... It should be sufficient to copy
/etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

If it still doesn't work: Are you using any packet filter
(ipfw, ipf, pf)? If so, please show the complete list of
rules.

Otherwise, it might help to run tcpdump(1) on the host, so
you can see the actual packets that are transmitted and
received.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich registry court, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Munich registry
court, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"C++ is the only current language making COBOL look good."
        -- Bertrand Meyer
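As an added example (not from the thread or from either poster), a small sh/awk check that does mechanically what the comparison of the two captures above does by eye: given tcpdump text on stdin, it reports whether any DNS queries (port 53, printed as ".domain" or ".53") reached the wire, whether replies came back, and how many peers tcpdump could print by name instead of as a bare dotted quad. The two sample captures are constructed, shortened from the ones in the mail.

```shell
#!/bin/sh
# Constructed samples modelled on the two captures in the thread.
CAP_JAIL_OFF='09:08:50.300910 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 263
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)'

CAP_JAIL_ON='09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335'

# dns_status: read a tcpdump capture on stdin and print one line:
#   dns-missing     no query to port 53 ever appeared on the wire
#                   (the failure is local to the host: socket, route, or address)
#   dns-unanswered  queries were sent but no reply came back from the server
#   dns-ok          queries were sent and answered
# followed by named_peers=N, the number of packets whose source tcpdump
# printed as a hostname (it could only do that if reverse lookups worked).
dns_status() {
    awk '
    /^[0-9:.]+ IP / {
        src = $3; dst = $5; sub(/:$/, "", dst)
        if (dst ~ /\.(domain|53)$/) queries++
        if (src ~ /\.(domain|53)$/) replies++
        # a source printed as dotted quad + port means no name was resolved
        if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9a-z]+$/) named++
    }
    END {
        if (queries == 0)      status = "dns-missing"
        else if (replies == 0) status = "dns-unanswered"
        else                   status = "dns-ok"
        print status " named_peers=" (named + 0)
    }'
}

printf 'jail off: %s\n' "$(printf '%s\n' "$CAP_JAIL_OFF" | dns_status)"
printf 'jail on:  %s\n' "$(printf '%s\n' "$CAP_JAIL_ON"  | dns_status)"
```

On a real host, feed it a saved capture instead: tcpdump -l -i rl0 | dns_status (run without -n, since the name-resolution counter relies on tcpdump's own lookups).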