From owner-freebsd-questions@FreeBSD.ORG Mon Mar 22 09:47:14 2010
Message-ID: <4BA73C9D.7090900@comclark.com>
Date: Mon, 22 Mar 2010 17:47:09 +0800
From: Aiza
To: Mark Shroyer
Cc: freebsd-questions@freebsd.org
Subject: Re: ezjail
In-Reply-To: <4BA6CB8B.8070309@markshroyer.com>
References: <4BA5AA53.5030503@comclark.com> <4BA69566.2040504@markshroyer.com> <4BA6B80F.7050806@comclark.com> <4BA6CB8B.8070309@markshroyer.com>

Mark Shroyer wrote:
> On 3/21/2010 8:21 PM, Aiza wrote:
>> Does the IP address notation for the jail include the port number?
>> Like 10.0.20.2:80? NAT port forwarding is the long way around just to get
>> the correct port number to the jail IP address.
>
> Nope, jails are assigned one (or more) specific IP addresses, but not
> specific port numbers. So if you don't have a separate public IP for
> your jail, you'll be relying on some sort of packet filter to redirect
> traffic to its private IP address.
>
> This isn't as big a deal as it may sound, especially if you're already
> using PF, which has built-in packet redirection capabilities that do not
> require you to run a separate NAT daemon.
>

My host 8.0 system is the gateway to the public internet. I have ipfilter running, blocking all inbound requests for service. I only allow outbound requests from the LAN behind the gateway and use keep state to allow the packet conversation to continue. All this has worked fine for years across many releases of FreeBSD.

Now comes playing with jails. I created 3 jails, www, ftp and telnet, and used the IP addresses 10.0.20.20, 10.0.20.30 and 10.0.20.40. The goal is to target those jails from other PCs on the private LAN that are using IP addresses in the 10.0.10.2 through 10.0.10.8 range.

I used ezjail-admin onestart and all the jails start. Then I did ezjail-admin console ftp.local.com and got logged into that jail. Edited /etc/inetd.conf and uncommented the ftp line. Edited /etc/rc.conf adding inetd_enable="YES" and exited the ftp jail. Did ezjail-admin onestop followed by ezjail-admin onestart to cycle the ftp jail to activate the ftp function. ezjail-admin console ftp.local.com to get logged into that jail again.

From within the jail, ping -c 2 10.0.10.6, which is a PC on the LAN, gives me a "no sockets" message. And ftp from 10.0.10.6 to 10.0.20.30, the ftp jail, gives me a "no connection" error. What is the problem here?
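An added illustration for the setup described in this thread (it is not from the thread, and not ezjail's or ipfilter's own documentation): ipfilter rules for the LAN side of the gateway that keep the default-deny posture while letting the 10.0.10.0/24 clients reach each jail only on the service it is meant to offer. The LAN interface name em1 and the jail IPs being aliases on the host are assumptions.

```ipf
# Added example, not from the thread. Assumes: LAN interface em1 on the
# gateway, jail addresses 10.0.20.20/30/40 aliased on the host, and LAN
# clients in 10.0.10.0/24. ipfilter evaluates rules in order and the last
# match wins unless a rule says "quick", so the default deny goes first.

# Default: nothing reaches the host or the jails from the LAN side unless
# a later rule explicitly allows it. Log what gets dropped.
block in log on em1 all

# Allow LAN clients to ping the jail addresses (the host kernel answers
# for aliases), which keeps ICMP available for troubleshooting.
pass in quick on em1 proto icmp from 10.0.10.0/24 to 10.0.20.0/24 icmp-type echo keep state

# One rule per jail, one port per jail: www, ftp, telnet.
# "flags S" matches only the connection-opening packet; "keep state"
# lets the rest of that connection through without further rules.
pass in quick on em1 proto tcp from 10.0.10.0/24 to 10.0.20.20 port = 80 flags S keep state
pass in quick on em1 proto tcp from 10.0.10.0/24 to 10.0.20.30 port = 21 flags S keep state
pass in quick on em1 proto tcp from 10.0.10.0/24 to 10.0.20.40 port = 23 flags S keep state

# FTP opens a second (data) connection. Active mode originates from the
# jail's port 20 toward the client, so the outbound policy on em1 must
# permit it; passive mode needs the server's passive port range opened
# inbound as well. Port 21 alone only covers the control channel.
```

Note that ping from inside a jail is a separate matter: a jail cannot open raw sockets unless security.jail.allow_raw_sockets is set to 1, so ICMP echo originating in the jail fails regardless of the firewall rules.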