From owner-freebsd-questions@FreeBSD.ORG Mon Mar 22 09:56:15 2010
From: Ruben de Groot
To: Aiza
Cc: Mark Shroyer, freebsd-questions@freebsd.org
Date: Mon, 22 Mar 2010 10:55:46 +0100
Subject: Re: ezjail
Message-ID: <20100322095545.GA77714@ei.bzerk.org>
In-Reply-To: <4BA73C9D.7090900@comclark.com>
References: <4BA5AA53.5030503@comclark.com> <4BA69566.2040504@markshroyer.com> <4BA6B80F.7050806@comclark.com> <4BA6CB8B.8070309@markshroyer.com> <4BA73C9D.7090900@comclark.com>

On Mon, Mar 22, 2010 at 05:47:09PM +0800, Aiza typed:
> Mark Shroyer wrote:
> >On 3/21/2010 8:21 PM, Aiza wrote:
> >>Does the IP address notation for the jail include the port number?
> >>Like 10.0.20.2:80? NAT port forwarding is the long way around just to get
> >>the correct port number to the jail IP address.
> >
> >Nope, jails are assigned one (or more) specific IP addresses, but not
> >specific port numbers. So if you don't have a separate public IP for
> >your jail, you'll be relying on some sort of packet filter to redirect
> >traffic to its private IP address.
> >
> >This isn't as big a deal as it may sound, especially if you're already
> >using PF, which has built-in packet redirection capabilities that do not
> >require you to run a separate NAT daemon.
> >
>
> My host 8.0 system is the gateway to the public internet.
> I have ipfilter running, blocking all inbound requests for service.
> I only allow outbound requests from the LAN behind the gateway and use
> keep state to allow the packet conversation to continue. All this has
> worked fine for years across many releases of FreeBSD.
>
> Now comes playing with jails. I created 3 jails, www, ftp, telnet, and
> used the IP addresses 10.0.20.20, 10.0.20.30, 10.0.20.40. The goal is to
> target those jails from other PCs on the private LAN, which are using IP
> addresses in the 10.0.10.2 through 10.0.10.8 range.
>
> I used ezjail-admin onestart and all the jails start. Then I did
> ezjail-admin console ftp.local.com and got logged into that jail. Edited
> /etc/inetd.conf and uncommented the ftp line. Edited /etc/rc.conf, adding
> inetd_enable="YES", and exited the ftp jail. Did ezjail-admin onestop
> followed by ezjail-admin onestart to cycle the ftp jail to activate the
> ftp function. ezjail-admin console ftp.local.com to get logged into that
> jail again. From within the jail, ping -c 2 10.0.10.6 (which is a PC
> on the LAN) gives me a "no sockets" message. And ftp from 10.0.10.6 to
> 10.0.20.30 (the ftp jail) gives me a "no connection" error.
>
> What is the problem here?

How are we supposed to know?

Ruben
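The message above describes the ipfilter policy only in prose (block everything inbound, allow outbound from the LAN with keep state). Two facts about FreeBSD jails bear on the symptoms it reports: a jail's IP addresses are aliases on the host's interfaces, so a connection from a LAN client to a jail address is inbound traffic on the host as far as ipfilter is concerned and an inbound-deny ruleset with no pass rule for it will drop it; and ping inside a jail needs a raw socket, which jails refuse unless the host sets security.jail.allow_raw_sockets=1, which is a jail restriction and not a firewall matter. The following ipf.rules file is an added example written for this page, not something posted in the thread or shipped by ezjail. The interface names ext0 (public) and lan0 (private) and the service ports (80 for www, 21 for ftp, 23 for telnet) are assumptions.

```conf
# /etc/ipf.rules -- added example ruleset for a gateway host whose jails
# sit on 10.0.20.20, 10.0.20.30 and 10.0.20.40 as aliases on lan0, with
# LAN clients at 10.0.10.2-10.0.10.8. Interface names and ports are assumed.
#
# Not a firewall rule, but related to the ping failure reported above:
#   sysctl security.jail.allow_raw_sockets=1   # on the host, if jails must ping

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Public side: nothing unsolicited comes in; anything going out creates
# state so that the replies are matched by the state table, not by rules.
block in  on ext0 all
pass  out on ext0 proto tcp  from any to any flags S keep state
pass  out on ext0 proto udp  from any to any keep state
pass  out on ext0 proto icmp from any to any keep state

# Private side: default deny inbound, then explicit passes. A LAN client
# talking to a jail address arrives *inbound* on lan0 (the client routes
# 10.0.20.x via its default gateway, this host), so without these pass
# rules the ftp attempt from 10.0.10.6 never reaches inetd in the jail.
block in on lan0 all
pass  in quick on lan0 proto tcp from 10.0.10.0/24 to 10.0.20.20 port = 80 flags S keep state
pass  in quick on lan0 proto tcp from 10.0.10.0/24 to 10.0.20.30 port = 21 flags S keep state
pass  in quick on lan0 proto tcp from 10.0.10.0/24 to 10.0.20.40 port = 23 flags S keep state
# The FTP rule covers the control channel only; the data connection of
# active or passive FTP needs further rules or ipfilter's ftp proxy.

# LAN clients going out to the internet through the gateway (state created
# here matches the replies coming back in on ext0).
pass  in quick on lan0 from 10.0.10.0/24 to any keep state

# Connections the host or a jail initiates toward the LAN (for example the
# jail's ping once raw sockets are permitted). Replies to the inbound
# passes above are already covered by their state entries.
pass  out quick on lan0 all keep state
```

Load with `ipf -Fa -f /etc/ipf.rules` and confirm with `ipfstat -io` that the lan0 pass rules are present; `sockstat -4 -j <jid>` in the host shows whether inetd in the jail is actually listening on 10.0.20.30:21, which separates a firewall problem from a jail configuration problem.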