From owner-freebsd-questions@FreeBSD.ORG Tue Jul 17 09:46:36 2012
From: "Herbert J. Skuhra" <h.skuhra@gmail.com>
To: freebsd-questions@freebsd.org
Date: Tue, 17 Jul 2012 11:46:34 +0200
Subject: Re: Jails on FreeBSD 9.0
References: <87fw8yariq.wl%h.skuhra@gmail.com>

On Tue, Jul 17, 2012 at 9:59 AM, Kalle Møller wrote:
> On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra wrote:
>> On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu wrote:
>>> 2012/7/12 Herbert J. Skuhra :
>>>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra wrote:
>>>>> Hi,
>>>>>
>>>>> although I've followed the instructions in jail(8) and jail.conf(5) I
>>>>> cannot manage to set up jails on FreeBSD 9.0 STABLE (r238334).
>>>>>
>>>>> The symptoms:
>>>>>
>>>>> * ssh'ing to the jail works, but it takes about 20 seconds until the
>>>>> password prompt appears
>>>
>>> Is it still the same with UseDNS=no in /etc/ssh/sshd_config?
>>
>> No, I can log in instantly.
>>
>>>>> * netstat -r in the jail takes about 150 seconds to finish
>>>
>>> Does netstat -rn do the same?
>>
>> No, the output appears immediately.
>>
>>>>> * connections to the internet time out; with tcpdump I see that
>>>>> packets leave and enter the public interface on the host, but never
>>>>> reach the jail
>>>>>
>>>>> I use the lo1 interface and IP address 192.168.1.1/24 for the jail. The
>>>>> public interface is fxp0 with both an IPv4 and an IPv6 address assigned.
>>>>> Of course, NAT is enabled via pf on the public interface.
>>>
>>> Can you post your PF configuration?
>>>>
>>>> After switching to ipfw/natd, networking in the jail works.
>>>> Could this be a bug?
>>>
>>> I think you had an issue with a firewall that blocks name resolution and
>>> makes everything go slow. At least you need one single line in your
>>> pf.conf:
>>>
>>> nat on $public_interface from $jail_ip to any -> ($public_interface)
>>
>> Even when loading only the nat rule it doesn't work:
>>
>> nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr
>>
>> Thanks.
>> Herbert
>
>
> As Mark Felder wrote:
>
> You don't have anything in /etc/resolv.conf in the jail, do you? :-)

I have two nameservers listed!

If I boot a kernel with ipfirewall/ipdivert and run natd, the network in
the jail works! With pf: I see the packets going out/coming in on fxp0,
but somehow the jail does not "see" them.

A 'dig www.google.com' in the jail fails with "connection timed out; no
servers could be reached", but:

11:39:45.666630 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:45.694045 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.176, A 173.194.35.179, A 173.194.35.180, A 173.194.35.178 (132)
11:39:50.667799 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:50.687083 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.178, A 173.194.35.179, A 173.194.35.180, A 173.194.35.176 (132)
11:39:55.668783 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:55.675917 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.180, A 173.194.35.177, A 173.194.35.179, A 173.194.35.176, A 173.194.35.178 (132)

And 'nc 173.194.35.177 80':

11:41:52.176904 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0
11:41:53.382320 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445659753 ecr 8593173,nop,wscale 6], length 0
11:41:54.088585 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8596173 ecr 0], length 0
11:41:54.098838 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0
11:41:55.796638 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445662155 ecr 8593173,nop,wscale 6], length 0
11:41:57.288596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8599373 ecr 0], length 0
11:41:57.299125 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445663650 ecr 8593173,nop,wscale 6], length 0
11:42:00.488595 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
11:42:00.498606 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666834 ecr 8593173,nop,wscale 6], length 0
11:42:00.621724 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666957 ecr 8593173,nop,wscale 6], length 0
11:42:03.688596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
11:42:03.698762 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445670018 ecr 8593173,nop,wscale 6], length 0
11:42:06.888595 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
11:42:06.899032 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445673202 ecr 8593173,nop,wscale 6], length 0
11:42:13.088586 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
[...]

% uname -rms
FreeBSD 9.1-PRERELEASE amd64

Regards,
Herbert
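The two captures above carry the whole diagnosis in their sequence numbers: the remote side keeps answering (SYN-ACKs acknowledging 2143442671, DNS replies for transaction 10794), while the jail keeps re-sending the very same SYN (ISN 2143442670) and the very same DNS query ID. Replies that are visible on the public interface but are then re-requested unchanged never reached the originating socket, which is what you would expect if they are translated back by NAT on fxp0 but not forwarded to the jail's address on lo1. The script below is an added example, not part of Herbert's mail or of any FreeBSD tool: it reads `tcpdump`-style text (IPv4 only, the default `host.port` notation) and counts, per flow, how often a client re-sent a SYN after a matching SYN-ACK had already been seen, and how often a resolver re-sent a query ID that had already been answered. The heuristic and the sample capture (documentation addresses 192.0.2.0/24 and 198.51.100.0/24, modelled on the posted lines) are my assumptions; a healthy handshake and a healthy lookup are included for contrast. It only shows what a capture on the public interface implies; capturing on lo1 at the same time is the check that confirms where the packet is dropped.

```python
"""Flag replies that reached the capture interface but were evidently never
consumed by the originating socket, from tcpdump text output.

Heuristic (an assumption of this example, not a FreeBSD facility):
  * TCP: a SYN-ACK acknowledging ISN+1 was already seen, and the client
    re-sends a SYN with the same ISN -> the SYN-ACK never reached its stack.
  * DNS: a reply for transaction ID X was already seen, and the client
    re-sends a query with ID X -> the reply never reached the resolver.
"""
import re
from collections import defaultdict

# "HH:MM:SS.usec IP src.port > dst.port: rest"  (IPv4 lines only; IP6 is skipped)
_HDR = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
_TCP = re.compile(r"^Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?")
_DNS_Q = re.compile(r"^(?P<id>\d+)\+?\s+\S+\?\s")      # "10794+ A? www.google.com."
_DNS_R = re.compile(r"^(?P<id>\d+)\s+\d+/\d+/\d+")     # "10794 6/0/0 CNAME ..."


def _endpoint(s):
    """'192.0.2.10.56936' -> '192.0.2.10:56936' (port may be a name like 'http')."""
    host, port = s.rsplit(".", 1)
    return f"{host}:{port}"


def parse_line(line):
    """Return (ts, src, dst, rest) for an IPv4 packet line, else None."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    return m["ts"], _endpoint(m["src"]), _endpoint(m["dst"]), m["rest"]


def analyze(lines):
    """Count replies seen on the wire that the sender apparently never received."""
    synack_acks = defaultdict(set)   # (client, server) -> ack numbers of SYN-ACKs seen
    answered = set()                 # (client, server, txid) of DNS replies seen
    tcp_findings = defaultdict(int)  # "client -> server" -> SYNs re-sent after a SYN-ACK
    dns_findings = defaultdict(int)  # "client -> server id N" -> queries re-sent after a reply

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # comments, blank lines, non-IPv4 traffic
        _, src, dst, rest = parsed
        tcp = _TCP.match(rest)
        if tcp:
            if tcp["flags"] == "S." and tcp["ack"]:
                synack_acks[(dst, src)].add(int(tcp["ack"]))       # server -> client
            elif tcp["flags"] == "S" and tcp["seq"]:
                if int(tcp["seq"]) + 1 in synack_acks[(src, dst)]:  # SYN-ACK already seen
                    tcp_findings[f"{src} -> {dst}"] += 1
            continue
        q = _DNS_Q.match(rest)
        if q:
            key = (src, dst, int(q["id"]))
            if key in answered:
                dns_findings[f"{src} -> {dst} id {key[2]}"] += 1
            continue
        r = _DNS_R.match(rest)
        if r:
            answered.add((dst, src, int(r["id"])))
    return {"tcp_synack_not_delivered": dict(tcp_findings),
            "dns_reply_not_delivered": dict(dns_findings)}


# Constructed sample capture modelled on the posted one (addresses are documentation
# ranges, not real hosts).  The first two flows show the failure, the last two are healthy.
SAMPLE = """\
11:39:45.666630 IP 192.0.2.10.64452 > 8.8.8.8.domain: 10794+ A? www.google.com. (32)
11:39:45.694045 IP 8.8.8.8.domain > 192.0.2.10.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177 (132)
11:39:50.667799 IP 192.0.2.10.64452 > 8.8.8.8.domain: 10794+ A? www.google.com. (32)
11:39:50.687083 IP 8.8.8.8.domain > 192.0.2.10.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177 (132)
11:39:55.668783 IP 192.0.2.10.64452 > 8.8.8.8.domain: 10794+ A? www.google.com. (32)
11:41:52.176904 IP 173.194.35.177.http > 192.0.2.10.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0
11:41:54.088585 IP 192.0.2.10.56936 > 173.194.35.177.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8596173 ecr 0], length 0
11:41:54.098838 IP 173.194.35.177.http > 192.0.2.10.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0
11:41:57.288596 IP 192.0.2.10.56936 > 173.194.35.177.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8599373 ecr 0], length 0
# healthy handshake and lookup for contrast
11:42:10.000000 IP 192.0.2.10.50000 > 198.51.100.5.http: Flags [S], seq 100, win 65535, options [mss 1460], length 0
11:42:10.010000 IP 198.51.100.5.http > 192.0.2.10.50000: Flags [S.], seq 900, ack 101, win 14180, options [mss 1430], length 0
11:42:10.011000 IP 192.0.2.10.50000 > 198.51.100.5.http: Flags [.], ack 901, win 1024, length 0
11:42:11.000000 IP 192.0.2.10.60000 > 8.8.8.8.domain: 4242+ A? example.invalid. (33)
11:42:11.020000 IP 8.8.8.8.domain > 192.0.2.10.60000: 4242 1/0/0 A 192.0.2.80 (49)
"""

if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE.splitlines()).items():
        print(kind, findings or "none")
```

Feed it a real capture with `tcpdump -l -i fxp0 | python3 script.py` adapted to read stdin, or save the capture to a file first; a non-zero count for a flow whose replies you can see on the public interface, together with nothing arriving for that flow on lo1, localises the drop to the host's path between the two interfaces rather than to the remote side or to DNS configuration inside the jail.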