From: Yoann Gini
To: Boris Samorodov
Cc: freebsd-jail@freebsd.org
Subject: Re: IPv4 addresses clash / jails not working after reboot…
Date: Thu, 7 Mar 2013 13:29:44 +0100
In-Reply-To: <513864D5.1070900@passap.ru>
References: <55865.68.255.104.38.1362619385.squirrel@cosmo.uchicago.edu> <6C130E1F-6CDC-4328-A300-5B483B8B4940@gmail.com> <513864D5.1070900@passap.ru>

On 7 March 2013 at 10:58, Boris Samorodov wrote:

> 07.03.2013 12:48, Yoann Gini writes:
>
>> I need to share this IP, I've only one and I would like to avoid playing with NAT…
>
> One IP may be shared but for different services (ports).

That's what I've understood and what I've planned.

>> If someone has an idea…
>
> Give some more information:
> 1. OS version, OS arch.

FreeBSD srv0.public.example.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec 4 09:23:10 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.

What do you want from /etc? Except for the fstab, I don't see any config there. The fstab looks like this:

/home/jails/basejail /home/jails/front0.public.example.com/basejail nullfs ro 0 0
/usr/ports /home/jails/front0.public.example.com/usr/ports nullfs ro 0 0

And here is the ezjail config:

export jail_front0_public_example_com_hostname="front0.public.example.com"
export jail_front0_public_example_com_ip="IPv6Prefix::80,SharedIPv4,10.42.0.2"
export jail_front0_public_example_com_rootdir="/home/jails/front0.public.example.com"
export jail_front0_public_example_com_exec_start="/bin/sh /etc/rc"
export jail_front0_public_example_com_exec_stop=""
export jail_front0_public_example_com_mount_enable="YES"
export jail_front0_public_example_com_devfs_enable="YES"
export jail_front0_public_example_com_devfs_ruleset="devfsrules_jail"
export jail_front0_public_example_com_procfs_enable="YES"
export jail_front0_public_example_com_fdescfs_enable="YES"
export jail_front0_public_example_com_image=""
export jail_front0_public_example_com_imagetype=""
export jail_front0_public_example_com_attachparams=""
export jail_front0_public_example_com_attachblocking=""
export jail_front0_public_example_com_forceblocking=""
export jail_front0_public_example_com_zfs_datasets=""
export jail_front0_public_example_com_cpuset=""
export jail_front0_public_example_com_fib=""

> 3. What do you want to achieve.

I want a setup with:

— srv0 listening only for SSH on an alternate port for supervision on public IPv4/6;
— front0 to handle any public services (web, DNS, e-mail) on public IPv4/6;
— service0 to handle internal services (git, redmine, AFP sharepoints…) on a private IP and SSH on another alternate port on public IPv4/6;
— gateway0 to act as a VPN server and web proxy to secure access to the private services on service0, and to act as a secure gateway to encrypt network traffic for road warriors on public networks.

In the end, I will dispatch those services on different servers, but for now I only have access to one system, so I would like to prepare the setup to be dispatched on different hardware when the budget comes.

Actually, if I remove the SharedIPv4 from the jails, it works.

I've investigated more in the open socket area and I think the problem comes from Apache, which still listens on *:* even though I've set a Listen directive…
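The poster suspects a daemon bound to the wildcard address (`*:port`) is what breaks sharing one IPv4 address between the host and the jails. The check below is an added example, not part of the original thread or of ezjail: it filters `sockstat -4 -l` output down to the sockets bound to `*:<port>`, which are the ones that will collide with a jail that shares the host's IPv4 address. The sample `sockstat` output is constructed to mimic the real column layout; the daemon names, PIDs, ports and the address 203.0.113.10 (RFC 5737 documentation range) are assumptions, and `wildcard_listeners` is a helper name I made up.

```shell
#!/bin/sh
# Added example (not from the original thread): list host sockets bound to
# the IPv4 wildcard address. On a live FreeBSD host the input comes from
#     sockstat -4 -l | wildcard_listeners
# Columns of sockstat output: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# CONSTRUCTED sample in sockstat -4 -l format (assumed daemons, PIDs, ports, IP).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  4  tcp4   *:80                  *:*
www      httpd      1234  5  tcp4   *:443                 *:*
root     sshd       800   3  tcp4   203.0.113.10:2222     *:*
bind     named      650   20 udp4   203.0.113.10:53       *:*
root     syslogd    500   6  udp4   *:514                 *:*'

# wildcard_listeners: read sockstat -4 -l output on stdin and print
# "COMMAND PID PROTO PORT" for every socket whose local address is *:<port>.
# Field 6 is the local address because the header's two-word column names
# are only on line 1, which is skipped.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, $3, $5, a[2] }'
}

# wildcard_count: number of wildcard-bound sockets in the sample.
wildcard_count() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners | wc -l | tr -d ' '
}

# wildcard_commands: distinct daemons holding a wildcard socket, sorted,
# space-separated (for the sample: "httpd syslogd").
wildcard_commands() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners \
        | awk '{ print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```

In the sample, `sshd` and `named` are bound to one explicit address and drop out; `httpd` and `syslogd` remain. For Apache, a bare `Listen 80` binds the wildcard address; `Listen 203.0.113.10:80` (one line per address) is the form that binds only the intended address. Run the same filter inside each jail (`jexec <jid> sockstat -4 -l`) to see what the jailed daemons actually end up bound to.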