From: Alan Somers
Date: Wed, 5 Oct 2016 08:53:44 -0600
Subject: Re: jails in CURRENT: can not reach hosts on same network
To: "O. Hartmann"
Cc: freebsd-current
In-Reply-To: <20161005134446.7af8126c@freyja.zeit4.iv.bundesimmobilien.de>
List-Id: Discussions about the use of FreeBSD-current

On Wed, Oct 5, 2016 at 5:44 AM, O. Hartmann wrote:
> Hello list.
>
> I struggle with setting up jails on most recent CURRENT.
>
> The machine containing the jails has two NICs (bce0 and bce1). The host itself
> is supposed to own NIC bce0 exclusively - meaning the services running on that
> NIC - syslogd, named and others - are bound to that NIC and should not be
> shared with bce1 or jails bound to bce1.
>
> I followed the instructions given in the most recent version of the handbook
> for setting up a jail. So far, so good. The NIC bce1 (the second one) is "aliased"
> with IPs from the local network. Forwarding is disabled
> (net.inet.ip.forwarding: 0).
>
> Setup of each jail is straightforward, with "ip4.addr=" set to the specific IP
> and interface="bce1".
>
> Within a jail, I cannot reach an IP on the same network, not even the gateway,
> by pinging or doing name resolution using the DNS server on the local net! The
> curious thing is, by setting "nameserver 8.8.8.8" in /etc/resolv.conf, I can
> ping "outer world systems" and perform name resolution as well - this
> implies that the IP packets are delegated to the local gateway and then further
> to Google's DNS. But pinging the local gateway directly (192.168.0.1)
> seems to be prohibited, as is pinging or reaching any other IP on the net,
> including the bce0 of the same host (via default gateway?) or any other aliased
> IP.
>
> Since I'm new to jails and the complicated handling of networks, I miss
> something here which is probably not well documented. I found some notes on the
> forum about setfib, FIB, but I lack the correct manpage to read more about
> this concept, its meaning for a jail and its probable impact in my situation.
>
> Following the suggestion of setting
>
> net.add_addr_allfibs=0
>
> in /boot/loader.conf seems to be senseless - after a reboot this OID is always
> set back to 1 (net.add_addr_allfibs=1).
>
> Maybe someone has an idea what's wrong in principle with my attempts.
>
> Thanks in advance for your patience,
>
> Oliver

Firstly, ping doesn't work in a jail, because jailed processes aren't allowed to open raw sockets. To lift that restriction, you can do "sysctl security.jail.allow_raw_sockets". Depending on what your security environment is like, you may or may not want to leave that set permanently. You can also control it on a per-jail basis. If you're using iocage to manage your jails, just do "iocage set allow_raw_sockets=1 ". If that doesn't work, then post the output of "ifconfig". You shouldn't need to screw with fibs unless your jails need to use a different gateway than the host.

-Alan
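Added example, not part of either message above: a POSIX sh/awk audit that reports, for every jail in a jail.conf, its ip4.addr, its interface and whether the per-jail allow.raw_sockets parameter (the jail.conf counterpart of the host-wide sysctl Alan mentions) is enabled. Run against a real /etc/jail.conf it shows which jails may open raw sockets and which interface each is bound to, so the result can be compared with the host's ifconfig output. The jail.conf text below is constructed for the demonstration; the jail names, addresses and interfaces are assumptions, not Oliver's configuration.

```shell
#!/bin/sh
# Constructed sample jail.conf (not from the thread). Top-level parameters are
# jail.conf defaults; each jail block may override them.
SAMPLE_JAIL_CONF='
exec.start = "/bin/sh /etc/rc";
exec.clean;
path = "/usr/jails/$name";
interface = "bce1";

www {
    ip4.addr = "192.168.0.10";
}

dns {
    ip4.addr = "192.168.0.11";
    allow.raw_sockets;          # same as allow.raw_sockets = 1
}

mon {
    ip4.addr = "192.168.0.12";
    interface = "bce0";         # overrides the global interface
    allow.raw_sockets = 0;
}
'

# jail_net_report CONFTEXT
# Prints one line per jail: "<name> <ip4.addr> <interface> <raw_sockets 0|1>".
# Simplifications: only "#" comments are understood, jail names must start a
# line, and global defaults must precede the jail blocks that inherit them.
jail_net_report() {
    printf '%s\n' "$1" | awk '
        BEGIN { g_raw = 0 }
        function val(line,   v) {         # value after "=", quotes and ";" removed
            v = line
            sub(/^[^=]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]*;.*/, "", v)
            gsub(/"/, "", v)
            return v
        }
        function rawflag(line) {          # "allow.raw_sockets;" or "= 1" -> 1, "= 0" -> 0
            return (line ~ /allow\.raw_sockets[[:space:]]*=[[:space:]]*0/) ? 0 : 1
        }
        { sub(/[[:space:]]*#.*/, "")      # strip "#" comments
          if ($0 ~ /^[[:space:]]*$/) next }
        /^[[:alnum:]_.-]+[[:space:]]*[{]/ {   # start of a jail block: inherit globals
            name = $1; sub(/[[:space:]]*[{].*/, "", name)
            n++; names[n] = name
            ip[n] = g_ip; iface[n] = g_iface; raw[n] = g_raw
            next
        }
        /^[}]/ { name = ""; next }        # end of a jail block
        /ip4\.addr/              { if (name) ip[n] = val($0);        else g_ip = val($0) }
        /^[[:space:]]*interface/ { if (name) iface[n] = val($0);     else g_iface = val($0) }
        /allow\.raw_sockets/     { if (name) raw[n] = rawflag($0);   else g_raw = rawflag($0) }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %s %s %d\n", names[i], ip[i], iface[i], raw[i]
        }
    '
}

# Usage: jail_net_report "$(cat /etc/jail.conf)" on a real host.
jail_net_report "$SAMPLE_JAIL_CONF"
```

For the sample above the report is three lines: www and mon keep raw sockets disabled, dns enables them; mon is the only jail bound to bce0. The host-wide default is still governed by the security.jail.allow_raw_sockets sysctl from Alan's reply, so a jail that is absent from this report (for example one created by iocage rather than jail.conf) has to be checked through its own tooling.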