From: Jim Prewett
To: Robert Watson
cc: freebsd-stable@freebsd.org
Subject: Re: jail issue
Date: Sat, 14 Feb 2004 14:32:25 -0700 (MST)

One more thing to add:

This apparently started happening around 12.02.2004 01:38 CET; I must have
cvsup'd and reinstalled the world not too long before that.

Jim

On Fri, 13 Feb 2004, Jim Prewett wrote:

> Hi Robert,
>
> I've been using jails (very happily) for quite some time and have *never*
> had a problem like this. I really don't have a clue what to look for :)
>
> I'm getting complaints from fellow keyserver ops as my IP seems to
> sometimes be the jail and sometimes the host, so some of my packets get
> rejected as that IP has not been configured (by the remote host) to be a
> peer. (how strange is that?!)
>
> Here is an email I received. I cvsup'd this morning, rebuilt everything,
> and did a final clean reboot before starting up the pgp jail. I received
> this email from one of my peer sites (the timestamps confirm this was
> after starting the jail after rebuilding):
>
> To: download@hpc.unm.edu
> Subject: PGP/nox again
>
> 2004-02-13 10:52:01 Enabling gossip
> 2004-02-13 10:52:02 Reconciliation attempt from unauthorized host
> <129.24.244.72:2040>. Ignoring
>
> the host (nox) is 129.24.244.72, the jail (pgp) is 129.24.244.40.
>
> On Fri, 13 Feb 2004, Robert Watson wrote:
>
> > On Fri, 13 Feb 2004, Jim Prewett wrote:
> >
> > > I run a PGP key server (SKS 1.0.6) inside of a jail. However, my key
> > > server seems to be getting confused as to its IP address and is sending
> > > packets as the host environment (not as the jail environment).
> >
> > Could you show the output of sockstat as run in the host environment?
> > Likewise, the output of ps ax. I'd like to see what the socket is bound
> > to, as the theory goes that jail modifies the bind requests from the
> > process to set them to the IP in the jail. Either we have a bug in socket
> > handling, or the process isn't running in the jail.
>
> I'm really afraid I may have inadvertently found a bug! It is definitely
> in the jail environment (I've included the ps output below). The SKS
> daemons definitely answer on the jail environment IP (I've included the
> output of nmap against both the host and the jail below)!
>
> here are the sockets related to the sks process:
>
> nox# sockstat | grep sks
> root     sks        276   5  tcp4   129.24.244.40:11371   *:*
> root     sks        271   4  tcp4   129.24.244.40:11370   *:*
> root     sks        276   6  stream ./db_com_sock
> root     sks        271   5  stream ./recon_com_sock
>
> and sks processes:
>
> nox# ps ax | grep sks
>  5804  p2  S+     0:00.00 grep sks
>   271 con- S+J    0:03.29 sks recon
>   276 con- S+J    0:11.50 sks db
>
> nmap of host (nox) and jail (pgp):
>
> nox# nmap nox pgp -p 11370-11371
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-13 21:21 MST
> Interesting ports on nox.hpc.unm.edu (129.24.244.72):
> PORT      STATE  SERVICE
> 11370/tcp closed unknown
> 11371/tcp closed pksd
>
> Interesting ports on pgp.hpc.unm.edu (129.24.244.40):
> PORT      STATE  SERVICE
> 11370/tcp open   unknown
> 11371/tcp open   pksd
>
> Nmap run completed -- 2 IP addresses (2 hosts up) scanned in 0.339 seconds
>
> ifconfig from the host:
>
> nox# ifconfig -a
> fxp0: flags=8943 mtu 1500
>         inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
>         inet6 fe80::2d0:b7ff:fe7f:f678%fxp0 prefixlen 64 scopeid 0x1
>         ether 00:d0:b7:7f:f6:78
>         media: Ethernet autoselect (none)
>         status: no carrier
> vr0: flags=8843 mtu 1500
>         inet 129.24.244.72 netmask 0xfffffc00 broadcast 129.24.247.255
>         inet6 fe80::210:dcff:fedf:1a01%vr0 prefixlen 64 scopeid 0x2
>         inet 129.24.244.40 netmask 0xffffffff broadcast 129.24.244.40
>         ether 00:10:dc:df:1a:01
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lp0: flags=8810 mtu 1500
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
> faith0: flags=8002 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
>         inet 127.0.0.1 netmask 0xff000000
>
> ifconfig from the jail:
>
> pgp# ifconfig -a
> fxp0: flags=8943 mtu 1500
>         ether 00:d0:b7:7f:f6:78
>         media: Ethernet autoselect (none)
>         status: no carrier
> vr0: flags=8843 mtu 1500
>         inet 129.24.244.40 netmask 0xffffffff broadcast 129.24.244.40
>         ether 00:10:dc:df:1a:01
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lp0: flags=8810 mtu 1500
> ppp0: flags=8010 mtu 1500
> sl0: flags=c010 mtu 552
> faith0: flags=8002 mtu 1500
> lo0: flags=8049 mtu 16384
>
> If there is anything else that I can provide, please let me know. I'm
> *very* interested in resolving this.
>
> Thanks,
> Jim
>
> --
> James Prewett                       OpenPGP key: pub 1024D/31816D93
> Systems Team Leader                 Designated Security Officer
> HPC Systems Engineer III @ HPC@UNM  --  download@hpc.unm.edu  Jim@Prewett.org
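As a defender's check for the symptom described in this thread (a jailed process whose socket carries the host's address instead of the jail's), here is an added example that is not part of the thread or of FreeBSD: a shell function that compares sockstat output against the jail IP for the jailed PIDs. The sockstat sample is constructed from the figures above plus one hypothetical connected socket (PID 271, local address 129.24.244.72:2040) standing in for the misbound connection the peer site reported.

```shell
#!/bin/sh
# Added check (not from the thread): flag sockets owned by jailed processes
# whose local address is not the jail's IP. The sockstat text below is
# constructed: the thread's listening sockets plus one hypothetical
# connected socket (PID 271 using the host address) to exercise the check.

JAIL_IP="129.24.244.40"
JAILED_PIDS="271 276"   # live: ps -axo pid,stat | awk '$2 ~ /J/ {print $1}'

SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sks        276   5  tcp4   129.24.244.40:11371   *:*
root     sks        271   4  tcp4   129.24.244.40:11370   *:*
root     sks        271   7  tcp4   129.24.244.72:2040    129.24.245.10:11370
root     sks        276   6  stream ./db_com_sock
root     sshd       400   3  tcp4   *:22                  *:*'

# check_jail_bindings JAIL_IP "PID ..." SOCKSTAT_TEXT
# Prints one line per offending socket; returns 1 if any, 0 if all clean.
check_jail_bindings() {
    printf '%s\n' "$3" | awk -v ip="$1" -v pids="$2" '
        BEGIN { n = split(pids, a, " "); for (i = 1; i <= n; i++) jailed[a[i]] = 1 }
        $1 == "USER" { next }                     # skip the sockstat header
        ($3 in jailed) && $5 ~ /^(tcp|udp)/ {
            laddr = $6
            sub(/:[^:]*$/, "", laddr)             # strip :port (IPv6-safe)
            if (laddr != ip) {
                printf "PID %s (%s) fd %s bound to %s, expected %s\n", $3, $2, $4, $6, ip
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run against the constructed sample (reports the PID 271 socket).
check_jail_bindings "$JAIL_IP" "$JAILED_PIDS" "$SOCKSTAT_SAMPLE" \
    && echo "all jailed sockets bound to $JAIL_IP"
```

On a live host, feed it `"$(sockstat -4)"` from the host environment and the J-flagged PIDs from `ps`; a wildcard (`*`) local address on a jailed PID is reported too, since the thread's expectation is that bind() inside the jail is rewritten to the jail IP.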