From: Harald Schmalzbauer <h@schmalzbauer.de>
To: freebsd-questions@freebsd.org, chris@hddesign.com
Date: Fri, 5 Mar 2004 07:57:51 +0100
Subject: Re: Jail setup
In-Reply-To: <1078443115.662.61.camel@zim.hddesign.com>
Message-Id: <200403050757.56345.h@schmalzbauer.de>
List-Id: User questions (freebsd-questions@freebsd.org)
On Friday, 5 March 2004 00:31, Chris Meyers wrote:
> I need to set up a new mail server at a different building, so I thought
> I would put sendmail and its services (virus scanning etc.) in a jail to
> be a bit more secure. I thought that before I do this for real I would
> try setting up a jail on a test server and see if I can ssh to it and
> generally get things to work. I can't.
>
> Here's what I have set up so far. I found a couple of how-tos and I am
> following them; one is an ONLamp article
> (http://www.onlamp.com/pub/a/bsd/2003/09/04/jails.html), and the other
> is the jails section of the AbsoluteBSD book. I am running 5.1.
>
> On the server I set up a /usr/jail directory to put the jail into. Then
> I ran the following from /usr/src/:
>
> # make world DESTDIR=/usr/jail
> # cd etc
> # make distribution DESTDIR=/usr/jail
> # cd /usr/jail/dev
> # sh MAKEDEV jail
>
> This is where I had my first problem: MAKEDEV doesn't exist. At first I
> was a bit concerned about this, then I remembered that in 5.0 and above
> MAKEDEV isn't necessary, it is handled by the kernel (if that isn't
> right someone please tell me). I didn't worry about this.
>
> Next I ran:
> # cd ../
> # ln -sf /dev/null kernel
>
> Then I started my jail:
> # jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh
>
> Things seem to be fine. I can see the jailed environment and everything
> looks fine. I log out and then try to set up the last configurations so I
> can ssh in and run sendmail. In the non-jail /etc/rc.conf I added the
> following lines:
>
> ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"

This is wrong. The jail can only have one IP, so the netmask has to be 0xffffffff
(255.255.255.255). Do you have something like this on the host?

ifconfig_fxp0="inet 10.0.0.202 netmask 0xffffff00"        # host
ifconfig_fxp0_alias0="inet 10.0.0.203 netmask 0xffffffff" # jail 1

> sendmail_enable="NONE"
> inetd_flags="-wW -a 10.0.0.202"
>
> I also added ListenAddress 10.0.0.202 to /etc/ssh/sshd_config.
>
> In the jail's /etc/rc.conf (i.e. /usr/jail/etc/rc.conf) I added:
>
> portmap_enable="NO"
> ifconfig_fxp0="inet 10.0.0.203 netmask 255.255.255.0"
> sendmail_enable="YES"
> sshd_enable="YES"
>
> and added ListenAddress 10.0.0.203 to /usr/jail/etc/ssh/sshd_config

This isn't necessary, since the jail has only that one IP.
It's important that the host is limited to one address, like you wrote a few
lines above! Change the IP like I wrote above and everything should be fine.

-Harry

> I then rebooted to shut all services down. When the system was back up
> and running I ran the commands to mount and start the jail:
>
> # mount -t procfs proc /usr/jail/proc
> # jail /usr/jail jail.myhost.com 10.0.0.203 /bin/sh /etc/rc
>
> Things seem to "boot" fine until it gets to sendmail; it seems to hang
> there (sshd starts fine though). Eventually sendmail times out and I get
> a prompt. I figure my jail is running (minus sendmail, which I don't care
> about at the moment), and a ps -ax|grep J shows a few jailed processes
> running, including sshd. From another system I try:
> % ssh 10.0.0.203
> and I get nothing. I can ping 10.0.0.203 just fine (as well as
> 10.0.0.202). A sockstat -4 shows:
> root sshd 3041 3 tcp4 10.0.0.203:22 *:*
> root syslogd 2908 4 udp4 10.0.0.203:514 *:*
> root sshd 2650 3 tcp4 10.0.0.202:22 *:*
>
> so it seems like sshd is listening on 10.0.0.202 and 203. I can ssh to
> 202 without problem, I just can't get into the jail.
>
> Can anybody tell me where I screwed up, or other things to look for. Any
> help would be appreciated.
>
> Thanks,
> Chris
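As an added example that is not part of this thread (neither Harry's nor Chris's code), the POSIX sh script below generates the host-side rc.conf fragment Harry describes and lints the two places the thread points at: an rc.conf whose jail alias is not a /32, and a sockstat -4 listing in which a host daemon is still bound to the wildcard address instead of the host IP. The interface fxp0 and the addresses 10.0.0.202/10.0.0.203 come from the thread; the function names, the temporary file names, and the sample sockstat line showing a host sendmail on *:25 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Emits the host
# rc.conf lines the reply recommends and checks an rc.conf and a
# `sockstat -4` listing for the two mistakes discussed above.
# fxp0 and 10.0.0.202/203 are from the thread; function names, file
# names and the sendmail *:25 sample line are assumptions.

# Print the host rc.conf lines: host address on its real netmask, the
# jail address as a /32 alias, sendmail off on the host, inetd bound to
# the host address only. sshd is pinned via ListenAddress in sshd_config.
jail_rcconf() {
    ifn=$1; host_ip=$2; host_mask=$3; jail_ip=$4
    printf 'ifconfig_%s="inet %s netmask %s"\n' "$ifn" "$host_ip" "$host_mask"
    printf 'ifconfig_%s_alias0="inet %s netmask 0xffffffff"\n' "$ifn" "$jail_ip"
    printf 'sendmail_enable="NONE"\n'
    printf 'inetd_flags="-wW -a %s"\n' "$host_ip"
}

# Return 0 if every ifconfig_*_alias* line in the file uses a /32 mask
# (hex or dotted), else print each offending line and return 1.
check_alias_masks() {
    rc=0
    while IFS= read -r line; do
        case $line in
            ifconfig_*_alias*=*)
                case $line in
                    *"netmask 0xffffffff"*|*"netmask 255.255.255.255"*) ;;
                    *) echo "bad alias mask: $line"; rc=1 ;;
                esac ;;
        esac
    done < "$1"
    return $rc
}

# Return 0 if no tcp4/udp4 socket in a `sockstat -4` listing is bound to
# the wildcard local address (*:port); otherwise report it and return 1.
# Such a daemon has not been limited to the host address as advised.
check_wildcard_listeners() {
    rc=0
    while read -r user cmd pid fd proto laddr faddr; do
        case $proto in tcp4|udp4) ;; *) continue ;; esac   # skips header
        case $laddr in
            \*:*) echo "wildcard listener: $cmd (pid $pid) on $laddr"; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample inputs, left in $tmp for inspection.
tmp=$(mktemp -d)

# The original poster's host rc.conf lines (alias mask is /24, wrong).
cat > "$tmp/rc.conf.bad" <<'EOF'
ifconfig_fxp0="inet 10.0.0.202 netmask 0xffffff00"
ifconfig_fxp0_alias0="10.0.0.203 netmask 255.255.255.0"
sendmail_enable="NONE"
inetd_flags="-wW -a 10.0.0.202"
EOF

# The corrected fragment, generated.
jail_rcconf fxp0 10.0.0.202 0xffffff00 10.0.0.203 > "$tmp/rc.conf.good"

# The poster's sockstat output plus one assumed host daemon on *:25.
cat > "$tmp/sockstat.txt" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       3041  3  tcp4   10.0.0.203:22         *:*
root     syslogd    2908  4  udp4   10.0.0.203:514        *:*
root     sshd       2650  3  tcp4   10.0.0.202:22         *:*
root     sendmail   2701  4  tcp4   *:25                  *:*
EOF
grep -v '^root *sendmail' "$tmp/sockstat.txt" > "$tmp/sockstat.clean"

check_alias_masks "$tmp/rc.conf.bad"  || echo "fix the alias mask before starting the jail"
check_alias_masks "$tmp/rc.conf.good" && echo "generated rc.conf aliases OK"
check_wildcard_listeners "$tmp/sockstat.txt"  || echo "pin that daemon to the host address"
check_wildcard_listeners "$tmp/sockstat.clean" && echo "no wildcard listeners on the host"
```

Run check_alias_masks against /etc/rc.conf before starting the jail and check_wildcard_listeners against `sockstat -4` output once the host is up; the jail's own sshd needs no ListenAddress, as Harry notes, because the jail has only its one address to bind to.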