From owner-freebsd-questions@FreeBSD.ORG Sat Feb 24 13:05:51 2007
From: "Jim Stapleton" <stapleton.41@gmail.com>
To: freebsd-questions@freebsd.org
Date: Sat, 24 Feb 2007 13:05:49 +0000
Subject: Re: problems with jail
Message-ID: <80f4f2b20702240505o6c7f1e36r87389f645bc86238@mail.gmail.com>
In-Reply-To: <20070224055350.GA2587@idoru.cepheid.org>
References: <80f4f2b20702231107p1cf7f4f3n5896aa7e8ef0ecaf@mail.gmail.com>
 <200702240408.40222.h.schmalzbauer@omnisec.de>
 <80f4f2b20702231921x603c759g9b143b24edfaa7d5@mail.gmail.com>
 <200702240430.09674.h.schmalzbauer@omnisec.de>
 <80f4f2b20702231936m9725099v6e638685273630f0@mail.gmail.com>
 <80f4f2b20702231943j3fea9f4fxb3919898ad4dfc21@mail.gmail.com>
 <20070224055350.GA2587@idoru.cepheid.org>
List-Id: User questions

OK, I managed to get it so something else wasn't grabbing *.*, dunno what
made that happen.

What you said made me think "Hey, there was something in the man pages
about starting services", I figured I ought to test that out. So I did:

Pre-Jail process/netstat:

root@elrond 07:52:14 (0) /usr/ports > ps -A | grep syslog
 2952  ??  Ss     0:00.08 /usr/sbin/syslogd -b 192.168.1.84
root@elrond 07:52:17 (0) /usr/ports > ps -A | grep send
 5489  p2  S+     0:00.00 grep send
root@elrond 07:52:25 (0) /usr/ports > ps -A | grep name
root@elrond 07:52:29 (0) /usr/ports > ps -A | grep inet
root@elrond 07:52:31 (0) /usr/ports > ps -A | grep ssh
 2474  ??  Is     0:00.01 /usr/sbin/sshd
 5498  p2  R+     0:00.00 grep ssh

sjss@elrond 07:51:08 (0) ~ > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.84.53971     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.84.syslog    *.*

starting jail

root@elrond 07:52:50 (0) /usr/ports > jail /jail/ legolas@ameritech.net 192.168.1.85 /bin/sh /etc/rc
Loading configuration files.
legolas@ameritech.net
Setting hostname: legolas@ameritech.net.
Creating and/or trimming log files:.
ln: /dev/log: Operation not permitted
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Clearing /tmp (X related).
Starting local daemons:.
Updating motd.
Starting sshd.
Starting cron.
Local package initialization:.
Sat Feb 24 07:54:40 UTC 2007

Jailed port/binding list:

sjss@elrond 07:54:05 (0) ~ > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.85.smtp      *.*                    LISTEN
tcp4       0      0  192.168.1.85.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.58735     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.85.syslog    *.*
udp4       0      0  192.168.1.84.syslog    *.*

Issue not confused, but it did give me some "try this" tests.
Unfortunately I still can't connect to anything outside of the jail, not
even to the host. SSHing into the jail does not work, into the host does.

root@elrond 07:54:40 (0) /usr/ports > jail /jail/ legolas 92.168.1.85 /bin/csh
%ssh -x 192.168.1.84
^C

And as a last test I should have thought of before:

root@elrond 07:59:13 (0) /usr/ports > sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
root@elrond 07:59:26 (0) /usr/ports > jail /jail/ legolas 92.168.1.85 /bin/csh
%ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
^C
--- 127.0.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
%ifconfig
nve0: flags=8843 mtu 1500
        ether 00:13:d4:2e:2f:62
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384

oh, and for testing purposes, I unhid everything in /jail/dev

root@elrond 08:04:20 (0) /usr/ports > devfs rule -s 666 show
100 path acd* hide
200 path ad10* hide
300 path audio* hide
400 path dsp* hide
500 path apm* hide
600 path dev* hide
700 path geom* hide
800 path kmem* hide
900 path mem* hide
1000 path nfs* hide
1100 path pci* hide
1200 path nvidia* hide
1300 path snd* hide
1400 path sysmouse* hide
1500 path ukbd0* hide
1600 path usb* hide
1700 path ums* hide
1800 path net* mode 755
1900 path ata* hide
2000 path atkbd* hide
2100 path kbd* hide
2200 path fd* hide
2300 path fid* hide
2400 path net* mode 777
2500 path show
2600 path * unhide

Still no luck. Thanks everyone for all the help, hopefully this is enough
information to indicate the problem.

-Jim Stapleton

> sockstat (referenced at the end of the netstat man page) will show you
> process names/ports.
>
> To get any given service to work inside the jail, that IP:Port must
> not be bound anywhere else, but it must be bound within the jail.
> That is, you need an sshd listening on the host machine port 22, and
> a separate sshd listening on the jail port 22.
> The same applies for every service you want to run in both machines.
>
> This can get confusing, too. It's generally best to always explicitly
> limit services by IP on the host, even if you have no intention of
> running the same service in a jail. This will prevent
> confusion--imagine that you are wanting to run a webserver on the
> host, but not the jail (for some weird reason). If apache is
> listening on all IPs that the host has, it will be listening on the
> jail IP, using the host filesystem.
>
> Hope that didn't confuse the issue or anything.
>
>
> On Sat, Feb 24, 2007 at 03:43:58AM +0000, Jim Stapleton wrote:
> > addendum, I fixed syslogd by adding this to my rc.conf:
> > syslogd_flags="-b 192.168.1.84"
> >
> > However, looking through netstat's man page, I couldn't find the name
> > of the flag (if it exists) that will show the process name. Does that
> > require a different tool?
> >
> > Thank you,
> > -Jim Stapleton
> >
> >
> > On 2/24/07, Jim Stapleton wrote:
> > >OK, I have a fairly sizeable list, but it looks like most stuff is
> > >bound to 192.168.1.84 except two things, one is closed, and the other
> > >is syslog (guess I have to look at its man page). It also looks like
> > >there is something else there. I guess I'll be looking at the netstat
> > >man page to figure out how to get the name of the daemon touching it:
> > >
> > > > netstat -f inet -a; netstat -f inet6 -a
> > >Active Internet connections (including servers)
> > >Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> > >tcp4       0      0  192.168.1.84.57256     ar-in-f18.google.http  ESTABLISHED
> > >tcp4       0      0  192.168.1.84.62237     caim-m05b.blue.a.aol   TIME_WAIT
> > >tcp4       0      0  192.168.1.84.58627     oam-d17a.blue.ao.aol   TIME_WAIT
> > >tcp4       0      0  192.168.1.84.64265     205.188.7.124.aol      TIME_WAIT
> > >tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
> > >tcp4       0      0  *.*                    *.*                    CLOSED
> > >tcp4       0      0  192.168.1.84.61774     ar-in-f19.google.http  ESTABLISHED
> > >tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
> > >udp4       0      0  *.syslog               *.*
> > >Active Internet connections (including servers)
> > >Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> > >udp6       0      0  *.syslog               *.*
> > >
> > >
> > >
> > >On 2/24/07, Harald Schmalzbauer wrote:
> > >> On Saturday, 24 February 2007 04:21, Jim Stapleton wrote:
> > >> > I did the ssh after you did the previous mail, but it didn't fix the
> > >> > problem.
> > >> >
> > >> > I'm not having problems with sendmail or named, they were simply mentioned
> > >> > in the man page. I never had named running, and I didn't realize
> > >> > sendmail was running. The latter was my problem with sendmail. That
> > >> > problem as I said is fixed. Beyond that I don't even know which
> > >> > processes on my system are daemons at this point, except usbd and devd,
> > >> > neither of which (to my knowledge) should be listening to any sockets.
> > >> > Actually there are a couple of kernel processes (pagedaemon, vmdaemon,
> > >> > and bufdaemon), but I don't know where to find documentation on them,
> > >> > X, and KDM. I can't find anything on limiting sockets of these to a
> > >> > specific IP only.
> > >>
> > >> To see what daemons are listening you can use 'netstat -f inet -a'. Then
> > >> you see if you have to limit some other daemons (use -f inet6 for IPv6 if
> > >> configured).
> > >>
> > >> Please post the output of the command above to see why you get ssh
> > >> connections to your jail IP answered by the host's ssh daemon.
> > >>
> > >> -Harry
> > >>
> > >> --
> > >> OmniSEC - UNIX and Windows networks - secure
> > >> Harald Schmalzbauer
> > >> Flintsbacher Str. 3
> > >> 80686 München
> > >> +49 (0) 89 18947781
> > >> +49 (0) 160 93860101
> > >>
> > >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
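The check the replies describe (a host daemon bound to *.* answers on every address the host owns, the jail's IP included, so each service the jail needs must be bound to a specific host IP and then bound again inside the jail) can be scripted against the same `netstat -f inet -a` output the thread is working from. The script below is an added example written for this page, not code from the thread or from FreeBSD; its netstat sample is constructed, modelled on the output quoted above (the `*.http` listener is invented to show the wildcard TCP case), and the function names `wildcard_listeners` and `can_jail_bind` are this example's own. Port names (`ssh`, `syslog`) are as netstat prints them without `-n`; pass numbers instead if you run `netstat -an`.

```shell
#!/bin/sh
# Added example: audit netstat -f inet -a output for host services that would
# also answer on a jail's IP, and test whether a jail could bind a given port.

# Constructed sample, modelled on the netstat output quoted in the thread.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  *.*                    *.*                    CLOSED
tcp4       0      0  *.http                 *.*                    LISTEN
tcp4       0      0  192.168.1.84.57256     ar-in-f18.google.http  ESTABLISHED
udp4       0      0  *.syslog               *.*
udp4       0      0  192.168.1.85.syslog    *.*'

# wildcard_listeners: read netstat output on stdin and print "proto local-address"
# for every socket bound to the wildcard address that is actually accepting
# traffic (TCP sockets in LISTEN, or any UDP socket). A CLOSED TCP socket is
# not a listener and is skipped. These are the services that will answer on
# every address the host has, including a jail's.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^\*\./ {
            if ($1 ~ /^udp/ || $6 == "LISTEN") print $1, $4
        }'
}

# can_jail_bind PROTO PORT JAIL_IP: read netstat output on stdin and return 0
# when a service inside a jail at JAIL_IP could bind PROTO port PORT, i.e. no
# socket already holds either the wildcard address or the jail's own address
# for that port. Returns 1 otherwise.
can_jail_bind() {
    awk -v proto="$1" -v port="$2" -v ip="$3" '
        BEGIN { taken = 0 }
        $1 ~ ("^" proto) && ($4 == ("*." port) || $4 == (ip "." port)) {
            if ($1 ~ /^udp/ || $6 == "LISTEN") taken = 1
        }
        END { exit taken }'
}

# count_wildcard_listeners: number of wildcard listeners in the sample.
count_wildcard_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample.
echo "Host services bound to the wildcard address (will also answer on jail IPs):"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
for spec in "tcp ssh" "tcp http" "udp syslog"; do
    set -- $spec
    if printf '%s\n' "$SAMPLE_NETSTAT" | can_jail_bind "$1" "$2" 192.168.1.85; then
        echo "jail 192.168.1.85 can bind $1/$2"
    else
        echo "jail 192.168.1.85 cannot bind $1/$2: already held elsewhere"
    fi
done
```

On a real host, replace the sample with `netstat -f inet -a | wildcard_listeners`; anything it prints is a daemon to pin to the host's address (as the thread does for syslogd with `syslogd_flags="-b 192.168.1.84"`) before starting a jail that needs the same port. Run the same check on `netstat -f inet6 -a` if IPv6 is configured.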