From: "Scheithauer, Lars (FH)"
Cc: "Bjoern A. Zeeb"
Date: Tue, 17 Nov 2009 12:18:40 +0100
Subject: AW: Networking from jail - errata
List-Id: "Discussion about FreeBSD jail\(8\)"

Hi Bjoern,

thanks for the clarification, I changed the values according to your
suggestions. However, it did not resolve the problem.

I've checked the proxy logfiles and it seems that the Makefile(s) don't
try to access the proxy at all while fetching files. Is there any
reason why the Makefile(s) should not use the *_PROXY-variables on the
jails?

Best Regards,
Lars

-----Original Message-----
From: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] On Behalf Of Bjoern A. Zeeb
Sent: Tuesday, 17 November 2009 11:41
To: Scheithauer, Lars (FH)
Cc: freebsd-jail@freebsd.org
Subject: Re: Networking from jail - errata

On Tue, 17 Nov 2009, Scheithauer, Lars (FH) wrote:

Hi,

> Quick note:
> Forgot to replace two values.
> Jail - x.y.z.61
> Host - x.y.z.60
> Router - x.y.z.62
>
>
> -----Original Message-----
> From: owner-freebsd-jail@freebsd.org [mailto:owner-freebsd-jail@freebsd.org] On Behalf Of Scheithauer, Lars (FH)
> Sent: Tuesday, 17 November 2009 10:19
> To: freebsd-jail@freebsd.org
> Subject: Networking from jail
>
> Hi everyone!
>
> I'm having a little trouble with my jail's networking and I'm not sure
> what to make of it.
>
> My jailhost has an IP of x.y.z.48, my test jail is x.y.z.49. The
> jailhost has both IP addresses, the jail has just its own:
>
> Jail# ifconfig
> bce0: flags=8843 metric 0 mtu 1500
>         options=1bb TSO4>
>         ether xx:xx:xx:xx:xx:10
>         inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63
>         media: Ethernet autoselect (1000baseSX )
>         status: active
> [...]
>
> Host# ifconfig
> bce0: flags=8843 metric 0 mtu 1500
>         options=1bb TSO4>
>         ether xx:xx:xx:xx:xx:10
>         inet x.y.z.61 netmask 0xffffffc0 broadcast x.y.z.63
>         inet x.y.z.60 netmask 0xffffffc0 broadcast x.y.z.63
>         media: Ethernet autoselect (1000baseSX )
>         status: active
> [...]
>
> I am able to access the ssh-server running on the jail, and I am able to
> access the proxyserver of our network via telnet and get some pages of
> the internet. However, if I want to install something from the ports,
> the jail is unable to fetch it:
>
> Jail# cd /usr/ports/ftp/wget
> Jail# make
> ===> Vulnerability check disabled, database not found
> ===> Found saved configuration for wget-1.11.4_1
> => wget-1.11.4.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
> => Attempting to fetch from http://ftp.gnu.org/gnu/wget/.
> fetch: http://ftp.gnu.org/gnu/wget/wget-1.11.4.tar.bz2: Operation timed out
> => Attempting to fetch from ftp://ftp.gnu.org/gnu/wget/.
> [...]
>
> I've set the appropriate environment variables HTTP_PROXY, HTTPS_PROXY
> and FTP_PROXY. If I test the connection with netcat, I get the following
> error message:
> # nc -zvw 1 -x 'proxy.example.com:8080' www.freebsd.org 80
> nc: read failed (0/3): Broken pipe

The usual thing I am interested in at that point is - does name resolution
work properly from within the jail? /etc/resolv.conf set up correctly etc?

> The funny thing is that I have no problem installing ports from the
> Host-system. From what I can tell, all the config files are correct:
>
> Jail# cat /etc/rc.conf
> sshd_enable="YES"
> ifconfig_bce0="inet x.y.z.60 netmask 255.255.255.192"
> defaultrouter="x.y.z.62"
> hostname="jail.example.com"

That's not going to work, really (the ifconfig, defaultrouter, and unless
you changed the defaults on the host system not even the hostname).
You should actually remove those.

> Host# cat /etc/rc.conf
> sshd_enable="NO"
> ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192"
> defaultrouter="x.y.z.62"
> hostname="host.example.com"
> ipv6_enable="NO"
> jail_enable="YES"
> jail_set_hostname_allow="NO"
> jail_list="jail"
> jail_jail_hostname="jail"
> jail_jail_ip="x.y.z.60"
> jail_jail_rootdir="my/jail/root"
> jail_jail_devfs_enable="YES"

That doesn't really match your ifconfig output from above; something on
the host system would have to set the IP address of the host.

I would expect something like (you may have mixed jail and host
addresses so properly sort this):

# host system IP address
ifconfig_bce0="inet x.y.z.61 netmask 255.255.255.192"
# jail IP address
ifconfig_bce0_alias0="inet x.y.z.60 netmask 255.255.255.255"

Note that the alias has a /32 netmask.

/bz

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
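
An added example, not part of the thread and not written by its participants: a small sh lint that checks a jail's and a host's rc.conf for the two issues Bjoern points out (network settings inside the jail, and the jail IP not configured on the host as a /32 alias). The function names and the 192.0.2.x addresses are constructed stand-ins for the thread's x.y.z values; only the `netmask` spelling of the alias used in the thread is recognised.

```sh
#!/bin/sh
# Added example, not from the thread: lint rc.conf files for the two problems above.

# Print KEY's value from an rc.conf-style FILE (last assignment wins, quotes dropped).
rc_get() { sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'; }

# Jail side: list the settings the reply says will not work from inside the jail.
# hostname is reported only when the host sets jail_set_hostname_allow="NO".
lint_jail() {  # usage: lint_jail JAIL_RC HOST_RC
    grep -E '^(ifconfig_[A-Za-z0-9_]+|defaultrouter)=' "$1" | cut -d= -f1
    if [ "$(rc_get "$2" jail_set_hostname_allow)" = "NO" ]; then
        grep -E '^hostname=' "$1" | cut -d= -f1
    fi
}

# Host side: for every jail in jail_list, report when its IP is not configured
# on the host as an ifconfig_<if>_aliasN entry with a /32 netmask.
lint_host() {  # usage: lint_host HOST_RC
    for j in $(rc_get "$1" jail_list); do
        ip=$(rc_get "$1" "jail_${j}_ip")
        alias_line=$(grep -E '^ifconfig_[A-Za-z0-9]+_alias[0-9]+=' "$1" | grep -F " $ip " | tail -n 1)
        case "$alias_line" in
            "") echo "$j: $ip has no ifconfig_<if>_aliasN entry" ;;
            *"netmask 255.255.255.255"*|*"netmask 0xffffffff"*) ;;
            *) echo "$j: alias for $ip is not /32" ;;
        esac
    done
}

# Constructed sample files: the thread's settings, 192.0.2.x standing in for x.y.z.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/jail.conf" <<'EOF'
sshd_enable="YES"
ifconfig_bce0="inet 192.0.2.60 netmask 255.255.255.192"
defaultrouter="192.0.2.62"
hostname="jail.example.com"
EOF
cat > "$d/host.conf" <<'EOF'
ifconfig_bce0="inet 192.0.2.61 netmask 255.255.255.192"
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="jail"
jail_jail_ip="192.0.2.60"
EOF
lint_jail "$d/jail.conf" "$d/host.conf"
lint_host "$d/host.conf"
```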