From: Norman Gray
To: Alejandro Imass
CC: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Jails and networks
Date: Fri, 24 Aug 2018 16:54:53 +0100
Message-ID: <702BA4E1-A1D1-4120-866D-755CB2C76143@glasgow.ac.uk>
References: <6B17F10B-F3AE-45C5-8011-EBE52462230E@glasgow.ac.uk>

Alejandro, hello.

Thanks for your further comments.

On 24 Aug 2018, at 16:10, Alejandro Imass wrote:

> Try by IP to the outside first.
I should have mentioned that I tried that, too, but

    # telnet 130.209.16.90 80
    Trying 130.209.16.90...
    telnet: connect to address 130.209.16.90: Operation timed out
    telnet: Unable to connect to remote host
    #

(and I can telnet to that machine -- a web server -- normally from outside).

> Make sure you have a resolv.conf in your jail. Copy the one from
> outside or use something like:
>
> nameserver 8.8.8.8

I thought of that -- my resolv.conf is sane.

>> There's something important about jail networking that I'm not
>> understanding, but I haven't a clue what it is. Most frustrating.
>>
>
> It usually works pretty much automatic, especially with ezjail.

That's the very strong impression I've gleaned from elsewhere -- it should Just Work. It must be that I've messed up _something_ in the host's networking, though it's a pretty fresh install on a machine where I'm experimenting only with this. (And yes, it's installed on bare metal, not a VM.)

I know that the jail's networking will look slightly different from the host's, but I'm not sure in just what respect. The routing table looks odd:

    # netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    192.168.11.128     link#3             UHS        lo0
    #

But since none of the ezjail guides have mentioned having to adjust routing, even in passing, I don't _think_ that's wrong. In any case, since the jail doesn't have its own networking stack, it's the host's routing table that matters. Or at least I think so -- this is what I mean when I say that I'm suddenly doubting what I think I know about networking+jails.

>> That is:
>>
>>     # ezjail-admin onestart norman
>>     Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.norman.conf is
>>     created and used for jail norman.
>>     /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables is
>>     obsolete. Please consider migrating to /etc/jail.conf.
>>
>
> Yeah, I've seen that for a long time now and I've seen some discussion
> around it.
> Not sure it makes any real difference and has never been a
> problem for me.
>
> Maybe you can try the ezjail mailing list:
>
> https://erdgeist.org/arts/software/ezjail/#author-contact
>
> Dirk is usually very friendly and fast in responding. Qjail says they
> work on 11 and beyond but I've never tried it.

I think I should indeed try there. It sounds as if this might need some specialised knowledge.

> There's been some
> friction over the years and I sided with Dirk and continue to use
> ezjail.

That's also very useful to know. As with all of these things, it'd be interesting to know more about the grounds and nature of the split, but that's not always easy to find.

Best wishes,

Norman

--
Norman Gray  :  http://www.astro.gla.ac.uk/users/norman/it/
SUPA School of Physics and Astronomy, University of Glasgow, UK

// My current template week for IT Management tasks is: Monday, Tuesday, and Friday
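An added example, not part of the thread above: a non-VNET jail shares the host's routing table and only sees a filtered view of it from inside, so the checks below parse `netstat -rn` output as captured on the HOST (the sample tables, the gateway 130.209.16.1 and the interface em0 are constructed here) and report the three things that decide whether a jail can reach outside: a default route, the jail address being configured on a host interface, and whether that address is RFC1918 and therefore needs NAT on the host.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample: the host's table,
# with a default route and the jail address aliased onto em0.
HOST_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            130.209.16.1       UGS        em0
127.0.0.1          link#2             UH         lo0
130.209.16.0/24    link#1             U          em0
130.209.16.77      link#1             UHS        lo0
192.168.11.128     link#3             UHS        lo0'

# Constructed sample: the filtered view a jail prints, matching the thread.
# No default route appears here, which is normal and not the fault.
JAIL_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
192.168.11.128     link#3             UHS        lo0'

# default_gateway ROUTES: print the default route's gateway; exit 1 if none.
default_gateway() {
    printf '%s\n' "$1" |
        awk '$1 == "default" { print $2; found = 1 } END { exit !found }'
}

# jail_ip_configured ROUTES IP: exit 0 if IP has a host route via a link#
# entry, i.e. it is configured as an address on some host interface.
jail_ip_configured() {
    printf '%s\n' "$1" |
        awk -v ip="$2" '$1 == ip && $2 ~ /^link#/ { found = 1 } END { exit !found }'
}

# is_rfc1918 IP: exit 0 for private addresses. A jail on such an address
# can send packets out, but replies never return unless the host NATs them.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: run on the host with live output, e.g.
#   default_gateway "$(netstat -rn)"; jail_ip_configured "$(netstat -rn)" 192.168.11.128
```

If `default_gateway` prints nothing for the host table, no jail on that host will reach outside regardless of its own settings; if the jail address is private, the remaining question is the host's NAT rule.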