From owner-freebsd-questions@freebsd.org Thu Feb 1 16:13:49 2018
Subject: Re: EZJAIL and ping on FreeBSD-11.
To: freebsd-questions@freebsd.org
From: Grouchy Sysadmin
Reply-To: sysadmin@i.grouchysysadmin.com
Date: Thu, 1 Feb 2018 10:08:25 -0600
Message-ID: <0fe114e1-bc87-db17-ed24-8035bb1582b1@grouchysysadmin.com>
In-Reply-To: <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>
References: <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>

On 02/01/2018 09:23 AM, James B. Byrne via freebsd-questions wrote:
> I have read the various 'howtos' respecting this issue and I cannot
> see where I have failed to properly follow the instructions. But
> clearly I have not done it right.
>
> I have setup a jail named hll124. It is configured and running. It
> can connect to the network and the Internet without issue. DNS
> resolution works fine using local_unbound.
>
> In /etc/sysctl.conf on the host I have this:
>
> # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
> #
> # This file is read when going to multi-user and its contents piped thru
> # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
> #
>
> # Uncomment this to prevent users from seeing information about processes that
> # are being run under another UID.
> #security.bsd.see_other_uids=0
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> security.bsd.unprivileged_read_msgbuf=0
> security.bsd.unprivileged_proc_debug=0
> security.bsd.stack_guard_page=1
>
> # Required for Chrome/Chromium
> kern.ipc.shm_allow_removed=1
>
> # Add to allow jails to create sockets - 2018-01-31 JBB
> security.jail.allow_raw_sockets=1
>
>
> The host system shows this:
>
> $ sudo sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
>
>
> In the ezjail configuration file I have this:
>
> # Allow ping, traceroute and other things 2018-01-31 JBB
> export jail_hll124_allow_raw_sockets="YES"
>
>
> When I connect to the ezjail instance with ezjail-admin console and
> run ping then I see this:
>
> # ping 192.168.71.44
> ping: ssend socket: Operation not permitted
>
> What else am I missing?
>

You don't need to allow raw sockets globally. I'd leave it set as
"security.jail.allow_raw_sockets=0". Then allow raw sockets on a per-jail
basis by changing the parameters in the ezjail configuration. For example,
add this to the /usr/local/etc/ezjail/hll124 file.

export jail_hll124_parameters="allow.raw_sockets=1"

Stop the jail, and then start it for the setting to take effect.
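The distinction the reply draws is between granting raw sockets host-wide (the security.jail.allow_raw_sockets sysctl) and granting them to one jail through its jail_<name>_parameters line. The following POSIX sh script is an added example written for this page, not code from the thread or from the ezjail project: it audits a directory of ezjail per-jail configuration files and reports, for each jail, whether raw sockets are enabled per jail, whether only the jail_<name>_allow_raw_sockets="YES" form from the question is present (the form that did not give the poster a working ping), or whether neither is set. The directory layout assumed is the /usr/local/etc/ezjail/<jailname> one used in the thread; the sample jail files it writes to a temporary directory are constructed for the example, and the 192.168.71.124 address in them is a made-up value.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): audit ezjail per-jail
# config files for the raw-sockets privilege, so that it can be verified
# the privilege is granted per jail rather than host-wide via sysctl.
# Assumption: each file in the directory is named after its jail and
# uses the shell-variable layout shown in the thread.

# raw_sockets_mode FILE JAILNAME
# Prints one of:
#   per-jail    jail_<name>_parameters contains allow.raw_sockets=1
#   legacy-var  only jail_<name>_allow_raw_sockets="YES" is set (the form
#               that did not take effect in the question)
#   off         neither is present
raw_sockets_mode() {
    rsm_file=$1
    rsm_name=$2
    if grep -Eq "^[[:space:]]*export[[:space:]]+jail_${rsm_name}_parameters=.*allow\.raw_sockets=1" "$rsm_file"; then
        echo per-jail
    elif grep -Eq "^[[:space:]]*export[[:space:]]+jail_${rsm_name}_allow_raw_sockets=\"?YES\"?" "$rsm_file"; then
        echo legacy-var
    else
        echo off
    fi
}

# list_jails_with_raw_sockets DIR
# Prints the names of jails whose config enables raw sockets per jail.
list_jails_with_raw_sockets() {
    ljd_dir=$1
    for ljd_f in "$ljd_dir"/*; do
        [ -f "$ljd_f" ] || continue
        ljd_name=${ljd_f##*/}
        if [ "$(raw_sockets_mode "$ljd_f" "$ljd_name")" = per-jail ]; then
            echo "$ljd_name"
        fi
    done
}

# make_sample_config
# Writes three constructed jail files into a temporary directory and
# prints the directory path. Values are made up for this example.
make_sample_config() {
    msc_dir=$(mktemp -d)
    cat > "$msc_dir/hll124" <<'EOF'
export jail_hll124_hostname="hll124"
export jail_hll124_ip="192.168.71.124"
export jail_hll124_rootdir="/usr/jails/hll124"
# Allow ping and traceroute from inside this jail only
export jail_hll124_parameters="allow.raw_sockets=1"
EOF
    cat > "$msc_dir/oldstyle" <<'EOF'
export jail_oldstyle_hostname="oldstyle"
export jail_oldstyle_rootdir="/usr/jails/oldstyle"
export jail_oldstyle_allow_raw_sockets="YES"
EOF
    cat > "$msc_dir/web" <<'EOF'
export jail_web_hostname="web"
export jail_web_rootdir="/usr/jails/web"
export jail_web_parameters="allow.sysvipc=1"
EOF
    echo "$msc_dir"
}

SAMPLE_DIR=$(make_sample_config)

# Stand-alone run: print the mode of every jail, then the per-jail list.
for f in "$SAMPLE_DIR"/*; do
    echo "$(basename "$f"): $(raw_sockets_mode "$f" "$(basename "$f")")"
done
echo "jails with per-jail raw sockets: $(list_jails_with_raw_sockets "$SAMPLE_DIR")"
```

Pointing the two functions at the real /usr/local/etc/ezjail directory instead of the constructed sample gives a quick inventory of which jails have been handed the raw-socket privilege, which is the state the reply recommends leaving the host sysctl out of.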