From owner-freebsd-questions@freebsd.org Fri Dec 23 03:25:44 2016
Message-ID: <585C993B.7040805@gmail.com>
Date: Fri, 23 Dec 2016 11:25:47 +0800
From: Ernie Luzar
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
To: byrnejb@harte-lyne.ca
CC: freebsd-questions@freebsd.org
Subject: Re: IP address assignments to jails using ezjail

James B. Byrne via freebsd-questions wrote:
> When I created the new jail I used this invocation:
>
> ezjail-admin create -x hlldrupal 'lo1|127.0.1.1,vtnet0|192.168.216.196'
>
> Inside the host rc.conf I have this:
>
> # Cloned i/f and assigned ipv4 addr for jails
> cloned_interfaces="lo1" # For shared jail configuration
>
> And ifconfig on the host shows this:
>
> vtnet0: flags=8943 metric 0 mtu 1500
> options=80028
> ether 00:a0:98:fa:aa:b6
> inet 216.185.71.16 netmask 0xffffff00 broadcast 216.185.71.255
> inet 192.168.216.16 netmask 0xffffff00 broadcast 192.168.216.255
> inet 192.168.216.196 netmask 0xffffffff broadcast 192.168.216.196
> nd6 options=29
> media: Ethernet 10Gbase-T
> status: active
> . . .
> lo1: flags=8049 metric 0 mtu 16384
> options=600003
> inet 127.0.1.1 netmask 0xffffffff
> nd6 options=29
> groups: lo
>
> Inside the jail ifconfig shows this:
>
> vtnet0: flags=8943 metric 0 mtu 1500
> options=80028
> ether 00:a0:98:fa:aa:b6
> inet 192.168.216.196 netmask 0xffffffff broadcast 192.168.216.196
> media: Ethernet 10Gbase-T
> status: active
> lo0: flags=8049 metric 0 mtu 16384
> options=600003
> groups: lo
> lo1: flags=8049 metric 0 mtu 16384
> options=600003
> inet 127.0.1.1 netmask 0xffffffff
> groups: lo
>
> All this seems to be correct and yet I cannot seem to obtain an ssh
> connection to or from the jailed instance. unbound is running in the
> jail and seems to be working. At least host responds to queries.
>
> root@hlldrupal:~ # host sendmail.com
> sendmail.com has address 209.246.26.25
> sendmail.com mail is handled by 10 mxa-00148501.gslb.pphosted.com.
> sendmail.com mail is handled by 20 mx2.proofpoint.com.
> sendmail.com mail is handled by 10 mxb-00148501.gslb.pphosted.com.
>
> pf is not running in the jail but sshd is:
>
> root@hlldrupal:~ # service sshd status
> sshd is running as pid 81502.
>
> root@hlldrupal:~ # service pf status
> Cannot 'status' pf. Set pf_enable to YES in /etc/rc.conf or use
> 'onestatus' instead of 'status'.
> root@hlldrupal:~ # service pf onestatus
> pf.ko is not loaded
>
> I note that the flag IFDISABLED is present on the host's lo1. Why? Is
> this the source of the connectivity problem with the jail? If so, then
> why does the host command work when executed within the jail? In any
> case I can ping the jail from without:
>
> [root@vhost04 ~ (master *%)]# ping 192.168.216.196
> PING 192.168.216.196 (192.168.216.196) 56(84) bytes of data.
> 64 bytes from 192.168.216.196: icmp_seq=1 ttl=64 time=0.647 ms
>
> I just cannot connect to that address via ssh from without, nor can I
> connect ssh to any address from within the jail.

1. Loopback is only necessary in a jail if that jail has a service running that uses it. But you have to modify that service's config file to use the loopback IP address you assigned to the jail before things work correctly. lo1 is not necessary; you can assign any 127.x.x.x IP address to the jail as long as you don't assign the host's default 127.0.0.1 IP address.

2. I use qjail, which is a fork of ezjail. It automatically configures your network for you, so you don't have to manually add statements to rc.conf for your jails. Since this is a learning test anyway, give it a try.

3. Take unbound out of the mix by not starting that jail. Then use only IP addresses in your host-to-jail ssh command.

4. What is the output of issuing the host ssh command to a jail? Does host answer?
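A host-side checklist for points 3 and 4 above, as an added example that is not from the thread: the helpers nd6_ifdisabled and sshd_listens_on parse ifconfig and sockstat text so they can be checked offline, and run_checks does the live jls/sockstat/nc checks only on a FreeBSD host. The jail name, its address and the lo1 alias are taken from the thread; the column layout assumed is that of "sockstat -4 -l", and IFDISABLED is read from the "nd6 options=" line because that is where ifconfig prints it (an IPv6 neighbour-discovery setting).

```shell
#!/bin/sh
# Added example (not from the thread): host-side checklist for the jail
# ssh problem above. Assumed from the thread: jail "hlldrupal",
# address 192.168.216.196, loopback alias lo1 / 127.0.1.1.
JAIL=${1:-hlldrupal}; JAIL_IP=${2:-192.168.216.196}; LO_IF=${3:-lo1}

# Helpers take command output as text so they can be checked offline.

# True when the interface's "nd6 options=" line carries IFDISABLED.
# ifconfig prints IFDISABLED there: it is an IPv6 neighbour-discovery
# setting and does not affect IPv4 reachability of the jail.
nd6_ifdisabled() {  # $1 = ifconfig output, $2 = interface name
    printf '%s\n' "$1" | awk -v ifn="$2" '
        /^[a-z0-9.]+:/ { cur = substr($1, 1, length($1) - 1) }
        cur == ifn && /nd6 options=/ && /IFDISABLED/ { hit = 1 }
        END { exit !hit }'
}

# True when sshd has a tcp4 listener on the address (or on the wildcard).
sshd_listens_on() {  # $1 = "sockstat -4 -l" output, $2 = IPv4 address
    printf '%s\n' "$1" | awk -v ip="$2" '
        $2 == "sshd" && $5 == "tcp4" && ($6 == (ip ":22") || $6 == "*:22") { hit = 1 }
        END { exit !hit }'
}

# Live checks; run only on a FreeBSD host where jls exists.
run_checks() {
    jid=$(jls -j "$JAIL" jid) || { echo "jail $JAIL is not running"; return 1; }
    echo "jail $JAIL: jid=$jid ip4.addr=$(jls -j "$JAIL" ip4.addr)"
    if nd6_ifdisabled "$(ifconfig "$LO_IF")" "$LO_IF"; then
        echo "note: IFDISABLED on $LO_IF is an nd6/IPv6 flag, not an IPv4 problem"
    fi
    if sshd_listens_on "$(sockstat -4 -l -j "$jid")" "$JAIL_IP"; then
        echo "sshd listens on $JAIL_IP:22 inside jail $jid"
    else
        echo "no tcp4 sshd listener for $JAIL_IP in jail $jid"; return 1
    fi
    # ICMP working says nothing about tcp/22; test the port itself.
    nc -z -w 3 "$JAIL_IP" 22 && echo "tcp/22 on $JAIL_IP reachable from the host"
}

if command -v jls >/dev/null 2>&1; then run_checks; fi
```

Run it on the host as `sh jailcheck.sh hlldrupal 192.168.216.196 lo1`; a missing tcp4 listener on the jail address points at the sshd/unbound config rather than at the jail's address assignment.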