From: Moritz Wilhelmy
To: freebsd-jail@freebsd.org
Date: Fri, 20 Jun 2014 16:44:09 +0200
Subject: Jail network connectivity issues
Message-ID: <20140620144408.GY9432@barfooze.de>

Hello,

I have a jail with a public IP address assigned to it on 10.0/amd64, however both inbound and outbound connections randomly fail. I'm using ipfilter as a packet filter but the issue persists when I reboot without ipfilter enabled.

Usually inbound connections work a couple of times (around 4) and the 5th-ish attempt at establishing a TCP connection fails with a connection timeout. From that point on it's hit-and-miss. Nothing else on the system is listening on the port.

The connection that times out does not show up in the host system, neither in tcpdump nor -- if enabled -- ipmon, the ipfilter monitoring utility.

When trying to telnet out of the box, the connection hangs before "Trying ...", except sometimes when it works. Even then, the connection is established excruciatingly slowly, while outside the jail, connections are established instantaneously.

On the host system, specifying the jail's IP as telnet's source IP via -s works, so I doubt it's my ISP's fault.

To make sure the configuration in the jail tree isn't what's causing the issues, I created another jail with "/" as root directory and the jail's IP assigned and /bin/sh as command. Same issue.

This leads me to believe that the jail subsystem is responsible somehow. Any ideas what I might be missing?

Best,

Moritz

--
Civil servants cannot walk around all day with the Basic Law under their arm.
-Hermann Höcherl, 1963