From: Valeri Galtsev
To: byrnejb@harte-lyne.ca, freebsd-questions@freebsd.org
Subject: Re: FreeBSD, jail, ping
Date: Thu, 1 Feb 2018 12:15:56 -0600

On 02/01/18 12:05, James B. Byrne via freebsd-questions wrote:
>
> On Thu, February 1, 2018 12:55, James B. Byrne wrote:
>> On the jail I see this behaviour:
>>
>> root@hll124:~ # sysctl security.jail.allow_raw_sockets
>> security.jail.allow_raw_sockets: 0
>>
>> root@hll124:~ # sysctl security.jail.allow_raw_sockets=1
>> security.jail.allow_raw_sockets: 0
>> sysctl: security.jail.allow_raw_sockets=1: Operation not permitted
>>
>> So, how is this fixed?
>>
>
> On host:
>
> # jls
>    JID  IP Address      Hostname                       Path
>      6  127.0.124.1     hll124.hamilton.harte-lyne.ca  /usr/jails/hll124
>
> # jail -m jid=6 allow.raw_sockets=1
>
> On jail:
>
> # sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
>
> root@hll124:~ # ping 192.168.71.1
> PING 192.168.71.1 (192.168.71.1): 56 data bytes
> 64 bytes from 192.168.71.1: icmp_seq=0 ttl=64 time=0.253 ms
>
>
> So, how does one get the jail to automatically configure this setting?
>

I do not know how to do it using ezjail, but after ezjail does its
magic, the following line

allow.raw_sockets = 1;

will be in /etc/jail.conf inside the particular jail's configuration.

(After that setting is modified, the particular jail has to be
restarted, as someone already mentioned.)

I hope someone who uses ezjail will chime in.

Thanks.
Valeri

>

-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
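
An added example, not part of the original message or of any FreeBSD tooling: because allow.raw_sockets lets a jail's root create raw sockets (jail(8) advises extra caution when jail root is given to untrusted parties), this sh function lists which jail blocks in a jail.conf-style file enable it, so the setting is granted per jail on purpose. The jail name hll124 and its path come from the thread; the web and build jails and the sample file are constructed, and the parser assumes one statement per line and does not handle /* */ comments.

```shell
#!/bin/sh
# Print the name of every jail block that enables allow.raw_sockets.
# Reads the file(s) given as arguments, or stdin when none are given.
# A match outside any block is reported as "(global)".
raw_socket_jails() {
    awk '
    {
        sub(/#.*/, "")        # drop shell-style comments
        sub(/\/\/.*/, "")     # drop C++-style comments
        # "name {" opens a jail block: remember the jail name
        if (match($0, /^[ \t]*[^ \t{}=;]+[ \t]*[{]/)) {
            name = substr($0, RSTART, RLENGTH)
            gsub(/[ \t{]/, "", name)
        }
        # enabled forms: bare "allow.raw_sockets;", "= 1;" or "= true;"
        if ($0 ~ /(^|[ \t;{])allow\.raw_sockets[ \t]*(;|=[ \t]*"?(1|true)"?[ \t]*;)/)
            print (name == "" ? "(global)" : name)
        if ($0 ~ /[}]/) name = ""   # block closed
    }' "$@"
}

# Constructed sample configuration (not taken from a real host).
sample_conf() {
    cat <<'EOF'
exec.start = "/bin/sh /etc/rc";
# allow.raw_sockets = 1;   commented out, must not be reported
hll124 {
    path = "/usr/jails/hll124";
    ip4.addr = 127.0.124.1;
    allow.raw_sockets = 1;
}
web {
    path = "/usr/jails/web";
    allow.raw_sockets = 0;
}
build {
    path = "/usr/jails/build";
    allow.raw_sockets;
}
EOF
}

# Demo on the constructed sample; on a host, pass /etc/jail.conf instead.
sample_conf | raw_socket_jails
```
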