Date: Thu, 29 Aug 2013 10:03:39 +0100
From: Frank Leonhardt <frank2@fjl.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: Jail with public IP alias
Message-ID: <521F0E6B.8020507@fjl.co.uk>
In-Reply-To: <521F0BD6.7040306@fjl.co.uk>
References: <CAHieY7Sq5XKFuwp9PYnbuLAM6i=6KrrS8h-RM2uJUCzgAQ5rcw@mail.gmail.com> <CAHieY7QnkKv3st31tFHipd7q1jZ1YnFAXizQvgFKjH4oPc5Hsw@mail.gmail.com> <CA%2BdWbmYDfNNAv1kV=68eGQ8ySs9G07TZz_6zE0Fkit5t40484g@mail.gmail.com> <CAHieY7ROHTret4QgCfgUaO5t1HwPzoi8O%2B85y7KKjCW=haoGmg@mail.gmail.com> <CA%2BdWbmb6VqmjQAiEyLmsE_%2BP8bHNZxf_Yff7BZAzdDEM3Ka4SA@mail.gmail.com> <521DC5EC.1010701@fjl.co.uk> <CAHieY7TpuAcpEAqLc8=kUf=GOiwu2DonoRkTJ60stBUsVMQCcQ@mail.gmail.com> <CA%2BdWbmbzwDV=UeUPonAKdpM080=rAvQ6xu_BG3FbRYWM4pwjoQ@mail.gmail.com> <521E5976.8000605@fjl.co.uk> <CAHieY7QshB9tVrthZkuqiwWQewN1V2ZOcTZo=B_ziSKaOo%2BDWg@mail.gmail.com> <521F0BD6.7040306@fjl.co.uk>
On 29/08/2013 09:52, Frank Leonhardt wrote:
> On 29/08/2013 02:08, Alejandro Imass wrote:
>> On Wed, Aug 28, 2013 at 4:11 PM, Frank Leonhardt <frank2@fjl.co.uk>
>> wrote:
>>> On 28/08/2013 19:42, Patrick wrote:
>>>> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aimass@yabarana.com>
>>>> wrote:
>>>>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <frank2@fjl.co.uk>
>>>>> wrote:
>> [...]
>>
>>> Sorry guys - I had no intention of upsetting the EzJail fan club!
>>>
>> No worries there I just think it's an awesome tool. We used plain old
>> jails before, and we even went through the "service jail" path once,
>> but EzJail is a lot more than just lightweight easy-to-use jailing.
>>
>>
>>> The fact remains that I've tried to recreate this problem on what
>>> comes to a similar set-up, but without EzJail, and I can't. I've only
>>> tested it on FreeBSD 8.2 so far, and I've only tested it from INSIDE
>>> a jail. I completely understood what you were saying about it doing
>>> weird stuff outside a jail, but my point is that this may or may not
>>> be related.
>>>
>> Actually you can replicate it easily. Assign a number of IPs to any
>> interface but that the interface has a default route. It will always
>> use the "primary" or default IP on the other end. You can probably see
>> this effect even on a private network provided all the aliases route
>> through the same gateway. You will not be able to see this effect
>> using aliases on the loopback AFAIK.
>>
>>
>>> You don't say what version you're running. I can try and recreate it on
>>> another version.
>>>
>> It doesn't matter, it's a very basic network issue with aliases in
>> FreeBSD, Linux and other OSs. Look here:
>>
>> http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour
>>
>>
>>
>> I would like to know how people deal with this on FBSD
>>
>>
>
> Okay, I'm trying here. I tried to recreate it thus:
>
> b1# ifconfig
>
> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>     options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
>     ether 00:21:9b:fd:30:8b
>     inet xx.yy.41.196 netmask 0xffffffc0 broadcast xx.yy.41.255
>     inet xx.yy.41.197 netmask 0xffffffff broadcast xx.yy.41.197
>     inet xx.yy.41.198 netmask 0xffffffff broadcast xx.yy.41.198
>     inet xx.yy.41.199 netmask 0xffffffff broadcast xx.yy.41.199
>     inet xx.yy.41.200 netmask 0xffffffff broadcast xx.yy.41.200
>     inet xx.yy.41.201 netmask 0xffffffff broadcast xx.yy.41.201
>     inet xx.yy.41.202 netmask 0xffffffff broadcast xx.yy.41.202
>     inet xx.yy.41.203 netmask 0xffffffff broadcast xx.yy.41.203
>     inet xx2.yy2.76.62 netmask 0xffffffc0 broadcast xx2.yy2.76.63
>     inet xx.yy.41.207 netmask 0xffffffff broadcast xx.yy.41.207
>     inet xx.yy.41.206 netmask 0xffffffff broadcast xx.yy.41.206
>     media: Ethernet autoselect (100baseTX <full-duplex,flowcontrol,rxpause,txpause>)
>     status: active
> <etc...>
>
> Then:
> b1# ssh -b xx.yy.41.197 b2 -l myname
>
> Open new session and...
>
> b1# ssh -b xx.yy.41.198 b2 -l myname
>
> Open new session and...
>
> b1# ssh -b xx.yy.41.199 b2 -l myname
>
> And so on....
>
> Then on b2:
>
> b2# w -n
>  9:43AM  up 803 days, 22:47, 5 users, load averages: 0.07, 0.06, 0.02
> USER     TTY   FROM                    LOGIN@  IDLE WHAT
> myname   p0    ns0.domainname.org.uk   9:28AM    14 -csh (csh)
> myname   p1    ns1.domainname.net      9:29AM    14 -csh (csh)
> myname   p5    xx.yy.41.199            9:29AM    13 -csh (csh)
> myname   p6    xx.yy.41.201            9:30AM     - w -n
> myname   p7    xx.yy.41.207            9:30AM    11 -csh (csh)
>
> The only problem I can see there is that the -n option isn't working
> on w! I'll look in to that. The reverse lookups match the IP addresses
> dialled in on. b2 has the same sshd bound to all IP addresses,
> incidentally. b1 has more than one interface, but all the IP addresses
> I used are on the same one.
>
> My guess, if you're not getting this, is that you're configuring the
> aliases in a different way, so the output of ipconfig might help, even
> if it just convinces me the netmask is correct and stops me worrying.
> I've obviously obfuscated the first part of mine.
>
> Or have I misunderstood the problem?
>
> Regards, Frank.

P.S. Just for completeness:

b1# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            xx.yy.41.193       UGS    112374 7203472736   bge0
<etc...>

The default route does go through that interface.