From: Frank Leonhardt
Date: Thu, 29 Aug 2013 10:03:39 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Jail with public IP alias
Message-ID: <521F0E6B.8020507@fjl.co.uk>
References: <521DC5EC.1010701@fjl.co.uk> <521E5976.8000605@fjl.co.uk> <521F0BD6.7040306@fjl.co.uk>
In-Reply-To: <521F0BD6.7040306@fjl.co.uk>

On 29/08/2013 09:52, Frank Leonhardt wrote:
> On 29/08/2013 02:08, Alejandro Imass wrote:
>> On Wed, Aug 28, 2013 at 4:11 PM, Frank Leonhardt wrote:
>>> On 28/08/2013 19:42, Patrick wrote:
>>>> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass wrote:
>>>>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt wrote:
>> [...]
>>
>>> Sorry guys - I had no intention of upsetting the EzJail fan club!
>>>
>> No worries there, I just think it's an awesome tool. We used plain old
>> jails before, and we even went through the "service jail" path once,
>> but EzJail is a lot more than just lightweight easy-to-use jailing.
>>
>>> The fact remains that I've tried to recreate this problem on what
>>> comes to a similar set-up, but without EzJail, and I can't. I've only
>>> tested it on FreeBSD 8.2 so far, and I've only tested it from INSIDE a
>>> jail. I completely understood what you were saying about it doing
>>> weird stuff outside a jail, but my point is that this may or may not
>>> be related.
>>>
>> Actually you can replicate it easily. Assign a number of IPs to any
>> interface but that the interface has a default route. It will always
>> use the "primary" or default IP on the other end. You can probably see
>> this effect even on a private network provided all the aliases route
>> through the same gateway. You will not be able to see this effect
>> using aliases on the loopback AFAIK.
>>
>>> You don't say what version you're running. I can try and recreate it
>>> on another version.
>>>
>> It doesn't matter, it's a very basic network issue with aliases in
>> FreeBSD, Linux and other OSs. Look here:
>>
>> http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour
>>
>> I would like to know how people deal with this on FBSD
>>
>
> Okay, I'm trying here. I tried to recreate it thus:
>
> b1# ifconfig
>
> bge0: flags=8843 metric 0 mtu 1500
>         options=8009b
>         ether 00:21:9b:fd:30:8b
>         inet xx.yy.41.196 netmask 0xffffffc0 broadcast xx.yy.41.255
>         inet xx.yy.41.197 netmask 0xffffffff broadcast xx.yy.41.197
>         inet xx.yy.41.198 netmask 0xffffffff broadcast xx.yy.41.198
>         inet xx.yy.41.199 netmask 0xffffffff broadcast xx.yy.41.199
>         inet xx.yy.41.200 netmask 0xffffffff broadcast xx.yy.41.200
>         inet xx.yy.41.201 netmask 0xffffffff broadcast xx.yy.41.201
>         inet xx.yy.41.202 netmask 0xffffffff broadcast xx.yy.41.202
>         inet xx.yy.41.203 netmask 0xffffffff broadcast xx.yy.41.203
>         inet xx2.yy2.76.62 netmask 0xffffffc0 broadcast xx2.yy2.76.63
>         inet xx.yy.41.207 netmask 0xffffffff broadcast xx.yy.41.207
>         inet xx.yy.41.206 netmask 0xffffffff broadcast xx.yy.41.206
>         media: Ethernet autoselect (100baseTX )
>         status: active
>
> Then:
>
> b1# ssh -b xx.yy.41.197 b2 -l myname
>
> Open new session and...
>
> b1# ssh -b xx.yy.41.198 b2 -l myname
>
> Open new session and...
>
> b1# ssh -b xx.yy.41.199 b2 -l myname
>
> And so on....
>
> Then on b2:
>
> b2# w -n
>  9:43AM  up 803 days, 22:47, 5 users, load averages: 0.07, 0.06, 0.02
> USER    TTY  FROM                   LOGIN@  IDLE WHAT
> myname  p0   ns0.domainname.org.uk  9:28AM    14 -csh (csh)
> myname  p1   ns1.domainname.net     9:29AM    14 -csh (csh)
> myname  p5   xx.yy.41.199           9:29AM    13 -csh (csh)
> myname  p6   xx.yy.41.201           9:30AM     - w -n
> myname  p7   xx.yy.41.207           9:30AM    11 -csh (csh)
>
> The only problem I can see there is that the -n option isn't working
> on w! I'll look into that. The reverse lookups match the IP addresses
> dialled in on. b2 has the same sshd bound to all IP addresses,
> incidentally. b1 has more than one interface, but all the IP addresses
> I used are on the same one.
>
> My guess, if you're not getting this, is that you're configuring the
> aliases in a different way, so the output of ipconfig might help, even
> if it just convinces me the netmask is correct and stops me worrying.
> I've obviously obfuscated the first part of mine.
>
> Or have I misunderstood the problem?
>
> Regards, Frank.

P.S. Just for completeness:

b1# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            xx.yy.41.193       UGS    112374 7203472736   bge0

The default route does go through that interface.
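An added example, not part of the thread above and not FreeBSD project code: a POSIX shell script that parses ifconfig(8) and netstat -r output of the shape shown in the message and reports which address on the default-route interface is the primary one (the one Alejandro says the kernel will use as the source for outbound connections that do not bind an address explicitly) versus the /32 aliases. The function names and both samples are my own constructions, using RFC 5737 documentation addresses in place of the obfuscated xx.yy ones; the primary/alias distinction it encodes is the FreeBSD convention that same-subnet aliases are configured with netmask 0xffffffff, exactly as in the ifconfig listing above.

```shell
#!/bin/sh
# Added example, not from the thread: classify the inet addresses on a
# FreeBSD interface as primary vs. /32 alias and predict the default
# outbound source address. All sample output below is constructed.

SAMPLE_IFCONFIG='bge0: flags=8843 metric 0 mtu 1500
        options=8009b
        ether 00:00:5e:00:53:01
        inet 203.0.113.196 netmask 0xffffffc0 broadcast 203.0.113.255
        inet 203.0.113.197 netmask 0xffffffff broadcast 203.0.113.197
        inet 203.0.113.198 netmask 0xffffffff broadcast 203.0.113.198
        inet 198.51.100.62 netmask 0xffffffc0 broadcast 198.51.100.63
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags    Refs        Use  Netif Expire
default            203.0.113.193      UGS    112374 7203472736   bge0
203.0.113.192/26   link#1             U           0          0   bge0
127.0.0.1          link#2             UH          0          0    lo0'

# inet_addrs IFACE: read ifconfig output on stdin, print "addr netmask kind"
# for every IPv4 address on IFACE. kind is "alias" when the netmask is
# 0xffffffff (how FreeBSD expects same-subnet aliases to be configured)
# and "primary" otherwise.
inet_addrs() {
    awk -v want="$1" '
        { c = substr($0, 1, 1) }
        c != " " && c != "\t" && NF > 0 { cur = $1; sub(/:$/, "", cur) }  # "bge0:" header
        cur == want && $1 == "inet" {
            kind = ($4 == "0xffffffff") ? "alias" : "primary"
            print $2, $4, kind
        }'
}

# primary_addrs IFACE: only the primary address(es), one per line.
primary_addrs() {
    inet_addrs "$1" | awk '$3 == "primary" { print $1 }'
}

# default_route: read netstat -r output on stdin, print "gateway netif"
# for the default route (columns 2 and 6 of the Internet table).
default_route() {
    awk '$1 == "default" { print $2, $6; exit }'
}

# expected_source_addr IFCONFIG_TEXT NETSTAT_TEXT: the primary address on the
# default-route interface whose subnet contains the default gateway. That is
# the address the kernel associates with the route, and so (per the thread)
# the source used by outbound connections that do not bind one (ssh -b etc.).
expected_source_addr() {
    route=$(printf '%s\n' "$2" | default_route)
    gw=${route%% *}
    ifc=${route##* }
    printf '%s\n' "$1" | inet_addrs "$ifc" | awk -v gw="$gw" '
        function ip2n(s,   o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        function hex2n(h,  i, n) {               # "0xffffffc0" -> 4294967232
            n = 0; h = tolower(substr(h, 3))
            for (i = 1; i <= length(h); i++)
                n = n*16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return n
        }
        $3 == "primary" {
            hostsize = 4294967296 - hex2n($2)    # 2^(32-prefixlen) for a contiguous mask
            if (int(ip2n($1) / hostsize) == int(ip2n(gw) / hostsize)) { print $1; exit }
        }'
}

# Demo when run directly: list bge0 addresses, then the predicted source.
printf '%s\n' "$SAMPLE_IFCONFIG" | inet_addrs bge0
printf 'expected outbound source: %s\n' "$(expected_source_addr "$SAMPLE_IFCONFIG" "$SAMPLE_NETSTAT")"
```

On a real host, pipe `ifconfig` and `netstat -rn` into the functions instead of the samples. The reason a defender wants this check before writing per-address firewall rules or reading remote logs: if a jailed service is expected to talk out from its alias but the host's primary address is what actually leaves the box, rules keyed on the alias never match and the far end records the wrong peer. Forcing a specific alias is what `ssh -b` does in the message above; an application without such a bind option gets the primary address the script predicts.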