From owner-freebsd-current@freebsd.org Fri Mar 23 16:14:21 2018
Subject: Re: two NIC's in a jail
From: Joerg Surmann
To: Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD-Jail
Cc: freebsd-current@freebsd.org
Date: Fri, 23 Mar 2018 17:14:14 +0100
Message-ID: <78112343-662e-7890-f5ee-668fda23b834@elektropost.org>
In-Reply-To: <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz>
References: <63ecbccc-48e2-4c67-fbf5-0a73094f29be@elektropost.org> <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz> <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz>
List-Id: Discussions about the use of FreeBSD-current
tail -f /var/log/httpd-access.log
192.168.100.2 - - [23/Mar/2018:13:12:10 +0000] "OPTIONS * HTTP/1.0" 200 -
192.168.100.2 - - [23/Mar/2018:15:12:02 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:07 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:08 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:09 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:37 +0000] "GET / HTTP/1.1" 302 209
213.70.80.92 - - [23/Mar/2018:15:35:44 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:45 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:46 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:58:05 +0000] "GET / HTTP/1.1" 302 209

tail -f /var/log/httpd-error.log
[Fri Mar 23 12:08:18.142835 2018] [mpm_prefork:notice] [pid 18904] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations
[Fri Mar 23 12:08:18.142925 2018] [core:notice] [pid 18904] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Fri Mar 23 12:30:19.005654 2018] [mpm_prefork:notice] [pid 18904] AH00169: caught SIGTERM, shutting down
[Fri Mar 23 12:31:11.111900 2018] [ssl:warn] [pid 2542] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 23 12:31:11.847515 2018] [mpm_prefork:notice] [pid 2542] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations
[Fri Mar 23 12:31:11.847589 2018] [core:notice] [pid 2542] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Fri Mar 23 15:32:08.238227 2018] [mpm_prefork:notice] [pid 2542] AH00169: caught SIGTERM, shutting down
[Fri Mar 23 15:32:08.414689 2018] [ssl:warn] [pid 40920] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 23 15:32:08.716943 2018] [mpm_prefork:notice] [pid 40920] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations
[Fri Mar 23 15:32:08.717018 2018] [core:notice] [pid 40920] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'

jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     2  apache24                      /usr/jails/apache24
        apache24                      ACTIVE
        3
        192.168.100.2
        213.70.80.92

jls -s
devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2 name=apache24 osreldate=1101001 osrelease=11.1-RELEASE path=/usr/jails/apache24 nopersist securelevel=-1 sysvmsg=disable sysvsem=disable sysvshm=disable allow.nochflags allow.mount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0 host.domainname="" host.hostid=0 host.hostname=apache24 host.hostuuid=00000000-0000-0000-0000-000000000000

On 23.03.2018 at 16:58, Miroslav Lachman wrote:
> Joerg Surmann wrote on 2018/03/23 16:45:
>> Thanks for the reply.
>>
>> netstat -an | egrep 'tcp4.*80 .*LISTEN'
>> says:
>> netstat: kvm not available: /dev/mem No such file or directory <- is inside a jail.
>> tcp4       0      0 *.80                   *.*                    LISTEN
>>
>> grep -i Listen /usr/local/etc/apache24/httpd.conf
>>
>> Listen 80
>> Listen 443
>>
>> From the internal IP there is no problem.
>> You are right. I'm not sure on which IPs Apache is listening.
>>
>> I have changed the Listen directive to the external IP in httpd.conf
>> Listen 213.70.80.92:80
>>
>> netstat -an | egrep 'tcp4.*80 .*LISTEN'
>> now says:
>> tcp4       0      0 213.70.80.92:80        *.*                    LISTEN
>>
>> But Apache is not available from the Internet.
>> From the intranet... no problem.
>>
>> When I use tcpdump on the host I can see traffic.
>>
>> What's wrong?
>
> That's strange.
>
> Listen 80 and Listen 443 are OK, it is the same as
>   Listen *:80
>   Listen *:443
> and as you see with netstat, Apache was listening on both IPs:
>   *.80        *.*        LISTEN
>
> Do you have something listening on port 80 in the host?
>
> What does netstat show in the host?
>
> Also check Apache log files. If you didn't configure a virtual host, then you have just these two log files:
> /var/log/httpd-access.log
> /var/log/httpd-error.log
>
> Use tail and then try to access your website from the internet
>
> # tail -f /var/log/httpd-*.log
>
> Please send what "jls -v" in the host will show you (there should be 2 IPs for your jail) or "jls -s" (replace any sensitive information if you want)
>
> And move this discussion to the proper mailing list:
>   freebsd-jail@FreeBSD.org
>
> Miroslav Lachman
>
>
>> On 23.03.2018 at 16:07, Miroslav Lachman wrote:
>>> Joerg Surmann wrote on 2018/03/23 13:49:
>>>> Hi all,
>>>>
>>>> I have a problem understanding how to manage 2 networks inside a jail.
>>>>
>>>> I have created a jail (using ezjail) with an alias IP.
>>>> in rc.conf (on host):
>>>>
>>>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>>>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this is the jail IP
>>>>
>>>> Inside the jail apache24 is running.
>>>>
>>>> Now I add a new NIC to the system.
>>>> in rc.conf (on host):
>>>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>>>
>>>> in /usr/local/etc/ezjail/myjail.conf:
>>>> I add the new IP
>>>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>>>
>>>> Restart the jail and ifconfig looks fine.
>>>> vmx0 -> inet 192.168.100.2
>>>> em0  -> inet 213.70.80.92
>>>>
>>>> Apache listens on all NICs ()
>>>> But I can see my website only via 192.168.100.2 from the internal network.
>>>>
>>>> The host is behind a firewall.
>>>> The IP 213.70.80.92 is enabled for incoming traffic.
>>>>
>>>> When I enter the hostname in a browser I get "connection timeout".
>>>>
>>>> What needs to be done so that the host is accessible from the Internet?
>>>
>>> Are you sure Apache is listening on both IPs?
>>>
>>> What does netstat say?
>>>
>>> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>>
>>> Also check what you have in httpd.conf for the Listen directive
>>>
>>> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>>>
>>> I am not using ezjail, I am using jail.conf
>>>
>>> costa {
>>>          host.hostname   = "costa.example.com";
>>>          ip4.addr        = AA.BB.CCC.DDD;
>>>          ip4.addr       += 192.168.222.57;
>>> }
>>>
>>> Real IP was replaced with AA.BB.CCC.DDD
>>>
>>> And it works. Services inside the jail must be listening on both IPs or wildcard * (0.0.0.0)
>>>
>>> And be sure to disable host services listening on IPs and ports you want to be served from the jail.
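The checks Miroslav asks for above (is a listener inside the jail covering each of the jail's IPs, and does the host have something bound to the same port?) can be automated by cross-referencing `jls -v` with `netstat -an` from both sides. The script below is an added example written for this thread; it is not code from the thread, from ezjail or from FreeBSD. The `jls -v` and `netstat -an` text it embeds is constructed to mirror what the thread shows (the wildcard case before the `Listen` change and the pinned `213.70.80.92` case after it), and all function names are this example's own. In practice you would feed it the real output of those commands run in the jail and on the host.

```python
"""Cross-check a jail's IPs (jls -v) against LISTEN sockets (netstat -an).

Added example for this thread, not FreeBSD or ezjail code. All embedded
command output is constructed; run the real commands to get live data.
"""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str   # tcp4, tcp6 or tcp46 as netstat prints it
    addr: str    # "*" for a wildcard bind, otherwise the bound address
    port: int


# One LISTEN row of `netstat -an`: proto recv-q send-q local foreign state
LISTEN_RE = re.compile(r"^(tcp4|tcp6|tcp46)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN$")
# First line of a `jls -v` record: JID, hostname, path
JID_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s*$")


def split_local(local: str) -> tuple[str, int]:
    """FreeBSD netstat prints 'addr.port' ('*.80', '213.70.80.92.80'); people
    often paste 'addr:port', so accept either separator before the port."""
    for sep in (".", ":"):
        addr, _, port = local.rpartition(sep)
        if port.isdigit():
            return addr, int(port)
    raise ValueError(f"cannot parse local address {local!r}")


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Keep only LISTEN rows; headers and established connections are skipped."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr, port = split_local(m.group(2))
            found.append(Listener(m.group(1), addr, port))
    return found


def parse_jls_v(jls_output: str) -> dict[int, list[str]]:
    """Map JID -> IPs; in `jls -v` every IP sits on its own line after the
    JID/hostname/path line of its record (name, state, cpuset lines are skipped)."""
    jails: dict[int, list[str]] = {}
    current = None
    for line in jls_output.splitlines():
        m = JID_RE.match(line)
        if m:
            current = int(m.group(1))
            jails[current] = []
            continue
        token = line.strip()
        if current is None or not token:
            continue
        try:
            ipaddress.ip_address(token)   # anything that is not an IP raises
        except ValueError:
            continue
        jails[current].append(token)
    return jails


def serves(listener: Listener, ip: str, port: int) -> bool:
    """True if the listener is bound to `ip` or to the wildcard of the
    matching address family (tcp46 covers both families)."""
    family = "tcp6" if ":" in ip else "tcp4"
    return (listener.port == port
            and listener.proto in (family, "tcp46")
            and listener.addr in ("*", ip))


def check_port(jail_ips, jail_listeners, host_listeners, port):
    """Return ({jail_ip: covered inside the jail}, [host listeners that would
    claim the same port on one of the jail's IPs])."""
    coverage = {ip: any(serves(l, ip, port) for l in jail_listeners) for ip in jail_ips}
    conflicts = [l for l in host_listeners if any(serves(l, ip, port) for ip in jail_ips)]
    return coverage, conflicts


# Constructed samples modelled on the thread (not captured output).
JLS_V = """\
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     2  apache24                      /usr/jails/apache24
        apache24                      ACTIVE
        3
        192.168.100.2
        213.70.80.92
"""
NETSTAT_HDR = "Proto Recv-Q Send-Q Local Address          Foreign Address        (state)\n"
JAIL_WILDCARD = NETSTAT_HDR + "tcp4       0      0 *.80                   *.*                    LISTEN\n"
JAIL_PINNED = NETSTAT_HDR + "tcp4       0      0 213.70.80.92.80        *.*                    LISTEN\n"
HOST_CLEAN = NETSTAT_HDR + "tcp4       0      0 *.22                   *.*                    LISTEN\n"
HOST_BUSY = HOST_CLEAN + "tcp4       0      0 *.80                   *.*                    LISTEN\n"

if __name__ == "__main__":
    ips = parse_jls_v(JLS_V)[2]
    for label, jail, host in (("wildcard", JAIL_WILDCARD, HOST_CLEAN), ("pinned", JAIL_PINNED, HOST_BUSY)):
        print(label, check_port(ips, parse_listeners(jail), parse_listeners(host), 80))
```

With the wildcard `Listen 80` both jail IPs come back covered and the host shows no conflict, which matches Miroslav's reading of the first netstat output; pinning `Listen 213.70.80.92:80` drops coverage of 192.168.100.2, and a host daemon on `*.80` is reported as a conflict for both jail IPs. A clean result from this check narrows the remaining suspects to the path between the Internet and the jail IP (firewall, routing, the `jls -s` jail parameters), which is exactly where the thread was heading.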