Date: Fri, 23 Mar 2018 16:45:32 +0100
From: Joerg Surmann <joerg_surmann@elektropost.org>
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-current@freebsd.org
Subject: Re: two NIC's in a jail
Message-ID: <bb02401b-e43b-7800-5a15-025636a2971f@elektropost.org>
In-Reply-To: <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz>
References: <63ecbccc-48e2-4c67-fbf5-0a73094f29be@elektropost.org> <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz>

Thanks for the reply.

netstat -an | egrep 'tcp4.*80 .*LISTEN'
says:
netstat: kvm not available: /dev/mem No such file or directory <- is inside a jail.
tcp4    0        0 *.80        *.*        LISTEN

grep -i Listen /usr/local/etc/apache24/httpd.conf
Listen 80
Listen 443

From the internal IP there is no problem.

You are right. I'm not sure on which IPs Apache is listening.
I have changed the Listen directive to the external IP in httpd.conf

Listen 213.70.80.92:80

netstat -an | egrep 'tcp4.*80 .*LISTEN'
now says:
tcp4    0        0  213.70.80.92:80        *.*        LISTEN

But Apache is not available from the Internet.
From the intranet... no problem.

When I use tcpdump on the host I can see traffic.

What's wrong?

On 23.03.2018 at 16:07, Miroslav Lachman wrote:
> Joerg Surmann wrote on 2018/03/23 13:49:
>> Hi all,
>>
>> I have a problem understanding how to manage 2 networks inside a jail.
>>
>> I have created a jail (using ezjail) with an alias IP.
>> in rc.conf (on Host):
>>
>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this is the jail ip
>>
>> Inside the jail apache24 is running.
>>
>> Now I add a new NIC to the system.
>> in rc.conf (on Host):
>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>
>> in /usr/local/etc/ezjail/myjail.conf:
>> I add the new IP
>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>
>> Restart the jail and ifconfig looks fine.
>> vmx0 -> inet 192.168.100.2
>> em0  -> inet 213.70.80.92
>>
>> Apache listens on all NICs (<VirtualHost *:80>)
>> But I can see my website only via 192.168.100.2 from the internal network.
>>
>> The host is behind a firewall.
>> The IP 213.70.80.92 is enabled for incoming traffic.
>>
>> When I give the hostname in a browser I get "connection Timeout".
>>
>> What is to do that the host is accessible from the Internet?
>
> Are you sure Apache is listening on both IPs?
>
> What does netstat say?
>
> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>
> Also check what you have in httpd.conf for the Listen directive
>
> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>
> I am not using ezjail, I am using jail.conf
>
> costa {
>         host.hostname   = "costa.example.com";
>         ip4.addr        = AA.BB.CCC.DDD;
>         ip4.addr       += 192.168.222.57;
> }
>
> Real IP was replaced with AA.BB.CCC.DDD
>
> And it works. Services inside the jail must be listening on both IPs or
> wildcard * (0.0.0.0)
>
> And be sure to disable host services listening on the IPs and ports you
> want to be served from the jail.
>
> Miroslav Lachman
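
The check suggested in the quoted reply (is something listening on every jail IP for the port in question?) can be scripted. The following is an added example, not part of either poster's message: the function name `uncovered_ips` and the sample netstat lines are constructed for illustration, and the parser accepts both the `addr.port` form and the `addr:port` form shown in the message above.

```sh
#!/bin/sh
# Added example: list the jail IPs that have NO TCP listener on a port.
# Reads `netstat -an` text on stdin. A wildcard listener (*.PORT) covers
# every address assigned to the jail.

# usage: netstat -an | uncovered_ips PORT IP [IP...]
uncovered_ips() {
    port=$1; shift
    awk -v port="$port" -v ips="$*" '
        BEGIN { n = split(ips, want, " ") }
        $1 ~ /^tcp4/ && $NF == "LISTEN" {
            laddr = $4
            p = laddr
            sub(/^.*[.:]/, "", p)            # port follows the last "." or ":"
            if (p != port) next
            addr = substr(laddr, 1, length(laddr) - length(p) - 1)
            if (addr == "*") wild = 1        # wildcard bind
            bound[addr] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!wild && !(want[i] in bound)) print want[i]
        }'
}

# Constructed sample: httpd.conf with "Listen 80" / "Listen 443".
sample_wildcard() { cat <<'EOF'
netstat: kvm not available: /dev/mem No such file or directory
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.443                  *.*                    LISTEN
EOF
}

# Constructed sample: httpd.conf with "Listen 213.70.80.92:80" only.
sample_single() { cat <<'EOF'
tcp4       0      0 213.70.80.92:80        *.*                    LISTEN
EOF
}

JAIL_IPS="192.168.100.2 213.70.80.92"
echo "wildcard Listen: uncovered = [$(sample_wildcard | uncovered_ips 80 $JAIL_IPS)]"
echo "single Listen:   uncovered = [$(sample_single | uncovered_ips 80 $JAIL_IPS)]"
```

Run on the host as well as inside the jail: a host service listening on a jail IP and port shows up there, which is the second point of the quoted reply.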
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bb02401b-e43b-7800-5a15-025636a2971f>