From: Joerg Surmann
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-current@freebsd.org
Subject: Re: two NIC's in a jail
Date: Fri, 23 Mar 2018 16:45:32 +0100

Thanks for the reply.

netstat -an | egrep 'tcp4.*80 .*LISTEN'
says:
netstat: kvm not available: /dev/mem No such file or directory <- is inside a jail.
tcp4       0      0 *.80           *.*            LISTEN

grep -i Listen /usr/local/etc/apache24/httpd.conf
Listen 80
Listen 443

From the internal IP there is no problem.

You are right.
I'm not sure on which IPs Apache is listening.
I have changed the Listen directive to the external IP in httpd.conf:
Listen 213.70.80.92:80

netstat -an | egrep 'tcp4.*80 .*LISTEN'
now says:
tcp4       0      0 213.70.80.92:80        *.*            LISTEN

But Apache is not available from the Internet.
From the intranet... no problem.

When I use tcpdump on the host I can see traffic.

What's wrong?

On 23.03.2018 at 16:07, Miroslav Lachman wrote:
> Joerg Surmann wrote on 2018/03/23 13:49:
>> Hi all,
>>
>> I have a problem understanding how to manage 2 networks inside a jail.
>>
>> I have created a jail (using ezjail) with an alias IP.
>> in rc.conf (on host):
>>
>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0" <- this
>> is the jail IP
>>
>> Inside the jail apache24 is running.
>>
>> Now I add a new NIC to the system.
>> in rc.conf (on host):
>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>
>> in /usr/local/etc/ezjail/myjail.conf:
>> I add the new IP
>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>
>> Restart the jail and ifconfig looks fine.
>> vmx0 -> inet 192.168.100.2
>> em0  -> inet 213.70.80.92
>>
>> Apache listens on all NICs ()
>> But I can see my website only via 192.168.100.2 from the internal network.
>>
>> The host is behind a firewall.
>> The IP 213.70.80.92 is enabled for incoming traffic.
>>
>> When I enter the hostname in a browser I get "connection Timeout".
>>
>> What needs to be done so that the host is accessible from the Internet?
>
> Are you sure Apache is listening on both IPs?
>
> What does netstat say?
>
> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>
> Also check what you have in httpd.conf for the Listen directive
>
> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>
> I am not using ezjail, I am using jail.conf
>
> costa {
>         host.hostname   = "costa.example.com";
>         ip4.addr        = AA.BB.CCC.DDD;
>         ip4.addr       += 192.168.222.57;
> }
>
> Real IP was replaced with AA.BB.CCC.DDD
>
> And it works. Services inside the jail must be listening on both IPs or
> wildcard * (0.0.0.0)
>
> And be sure to disable the host's services from listening on IPs and ports you
> want to be served from the jail.
>
> Miroslav Lachman
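
The check discussed in the thread (a service in the jail must listen on each jail address or on the wildcard), as an added example that is not part of the original messages: it parses `netstat -an` output and reports which jail addresses a port-80 listener covers. The function name `check_listen` is hypothetical and the sample lines are constructed from the two outputs quoted above.

```shell
#!/bin/sh
# Added example: check which jail addresses a TCP listener covers.
# check_listen PORT ADDR...  reads `netstat -an` output on stdin.
# Exit status 0 if every ADDR is covered by a wildcard or exact bind, else 1.
check_listen() {
    port=$1; shift
    awk -v port="$port" -v addrs="$*" '
        $1 == "tcp4" && $NF == "LISTEN" {
            loc = $4
            # Local address is ADDR.PORT (FreeBSD netstat) or ADDR:PORT
            # (the form shown in the post); split at the last separator.
            n = match(loc, /[.:][0-9]+$/)
            if (n == 0 || substr(loc, n + 1) != port) next
            bound[substr(loc, 1, n - 1)] = 1
        }
        END {
            rc = 0
            k = split(addrs, a, " ")
            for (i = 1; i <= k; i++) {
                if (("*" in bound) || (a[i] in bound)) {
                    print a[i] " covered"
                } else {
                    print a[i] " NOT covered"
                    rc = 1
                }
            }
            exit rc
        }'
}

# Constructed sample lines modelled on the two netstat outputs in the thread.
SAMPLE_WILDCARD='tcp4       0      0 *.80                   *.*                    LISTEN'
SAMPLE_EXTERNAL='tcp4       0      0 213.70.80.92:80        *.*                    LISTEN'

printf '%s\n' "$SAMPLE_WILDCARD" | check_listen 80 192.168.100.2 213.70.80.92
printf '%s\n' "$SAMPLE_EXTERNAL" | check_listen 80 192.168.100.2 213.70.80.92 ||
    echo "at least one jail address has no listener on port 80"
```

Inside the jail, feed it live data with `netstat -an | check_listen 80 192.168.100.2 213.70.80.92`.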