From: Damien Fleuriot <ml@my.gd>
Date: Wed, 30 Nov 2011 18:55:59 +0100
To: bsd
Cc: freebsd-questions@FreeBSD.org
Subject: Re: Problem with jail network
Message-ID: <4ED66E2F.4000401@my.gd>

On 11/30/11 6:52 PM, bsd wrote:
> On 30 Nov 2011 at 18:36, Damien Fleuriot wrote:
>
>> On 11/30/11 6:29 PM, bsd wrote:
>>> On 30 Nov 2011 at 17:17, Damien Fleuriot wrote:
>>>
>>>> On 11/30/11 5:05 PM, bsd wrote:
>>>>> Hi,
>>>>>
>>>>> I have been configuring a jail system using the howto provided here: http://www.freebsd.org/doc/handbook/jails-application.html
>>>>>
>>>>> The jail is now correctly starting, but I can't seem to use the network stack.
>>>>>
>>>>>> root@master 16:52:55 ~ -> jls
>>>>>>    JID  IP Address      Hostname      Path
>>>>>>      1  xx.216.yy.150   n0.no.no      /jail/j/n0
>>>>>
>>>>> But I can't ping, neither outside of the jail nor inside of it.
>>>>>
>>>>> I am a bit confused because I don't know if I have to configure the IP using an alias on the main Eth interface, or do something else.
>>>>>
>>>>>> ifconfig_bce0_alias0="inetxx.216.yy.150/32"
>>>>>
>>>>> This last command seems to have frozen my system.
>>>>>
>>>> Confirm that the MISSING SPACE between your "inet" and "xxx.216..."
>>>> statements is only a typo and NOT present in your actual rc.conf
>>>>
>>> This is confirmed.
>>>
>>> I have the equivalent of:
>>>
>>> ifconfig_bce0_alias0="inet 1.2.3.4/32"
>>>
>> AFAIK, unless you allow raw sockets, you will not be able to ping from
>> the jail.
>>
>> Find below the conf I successfully used, a long time ago, for a jail
>> hosting DNS.
>>
>> This is from my rc.conf on the host system.
>>
>> ### JAILS
>> jail_enable="NO"
>> jail_set_hostname_allow="NO"
>> jail_list="ns"
>> jail_ns_interface="lo53"
>> jail_ns_ip="192.168.0.53,2001:41d0:2:613b::53/56"
>> jail_ns_hostname="ns.my.gd"
>> # fec0:[interface index]::[damien fleuriot]:[interface number]
>> # example: fec0:5::df:252 for loopback interface lo252
>> jail_ns_rootdir="/var/jail/ns"
>> jail_ns_devfs_enable="YES"
>> #jail_ns_devfs_ruleset="devfsrules_jail_ns"
>>
>> You will notice this creates a lo53 (loopback) interface with private
>> IPv4 and IPv6 addresses.
>>
>> I then used PF to redirect DNS queries to this jail.
>
> I don't want the IP to be redirected, I would like the jail to have its own IP.
> Redirection would probably involve a NAT on your main IP to the IP of the jail, which is something I would like to avoid.
>
> Did you use something like the aforementioned ifconfig alias to give the IP to your jail?
>
> ifconfig_bce0_alias0="inet 1.2.3.4/32"
>
> What bothers me is that I am not able to ping from the outside either… ??
>
> And I can't install any ports because I don't have any network available inside the jail.
>

Nope, I used the loopback interface.

Again, for pings to work, AFAIK, you need to enable raw sockets within
the jail.

security.jail.allow_raw_sockets=1
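An added example, not part of the thread: the host-side rc.conf for the setup the original poster is after, a jail that owns its own address on bce0 rather than a loopback alias behind a PF redirect, written in the same jail_* rc.conf style as the ns jail quoted above, plus a small pre-flight check for the "nothing works from inside the jail" symptom. The jail name, hostname, path and interface come from the jls output in the thread; the host's primary address 192.0.2.10/24, the router 192.0.2.1, and 192.0.2.150 standing in for the masked xx.216.yy.150 are assumptions (all from the 192.0.2.0/24 documentation range).

```shell
#!/bin/sh
# Added example, not from the thread. Host-side /etc/rc.conf for a jail "n0"
# with its own public address on bce0, then a pre-flight check that reads the
# output of sysctl(8) and ifconfig(8) and says which prerequisite is missing.
#
# Assumptions (not in the thread): host primary address 192.0.2.10/24,
# default router 192.0.2.1, and 192.0.2.150 in place of the masked
# xx.216.yy.150 from the post.

# --- /etc/rc.conf on the host (rc.conf is sourced by sh, so this is valid sh) ---
ifconfig_bce0="inet 192.0.2.10 netmask 255.255.255.0"
defaultrouter="192.0.2.1"

jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="n0"
jail_n0_rootdir="/jail/j/n0"
jail_n0_hostname="n0.no.no"
# With jail_n0_interface set, rc.d/jail configures jail_n0_ip on bce0 as an
# alias when the jail starts and removes it when it stops, so a separate
# ifconfig_bce0_alias0 line is not needed. A second address on the primary's
# own subnet is added as a /32 alias, which is why the post's
# "inet 1.2.3.4/32" form is the right one when the alias is done by hand.
jail_n0_interface="bce0"
jail_n0_ip="192.0.2.150"
jail_n0_devfs_enable="YES"

# --- /etc/sysctl.conf on the host ---
# ping(8) and traceroute(8) need raw sockets, which jails deny by default:
#     security.jail.allow_raw_sockets=1
# (at run time: sysctl security.jail.allow_raw_sockets=1). This switch is
# global to every jail on the host and widens what root inside a compromised
# jail can do with the network, so it is normally left at 0 and turned on only
# while debugging. A failing ping does not by itself mean the jail has no
# network: check a TCP port with fetch(8) or telnet(1) from inside the jail.

# Pre-flight check. $1 is the output of `sysctl security.jail.allow_raw_sockets`,
# $2 the output of `ifconfig bce0`. Prints one line per finding. Returns 1 when
# the jail's address is not on the interface (the jail cannot be reached at
# all); the raw-sockets line is informational and does not change the status.
jail_net_precheck() {
    sysctl_out=$1
    ifconfig_out=$2
    rc=0
    case "$ifconfig_out" in
        *"inet $jail_n0_ip "*) ;;
        *) echo "missing: $jail_n0_ip is not configured on $jail_n0_interface"; rc=1 ;;
    esac
    case "$sysctl_out" in
        "security.jail.allow_raw_sockets: 1") ;;
        *) echo "note: raw sockets disabled; ping(8) will fail inside the jail even when TCP/UDP work" ;;
    esac
    return $rc
}

# Usage on the host (output shown only when something is off):
#   jail_net_precheck "$(sysctl security.jail.allow_raw_sockets)" "$(ifconfig bce0)"
```

Later releases expose the same knob per jail as the allow.raw_sockets parameter of jail(8), which is the better choice when only one jail needs ICMP tools; the global sysctl above is the one the thread refers to.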