Date: Fri, 23 Mar 2018 16:51:21 +0100
From: Joerg Surmann <joerg_surmann@elektropost.org>
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-current@freebsd.org
Subject: Re: two NIC's in a jail
Message-ID: <0960a59d-ec5d-5ad1-9132-cc8a68f92adf@elektropost.org>
In-Reply-To: <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz>
References: <63ecbccc-48e2-4c67-fbf5-0a73094f29be@elektropost.org> <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz>

Thanks for the reply.

netstat -an | egrep 'tcp4.*80 .*LISTEN' says:

netstat: kvm not available: /dev/mem No such file or directory   <- is inside a jail.
tcp4       0      0 *.80                   *.*                    LISTEN

grep -i Listen /usr/local/etc/apache24/httpd.conf
Listen 80
Listen 443

From the internal IP there is no problem.

You are right. I'm not sure on which IPs Apache is listening.
I have changed the Listen directive to the external IP in httpd.conf:

Listen 213.70.80.92:80

netstat -an | egrep 'tcp4.*80 .*LISTEN' now says:

tcp4       0      0 213.70.80.92:80        *.*                    LISTEN

But Apache is not available from the Internet.
From the intranet... no problem.

When I use tcpdump on the host I can see traffic.

What's wrong?

On 23.03.2018 at 16:07, Miroslav Lachman wrote:
> Joerg Surmann wrote on 2018/03/23 13:49:
>> Hi all,
>>
>> I have a problem understanding how to manage 2 networks inside a jail.
>>
>> I have created a jail (using ezjail) with an alias IP.
>> in rc.conf (on host):
>>
>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this is the jail IP
>>
>> Inside the jail apache24 is running.
>>
>> Now I have added a new NIC to the system.
>> in rc.conf (on host):
>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>
>> in /usr/local/etc/ezjail/myjail.conf:
>> I added the new IP
>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>
>> Restarted the jail and ifconfig looks fine.
>> vmx0 -> inet 192.168.100.2
>> em0  -> inet 213.70.80.92
>>
>> Apache listens on all NICs (<VirtualHost *:80>)
>> But I can see my website only via 192.168.100.2 from the internal network.
>>
>> The host is behind a firewall.
>> The IP 213.70.80.92 is enabled for incoming traffic.
>>
>> When I enter the hostname in a browser I get "connection Timeout".
>>
>> What do I have to do so that the host is accessible from the Internet?
>
> Are you sure Apache is listening on both IPs?
>
> What does netstat say?
>
> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>
> Also check what you have in httpd.conf for the Listen directive
>
> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>
> I am not using ezjail, I am using jail.conf
>
> costa {
>         host.hostname   = "costa.example.com";
>         ip4.addr        = AA.BB.CCC.DDD;
>         ip4.addr       += 192.168.222.57;
> }
>
> The real IP was replaced with AA.BB.CCC.DDD
>
> And it works. Services inside the jail must be listening on both IPs or
> wildcard * (0.0.0.0)
>
> And be sure to disable the host's services from listening on IPs and ports you
> want to be served from the jail.
>
> Miroslav Lachman

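
Added example (not part of the original message or of either poster's setup): a sh/awk check of the condition stated in the reply, that a service in the jail must listen on each jail IP or on the wildcard. The helper names listen_coverage and uncovered are hypothetical, the two sample lines are constructed from the netstat output quoted in the thread, and the parser accepts either "." or ":" before the port.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -an` output on stdin and
# reports, per IP given as argument, how a tcp4 LISTEN socket on PORT covers it:
#   specific = bound to that IP, wildcard = bound to *, none = not covered.
# Typical use inside the jail:
#   netstat -an | listen_coverage 80 192.168.100.2 213.70.80.92
listen_coverage() {
    port=$1; shift
    awk -v port="$port" -v ips="$*" '
        $1 ~ /^tcp4/ && $NF == "LISTEN" {
            laddr = $4
            # Split "addr.port" or "addr:port" at the last separator.
            n = match(laddr, /[.:][0-9]+$/)
            if (n == 0) next
            if ((substr(laddr, n + 1) "") != (port "")) next
            seen[substr(laddr, 1, n - 1)] = 1
        }
        END {
            k = split(ips, want, " ")
            for (i = 1; i <= k; i++) {
                state = "none"
                if (want[i] in seen) state = "specific"
                else if ("*" in seen) state = "wildcard"
                print want[i], state
            }
        }'
}

# Print only the IPs that no listener on PORT covers.
uncovered() {
    listen_coverage "$@" | awk '$2 == "none" { print $1 }'
}

# Constructed samples: "Listen 80" and "Listen 213.70.80.92:80" as quoted above.
SAMPLE_WILDCARD='tcp4       0      0 *.80                   *.*                    LISTEN'
SAMPLE_BOUND='tcp4       0      0 213.70.80.92:80        *.*                    LISTEN'

printf '%s\n' "$SAMPLE_WILDCARD" | listen_coverage 80 192.168.100.2 213.70.80.92
printf '%s\n' "$SAMPLE_BOUND"    | listen_coverage 80 192.168.100.2 213.70.80.92
```

Run against the host's own `netstat -an` with the jail's IPs as arguments, the same function shows whether a host service is listening on an address and port meant to be served from the jail.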
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0960a59d-ec5d-5ad1-9132-cc8a68f92adf>