From: Joerg Surmann
To: Miroslav Lachman <000.fbsd@quip.cz>, freebsd-current@freebsd.org
Subject: Re: two NIC's in a jail
Date: Fri, 23 Mar 2018 16:51:21 +0100
Message-ID: <0960a59d-ec5d-5ad1-9132-cc8a68f92adf@elektropost.org>
In-Reply-To: <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz>
List-Id: Discussions about the use of FreeBSD-current

Thanks for the reply.

netstat -an | egrep 'tcp4.*80 .*LISTEN' says:

netstat: kvm not available: /dev/mem No such file or directory   <- is inside a jail.
tcp4       0      0 *.80                   *.*                    LISTEN

grep -i Listen /usr/local/etc/apache24/httpd.conf
Listen 80
Listen 443

From the internal IP there is no problem.
You are right. I'm not sure on which IPs Apache is listening.
I have changed the Listen directive to the external IP in httpd.conf:
Listen 213.70.80.92:80

netstat -an | egrep 'tcp4.*80 .*LISTEN' now says:
tcp4       0      0  213.70.80.92:80       *.*                    LISTEN

But Apache is not available from the Internet.
From the intranet... no problem.

When I use tcpdump on the host I can see traffic.
What's wrong?

On 23.03.2018 at 16:07, Miroslav Lachman wrote:
> Joerg Surmann wrote on 2018/03/23 13:49:
>> Hi all,
>>
>> I have a problem understanding how to manage 2 networks inside a jail.
>>
>> I have created a jail (using ezjail) with an alias IP.
>> In rc.conf (on the host):
>>
>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this is the jail IP
>>
>> Inside the jail, apache24 is running.
>>
>> Now I add a new NIC to the system.
>> In rc.conf (on the host):
>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>
>> In /usr/local/etc/ezjail/myjail.conf
>> I add the new IP:
>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>
>> Restart the jail and ifconfig looks fine.
>> vmx0 -> inet 192.168.100.2
>> em0  -> inet 213.70.80.92
>>
>> Apache listens on all NICs ()
>> But I can see my website only via 192.168.100.2 from the internal network.
>>
>> The host is behind a firewall.
>> The IP 213.70.80.92 is enabled for incoming traffic.
>>
>> When I enter the hostname in a browser I get "connection Timeout".
>>
>> What needs to be done so that the host is accessible from the Internet?
>
> Are you sure Apache is listening on both IPs?
>
> What does netstat say?
>
> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>
> Also check what you have in httpd.conf for the Listen directive
>
> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>
> I am not using ezjail, I am using jail.conf
>
> costa {
>         host.hostname   = "costa.example.com";
>         ip4.addr        = AA.BB.CCC.DDD;
>         ip4.addr       += 192.168.222.57;
> }
>
> Real IP was replaced with AA.BB.CCC.DDD
>
> And it works. Services inside the jail must be listening on both IPs or
> wildcard * (0.0.0.0)
>
> And be sure to disable the host's services listening on IPs and ports you
> want to be served from the jail.
>
> Miroslav Lachman
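
The check discussed in this message (does a listener on port 80 cover each of the jail's addresses?) written as a script. This is an added example, not part of the thread: listen_coverage is a hypothetical helper name, and the netstat lines are constructed sample input in FreeBSD's addr.port form (the addr:port form shown in the message is accepted as well).

```sh
#!/bin/sh
# Added example (not from the thread). listen_coverage is a hypothetical helper.
# Reads `netstat -an` output on stdin and reports, for each address given,
# whether a TCP4 listener on PORT covers it:
#   bound    - a socket is bound to exactly that address
#   wildcard - only a wildcard (*) socket covers it
#   MISSING  - nothing listens there; exit status becomes 1
# usage: netstat -an | listen_coverage PORT ADDR [ADDR...]
listen_coverage() {
    port=$1; shift
    awk -v port="$port" -v addrs="$*" '
        BEGIN { n = split(addrs, want, " "); wild = 0; rc = 0 }
        $1 == "tcp4" && $NF == "LISTEN" {
            laddr = $4
            # FreeBSD netstat prints addr.port; the mail shows addr:port.
            if (!match(laddr, /[.:][0-9]+$/)) next
            if (substr(laddr, RSTART + 1) != port) next   # exact port: 8080 is not 80
            a = substr(laddr, 1, RSTART - 1)
            if (a == "*") wild = 1; else bound[a] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                if (want[i] in bound) state = "bound"
                else if (wild) state = "wildcard"
                else { state = "MISSING"; rc = 1 }
                print want[i], state
            }
            exit rc
        }'
}

# Constructed sample input modelled on the two states described in the mail:
# first "Listen 80" (wildcard), then "Listen 213.70.80.92:80" (one address).
SAMPLE_WILDCARD='tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 *.8080                 *.*                    LISTEN'
SAMPLE_BOUND='tcp4       0      0 213.70.80.92.80        *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN'

printf '%s\n' "$SAMPLE_BOUND" |
    listen_coverage 80 192.168.100.2 213.70.80.92 ||
    echo "at least one jail address has no listener on port 80"
```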