From: doug@safeport.com
Date: Thu, 21 Feb 2013 14:00:17 -0500 (EST)
To: Shane Ambler
Cc: freebsd-questions@freebsd.org, Bernt Hansson
Subject: Re: jail and networking

On Thu, 21 Feb 2013, Shane Ambler wrote:

> It's been a while since I experimented with jails but I'm pretty sure it is
> the reason I changed my sshd_config
>
> When you start sshd on the base system by default it binds against 0.0.0.0
> and :: which is every ip4 and ip6 address configured on the base system,
> which includes the aliased ip's for your jails. This is represented by the
> *:22 from sockstat. When you start the jail it can't start sshd because the
> base already has that address/port in use.
>
> In /etc/ssh/sshd_config comment out the ListenAddress 0.0.0.0 and
> ListenAddress :: then add ListenAddress 10.0.0.3
>
> service sshd restart
>
> start your jail and try again
>
> The jail config is fine as the jail only sees the one ip address assigned to
> it.

This is what fixed the problem. From the jail man page, "... The following
frequently deployed services must have their individual configuration files
modified to limit the application to listening to a specific IP address ...".
It then specifically mentions ssh and sendmail.

The system I looked at runs seven jails fine without my having made that
change. I am not sure why I am getting away with this, but I also thank you
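
The check discussed in this thread, as an added example that is not part of the original messages: a small sh script that reports whether an sshd_config leaves the host sshd on the wildcard address, and which listeners in sockstat output show up as *:port. The function names and all sample data are constructed; the address 10.0.0.3 is the one from the thread, and the sockstat column layout (local address in the sixth column) is an assumption.

```shell
#!/bin/sh
# Added example: detect a host service bound to the wildcard address.
# Function names and all sample data are constructed for illustration.

# sshd_listen_mode FILE: print "wildcard" when sshd would listen on every host
# address (no active ListenAddress, or one set to 0.0.0.0 / ::); otherwise
# print each configured address. Handles the whitespace-separated form only.
sshd_listen_mode() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out directive
        tolower($1) == "listenaddress" {         # keyword is case-insensitive
            n++
            if ($2 == "::" || $2 ~ /^(0\.0\.0\.0|\[::\])(:[0-9]+)?$/) wild = 1
            addrs = addrs $2 "\n"
        }
        END {
            if (n == 0 || wild) print "wildcard"
            else printf "%s", addrs
        }
    ' "$1"
}

# wildcard_ports: read `sockstat -l` style output on stdin and print
# "command port" for each listener whose local address is "*:port".
# Assumes the local address is the sixth column.
wildcard_ports() {
    awk '$6 ~ /^\*:[0-9]+$/ { sub(/^\*:/, "", $6); print $2, $6 }' | sort -u
}

demo() {
    conf=$(mktemp)
    # Constructed config: both ListenAddress lines commented out.
    printf '%s\n' '#ListenAddress 0.0.0.0' '#ListenAddress ::' > "$conf"
    echo "before: $(sshd_listen_mode "$conf")"
    # The change from the thread: bind the host sshd to its own address.
    printf '%s\n' 'ListenAddress 10.0.0.3' >> "$conf"
    echo "after:  $(sshd_listen_mode "$conf")"
    rm -f "$conf"
    # Constructed sockstat lines: sshd on *:22, sendmail on loopback only.
    wildcard_ports <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp6   *:22                  *:*
root     sshd       1234  4  tcp4   *:22                  *:*
root     sendmail   800   3  tcp4   127.0.0.1:25          *:*
EOF
}

demo
```

On a live host, run `sshd_listen_mode /etc/ssh/sshd_config` and `sockstat -l | wildcard_ports` before starting the jails.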