From: Devin Teske <Devin.Teske@fisglobal.com>
To: 'Shane Ambler'
Cc: devin.teske@fisglobal.com, freebsd-questions@freebsd.org, 'Bernt Hansson'
Subject: RE: jail and networking
Date: Thu, 21 Feb 2013 11:22:00 -0800
Message-ID: <031701ce1068$baa82cf0$2ff886d0$@fisglobal.com>
List-Id: User questions <freebsd-questions@freebsd.org>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of doug@safeport.com
> Sent: Thursday, February 21, 2013 11:00 AM
> To: Shane Ambler
> Cc: freebsd-questions@freebsd.org; Bernt Hansson
> Subject: Re: jail and networking
>
> On Thu, 21 Feb 2013, Shane Ambler wrote:
>
> > It's been a while since I experimented with jails but I'm pretty sure it is
> > the reason I changed my sshd_config.
> >
> > When you start sshd on the base system by default it binds against 0.0.0.0
> > and :: which is every ip4 and ip6 address configured on the base system,
> > which includes the aliased ip's for your jails. This is represented by the
> > *:22 from sockstat. When you start the jail it can't start sshd because the
> > base already has that address/port in use.
> >
> > In /etc/ssh/sshd_config comment out the ListenAddress 0.0.0.0 and
> > ListenAddress :: then add ListenAddress 10.0.0.3
> >
> > service sshd restart
> >
> > start your jail and try again
> >
> > The jail config is fine as the jail only sees the one ip address assigned to
> > it.
>
> This is what fixed the problem. From the jail man page, "... The following
> frequently deployed services must have their individual configuration files
> modified to limit the application to listening to a specific IP address ...". It
> then specifically mentions ssh and sendmail.
>
> The system I looked at runs seven jails fine without my having made that change.
> I am not sure why I am getting away with this, but I also thank you.

What I find strange is that:

1. I knew about ListenAddress w/respect to jails, but...
2. We are not changing it (sshd_config has no ListenAddress -- leading to default values used), yet...
3. Base machine and jails both work fine.

Not sure when it's required versus not, because we're running fine without that change here with over a dozen jails. The only thing I've ever noticed is that we tend to use jail_NAME_ip="iface|addr" while most everybody else seems to be using jail_NAME_ip="addr".

--
Devin
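The wildcard-bind conflict Shane describes (host sshd on `*:22` shadowing the jails' aliased addresses) can be checked from `sockstat` output before a jail is started. The script below is an added example, not code from the thread: it parses constructed `sockstat -4 -l` samples for the "before" and "after" states of the `ListenAddress 10.0.0.3` fix; the function names `wildcard_listeners` and `jail_ssh_conflicts`, the PIDs and the jail IP 10.0.0.10 are assumptions.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4 -l` on the host BEFORE the fix:
# sshd uses the default (no ListenAddress) and binds the wildcard, shown
# as "*:22", which also claims every aliased jail address on port 22.
SOCKSTAT_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
root     syslogd    620   6  udp4   *:514                 *:*'

# Constructed sample AFTER adding "ListenAddress 10.0.0.3" to
# /etc/ssh/sshd_config and running "service sshd restart".
SOCKSTAT_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   10.0.0.3:22           *:*
root     syslogd    620   6  udp4   *:514                 *:*'

# wildcard_listeners OUTPUT PORT
# Prints the COMMAND of every TCP listener in OUTPUT whose local address is
# the wildcard on PORT (sockstat prints it as "*:PORT"), one per line.
# The header line is skipped (NR > 1); tcp4 and tcp6 both match /^tcp/.
wildcard_listeners() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 && $5 ~ /^tcp/ && $6 == ("*:" port) { print $2 }'
}

# jail_ssh_conflicts OUTPUT JAILIP...
# Returns 0 when no host process holds the wildcard on port 22, so a jail
# sshd can bind its own address. Otherwise prints each jail IP whose
# sshd would fail to bind and returns 1.
jail_ssh_conflicts() {
    out=$1
    shift
    holder=$(wildcard_listeners "$out" 22)
    if [ -n "$holder" ]; then
        for ip in "$@"; do
            printf '%s:22 already claimed by host %s (*:22)\n' "$ip" "$holder"
        done
        return 1
    fi
    return 0
}
```

Run it against the live host with `jail_ssh_conflicts "$(sockstat -4 -l)" <jail-ip>` before `service jail start`; a non-zero exit means the jail's sshd will hit the address-in-use error described above.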