Message-ID: <546E21BA.703@infracaninophile.co.uk>
Date: Thu, 20 Nov 2014 17:15:38 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: 127.0.0.1 in a jail
References: <546E08B3.9090906@yahoo.com> <546E0EE8.3050102@qeng-ho.org>
In-Reply-To: <546E0EE8.3050102@qeng-ho.org>


On 11/20/14 15:55, Arthur Chance wrote:
> I don't think you can do anything to make 127.0.0.1 work as a target for
> connecting to - how is the common network stack to decide whether you're
> talking to the jail or the main box? It might be possible in VIMAGE
> jails, but I have no experience of them.

With a VIMAGE jail you certainly can create a loopback interface per
jail and set that to use 127.0.0.1 or ::1 as its addresses with a VIMAGE
jail.  Unfortunately at the moment you need a custom kernel to add the
VIMAGE functionality, and you need to avoid some of the various firewall
implementations: with VIMAGE you'd naturally run the firewall code from
within the jail, rather than as something controlled by the host system.

There are moves to make VIMAGE part of the default kernel config for
11.0-RELEASE, but that isn't expected until sometime next year and there
are some pretty nasty crash-bugs which will have to be thoroughly
squashed before it is enabled in a release.

> You could always add an entry for localhost in the jail's /etc/hosts
> that is the jail's address rather than 127.0.0.1. That's not going to
> happen automatically though.

You can do that -- but a lot of software will try and bind to localhost
by one of the well known IP numbers rather than looking up 'localhost'.

I've found it is generally possible to configure most software --
particularly server software -- either to bind to a specific IP address
or else to use a unix domain socket, and that gives good results in
jails.  It is a bit of a faff though, and you don't get the intrinsic
protection of binding some software to the loopback address if you have
to bind it to the jail's IP.

(One of the few common daemons you can't do that with is ntpd(8), but
that's something it makes no sense at all to run in a jail, seeing as
jails use exactly the same time-of-day as the host system)

	Cheers,

	Matthew
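An added example, not part of the thread: a small POSIX sh audit that parses sockstat(1) -l style output taken from inside a jail (e.g. `sockstat -4 -l` run in the jail) and flags listeners bound to 127.0.0.1 or the wildcard address, which in a non-VIMAGE jail do not give the loopback-only isolation discussed above. The sockstat lines below are constructed sample data, and the column layout assumed is the standard one (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS).

```shell
#!/bin/sh
# Classify one LOCAL ADDRESS field as printed by sockstat -l.
# Prints one of: unix loopback wildcard ip
classify_listener() {
    case "$1" in
        /*)                      echo unix ;;      # unix domain socket path
        127.*|::1:*|\[::1\]:*)   echo loopback ;;  # would need a per-jail lo
        \*:*|0.0.0.0:*)          echo wildcard ;;  # bound to every jail IP
        *)                       echo ip ;;        # bound to a specific IP
    esac
}

# Read sockstat -l output on stdin, skip the header line, and report every
# listener whose binding is not a unix socket or a specific IP address,
# since those are the two forms that behave predictably in a plain jail.
audit_listeners() {
    awk 'NR > 1 { print $2, $5, $6 }' | while read -r cmd proto addr; do
        cls=$(classify_listener "$addr")
        case "$cls" in
            loopback|wildcard)
                printf 'FLAG %s %s %s (%s)\n' "$cmd" "$proto" "$addr" "$cls" ;;
        esac
    done
}

# Constructed sample output; the IPs, PIDs and daemons are made up.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      nginx      1234  6  tcp4   192.0.2.10:80         *:*
mysql    mysqld     1300  12 tcp4   127.0.0.1:3306        *:*
root     sshd       1100  4  tcp4   *:22                  *:*
root     syslogd    1050  5  dgram  /var/run/log'

# Run the audit over the sample; expected: mysqld and sshd are flagged.
run_sample() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | audit_listeners
}

run_sample
```

Piping live `sockstat -4 -l` output from inside a jail into `audit_listeners` gives the same report for real daemons.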