From: Erik Norgaard <norgaard@locolomo.org>
To: Steve Bertrand
Cc: questions@freebsd.org
Subject: Re: Problem with jail connecting out
Date: Wed, 17 Jun 2009 16:36:51 +0200
Message-ID: <4A38FF83.3010501@locolomo.org>
In-Reply-To: <4A38EBE4.9040009@ibctech.ca>
References: <4A37F2B7.6000505@locolomo.org> <4A38A8A6.4090702@locolomo.org> <4A38EBE4.9040009@ibctech.ca>
List: freebsd-questions@freebsd.org (User questions)

Steve Bertrand wrote:
> Erik Norgaard wrote:
>> Erik Norgaard wrote:
>>
>>> I have no problem connecting from the host to the jail, but the other
>>> way around doesn't work.
>>>
>>> Also, related, how do I configure multiple interfaces in a jail?
>>
>> Second problem solved, starting jail with
>>
>> # jail /var/jail jail 127.0.0.2,172.16.0.2 /bin/sh /etc/rc
>>
>> So, now I have:
>>
>> vr1: flags=8943 metric 0 mtu 1500
>>         options=2808
>>         ether 00:40:63:ee:97:f1
>>         inet 172.16.0.2 netmask 0xffffffff broadcast 172.16.0.2
>>         media: Ethernet autoselect (100baseTX )
>>         status: active
>> lo0: flags=8049 metric 0 mtu 16384
>>         inet 127.0.0.2 netmask 0xffffffff
>>
>> Now, I can connect out on vr1 to 172.16.0.1, but not on lo0 to
>> 127.0.0.1. Any suggestions what might be wrong?
>
> I don't think that it is a wise idea to be using the loopback address
> space to route packets outside of the OS, and it is even possible that
> some implementations forbid this behaviour (don't quote me on that).

I have read some recommendations not to use the loopback interface, without any real explanation. I don't see why it shouldn't work with a different IP, as for other interfaces - or a cloned loopback.

> If you want a loopback to be a receive interface, you should clone off a
> second one (lo1), and assign an IP address to it that was not designed
> to be short circuited within the host, like this:
>
> % grep lo10 /etc/rc.conf
>
> cloned_interfaces="lo1 lo3 lo10 ...etc
>
> # lo10 (IPv4 iBGP loopback, advertised by OSPF)
> ifconfig_lo10="UP"
> ifconfig_lo10="inet 172.16.104.8 netmask 255.255.255.255"
>
> From RFC 1700:
>
> (g) {127, }
>
> Internal host loopback address. Should never appear outside
> a host.

It won't. It's intended to be strictly local on the internal loopback interface. The idea is to use the loopback interface for connecting between the jail and the host while not exposing the jail to the exterior.

Basically, I'm trying to set up a jail for my imap server to migrate my mail from the existing server, a last-resort clumsy way of upgrading the Berkeley DB. Then a script connecting to both services can create accounts, folders and copy the mail to the new service.

The idea is that this way I could do it transparently - well, that's the theory.

BR, Erik.

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
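As an added example (not from this thread or from either poster), the two configuration points raised above can be checked mechanically before a jail is started: whether a jail(8) comma-separated address list contains 127/8 addresses, which the quoted advice says should stay host-internal, and whether an rc.conf fragment like the one quoted assigns the same variable twice (rc.conf is sourced as shell, so the last assignment silently wins). The sample inputs are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example: audit a jail address list and an rc.conf fragment.

# Constructed sample inputs taken from the values quoted in the thread.
JAIL_IPS="127.0.0.2,172.16.0.2"
RC_CONF_SAMPLE='cloned_interfaces="lo1 lo3 lo10"
ifconfig_lo10="UP"
ifconfig_lo10="inet 172.16.104.8 netmask 255.255.255.255"'

# Exit status 0 if the IPv4 address lies in 127.0.0.0/8.
is_loopback_v4() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print every 127/8 address found in a comma-separated jail(8) address
# list, one per line (empty output means none were found).
loopback_addrs_in_list() {
    old_ifs=$IFS
    IFS=,
    for ip in $1; do
        if is_loopback_v4 "$ip"; then
            echo "$ip"
        fi
    done
    IFS=$old_ifs
    return 0
}

# Print rc.conf variable names that are assigned more than once in the
# given text. Since rc.conf is sourced by the rc scripts, only the last
# assignment takes effect; earlier ones are discarded without warning.
duplicate_rc_keys() {
    printf '%s\n' "$1" \
        | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' \
        | sort | uniq -d
    return 0
}

# Stand-alone run over the constructed samples.
echo "127/8 addresses in jail list: $(loopback_addrs_in_list "$JAIL_IPS")"
echo "duplicated rc.conf keys: $(duplicate_rc_keys "$RC_CONF_SAMPLE")"
```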