From: Fbsd8
Date: Wed, 11 Aug 2010 08:02:57 +0800
To: Brice ERRANDONEA
Cc: freebsd-questions@freebsd.org
Subject: Re: How to connect a jail to the web ?

Brice ERRANDONEA wrote:
> Hello,
>
> I've just created my first FreeBSD jail in order to install a web server inside.
> But I don't know how to connect it to the web. When I try pinging a http
> website, it doesn't work. Of course, it works when I do it from outside the
> jail.
>
> Another problem, probably linked to the first one, I can't run rc within the
> jail, even as the jail's root. It says: permission denied.
>
> Here's how I built and started my jail. I had already run make buildworld when
> upgrading to 8.1 release:
>
> # mkdir /usr/prison
> # cd /usr/src
> # make installworld DESTDIR=/usr/prison
> # make distribution DESTDIR=/usr/prison
> # mount -t devfs devfs /usr/prison/dev
> # jail -c path=/usr/prison host.hostname=ServeurWeb ip4.addr=192.1.1.1 persist
> # jail /usr/prison ServeurWeb 192.1.1.1 csh
>
> I guess this must be a very basic question but please help me.
>
>

1. ping is a security risk from within a jail and is disabled by design (read jail(8) for details). No use using a jail if the first thing you do is re-enable ping in the jail. To test for public internet connection from within a jail, use the dig or whois commands.

2. Using the host's firewall to drive traffic to a jail is a sign you have your jail incorrectly configured or do not understand how jails are intended to work.

3. Jails do not have a network stack of their own, so they can't have a firewall. The host's firewall and network stack are in control.

4. There are 2 utilities for creating jails. Qjail, the better documented of the 2, is designed for the novice, which clearly you are. I strongly suggest you check out http://sourceforge.net/projects/qjail
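
Point 1 of the reply, as an added example that is not part of the original message: ping needs a raw ICMP socket, which jail(8) denies unless allow.raw_sockets is set, while dig and whois use ordinary sockets. This sketch checks both; the function names and the target address are assumptions chosen for illustration.

```python
import errno
import socket


def raw_icmp_allowed():
    """True if this process may open the raw ICMP socket that ping(8) needs."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except OSError as e:
        # Inside a jail without allow.raw_sockets this is refused even for root.
        if e.errno in (errno.EPERM, errno.EACCES):
            return False
        raise
    s.close()
    return True


def tcp_reachable(host, port, timeout=3.0):
    """Return (ok, reason) for an ordinary TCP connect; no raw socket involved."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout"
    except ConnectionRefusedError:
        return False, "refused"
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e))


def diagnose(host, port):
    """Turn the probe result into a statement about the jail's connectivity."""
    ok, reason = tcp_reachable(host, port)
    if ok:
        return "reachable: TCP connect succeeded"
    if reason == "refused":
        # A refusal is still an answer, so packets are leaving and returning.
        return "reachable: host answered, but the port is closed"
    return "unreachable: " + reason


if __name__ == "__main__":
    print("raw ICMP sockets allowed:", raw_icmp_allowed())
    # 192.0.2.10 is a constructed documentation address; substitute a real server.
    print(diagnose("192.0.2.10", 80))
```

A result of "raw ICMP sockets allowed: False" together with a "reachable" line means the jail has working network access and only ping is blocked.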