Date: Wed, 11 Aug 2010 15:35:17 +0000 (GMT)
From: Brice ERRANDONEA <berrandonea@yahoo.fr>
To: Roland Smith <rsmith@xs4all.nl>, freebsd-questions@freebsd.org
Subject: Re : How to connect a jail to the web ?
Message-ID: <463890.24711.qm@web24606.mail.ird.yahoo.com>
In-Reply-To: <20100811112334.GA19667@slackbox.erewhon.net>
References: <268321.67123.qm@web24608.mail.ird.yahoo.com> <20100810130834.GA48376@slackbox.erewhon.net> <128012.76976.qm@web24611.mail.ird.yahoo.com> <20100810152004.GB51287@slackbox.erewhon.net> <994682.73446.qm@web24611.mail.ird.yahoo.com> <20100811112334.GA19667@slackbox.erewhon.net>
I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache http server running inside. So, the jail
must have a public IPv4 and access to the web.

What I'd understood of the jails' role (but I must have misunderstood) is that
it will have a different public ip than the host, so that if a pirate manages to
crack the server, he will only have access to the jail (the real public ip of
the host remaining secret). Then I'm surprised to learn that such traffic will
be routed through the host.

The jail is created. The next step now is to install the ports collection inside
with portsnap fetch. But each time I try to run this command inside the jail
(with jexec), I get the same answer :

Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.

This makes me think my jail is not connected to the web. To check this, I tried
to ping various known websites. When I tried domain names, like "ping
www.freebsd.org", this error message appears :

ping: cannot resolve www.freebsd.org : Host name lookup failure

So, I can't contact DNS servers able to translate www.freebsd.org to its ip.
Since I know this ip, I tried : "ping 69.147.83.33". This time, the error
message is :

ping: socket: Operation not permitted

From this, I concluded my jail was not connected to the web. Meanwhile, I've
understood that, anyway, the ping command is forbidden inside a jail. But the
"portsnap fetch" one is not.

It seems that the local ip given to the jail has to be an alias of an existing
one. I'm not on a local network so I only have 2 real network interfaces : rl0
(192.168.1.38) and the loopback lo0 (127.0.0.1).

192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail. By the way, I
wonder which one I will be able to choose if I ever have to create a second
jail. And also how the computer knows which data is for the jail and which one
is for the loopback.

I also added the line "net.inet.ip.forwarding=1" to sysctl.conf (on the host).
And here is the rc.conf of my jail :

devfs_system_ruleset="devfsrules_jail"
network_interfaces=""
sshd_enable="YES"
sendmail_enable="NO"
rpcbind_enable="NO"

Despite the sshd_enable="YES" line, I can't ssh from the host to the jail. Well,
I can... The first time I did it, I was asked if I wanted to add the jail to the
list of known hosts. I did it. No problem there. But, immediately after that,
instead of displaying "login :", the system displayed "passwd :". And none of
the passwords I had set with sysinstall (for the root and the common user) were
accepted. That's why I can only run commands inside the jail running jexec. It's
not that big a problem for the moment but one purpose of the jail is also (I
believe) to ssh into them from a distant computer without accessing the host.

It was not clear after the various answers I received if I had to use a firewall
or not so I tried both ways.

Without the firewall, the rc.conf of my host is :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc" (yes, I'm French)
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"

jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0" (I also tried rl0 here)
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"

gateway_enable="YES"
router_enable="YES"

Since I've added this last line (router_enable="YES"), I have to press Enter at
the end of the bootup process to obtain the "login :". Again, it's not a big
problem but nonetheless a strange one.

With this configuration, portsnap fetch continues to give me the same error
message I mentioned before.

With the firewall (pf), now, the rc.conf of my host becomes :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"

jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0"
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"

gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

And here's the /etc/pf.conf :

ext_if="rl0"
int_if="rl0"

Same result for portsnap fetch.

A lot of questions, isn't it? I guess I must have made a lot of mistakes. But I
can't believe I'm the first one who tries to install a web server in a jail.
This must be a well known process.

Thanks to those who helped me and to those who will !

Good evening

Brice

________________________________
From: Roland Smith <rsmith@xs4all.nl>
To: Brice ERRANDONEA <berrandonea@yahoo.fr>
Sent: Wed 11 Aug 2010, 13h 23min 34s
Subject: Re: Re : Re : How to connect a jail to the web ?

On Wed, Aug 11, 2010 at 11:07:59AM +0000, Brice ERRANDONEA wrote:

> OK, I'll try this. And, as you suggested, I switch my jail's IP to
> 192.168.1.1. Why do you use age0 as ext_if and not rl0 ?

Because rl(4) is just not the best quality network chip. It's really Windows
quality hardware. The age(4) is on the motherboard, and I couldn't find a
fxp(4) or em(4) based network card.

> Here's my ifconfig. Which interfaces should I use for ext_if in pf.conf ?
>
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active

In your case, the above rl0 is the only _real_ network chip. As you can see
from the "UP" flag, only rl0 and lo0 are actually active (and the loopback
interface is always there). They also are the only ones that have an actual IP
address.

If you don't want to run a firewall, you can alternatively add
'router_enable="YES"' to /etc/rc.conf. This will start the routed(8) daemon
which by default forwards packets between interfaces.

> fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 02:11:06:99:8a:ff
>         ch 1 dma -1
> fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
> plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
>         nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

You could alias your jail to lo0.

Roland
-- 
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
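An added example, not part of the thread: a small POSIX sh lint that checks an rc.conf jail block and a jail root for the configuration problems visible in the message above (jail_enable="NO", the jail address aliased onto lo0 / 127.0.0.1, a jail_list name whose jail_<name>_ip is never defined because the parameters are spelled jail_server_*, and a missing /etc/resolv.conf inside the jail root, which is what produces "Host name lookup failure"). The sample rc.conf is constructed, modelled on the one in the message; rc_val, lint_jail_rcconf and make_sample are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: lint a FreeBSD 8-era rc.conf jail
# block and a jail root for the networking mistakes discussed above.

# rc_val FILE KEY: value of the last KEY="value" line in FILE, or empty
rc_val() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# lint_jail_rcconf FILE JAIL_ROOT: print one finding per line, exit 0
lint_jail_rcconf() {
    conf="$1"; jroot="$2"
    [ "$(rc_val "$conf" jail_enable)" = "YES" ] ||
        echo "jail_enable is not YES: rc will not start the jails at boot"
    # jail_interface is where rc aliases the jail IP; lo0 keeps it on-host
    [ "$(rc_val "$conf" jail_interface)" != "lo0" ] ||
        echo "jail_interface=lo0: jail address is aliased onto loopback, not the NIC"
    for name in $(rc_val "$conf" jail_list); do
        # rc.d/jail reads jail_<name>_ip for every name listed in jail_list
        ip=$(rc_val "$conf" "jail_${name}_ip")
        case "$ip" in
        "")    echo "jail_list names $name but jail_${name}_ip is not set" ;;
        127.*) echo "jail $name uses $ip: loopback is not routable off-host" ;;
        esac
    done
    # the jail has its own /etc; without resolv.conf every name lookup fails
    [ -f "$jroot/etc/resolv.conf" ] ||
        echo "$jroot/etc/resolv.conf missing: DNS lookups in the jail will fail"
}

# make_sample DIR: write a constructed rc.conf (modelled on the thread's)
# and an empty jail root under DIR; prints the rc.conf path
make_sample() {
    mkdir -p "$1/prison/etc"
    cat > "$1/rc.conf" <<'EOF'
ifconfig_rl0="DHCP"
jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0"
jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"
gateway_enable="YES"
EOF
    echo "$1/rc.conf"
}

# stand-alone demo: lint the constructed sample and show its findings
d=$(mktemp -d); lint_jail_rcconf "$(make_sample "$d")" "$d/prison"; rm -rf "$d"
```

The "ping: socket: Operation not permitted" line is the jail's raw-socket restriction (security.jail.allow_raw_sockets is 0 by default), not a connectivity failure, so fetch(1) or portsnap is a better reachability test from inside a jail.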