Date: Wed, 11 Aug 2010 18:46:20 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG, berrandonea@yahoo.fr
Subject: Re: Re : How to connect a jail to the web ?
Message-ID: <201008111646.o7BGkKKI041795@lurza.secnetix.de>
In-Reply-To: <463890.24711.qm@web24606.mail.ird.yahoo.com>
Brice ERRANDONEA <berrandonea@yahoo.fr> wrote:
> I tried all of this without any result. But I won't give up.
>
> What I want is a jail with an Apache http server running inside.
> So, the jail must have a public IPv4 and access to the web.

Not necessarily. Of course, the jail _can_ have a public IP address. This will make things easier. But some people prefer to give their jails private addresses or even aliases on lo0 (e.g. 127.0.0.2). In order to access such a jail from the outside, the host has to forward packets from and to the private address. This can be done with IPFW "fwd" rules, for example.

> What I'd understood of the jails' role (but I must have
> misunderstood) is that it will have a different public ip than the
> host, so that if a pirate manages to crack the server, he will only
> have access to the jail (the real public ip of the host remaining
> secret).

Yes, it has advantages to give a jail its own IP address, but it's not strictly necessary. The IP address can be shared with the host and with other IP addresses if you prefer. It's also possible to give the jail the host's IP address during installation, so things like portsnap, pkg_add -r and similar will run without trouble, and then switch the jail to its final IP address.

> Then I'm surprised to learn that such traffic will be routed
> through the host.

Routing happens globally (unless you use VIMAGE and/or multiple FIBs, but let's forget about these for now because they make things even more complicated, and you probably don't need them). By default there is only one routing table inside the kernel, through which all packets go. So, packets from your jails go through the same routing table as packets from your host.

> The jail is created. The next step now is to install the ports
> collection inside with portsnap fetch. But each time I try to run
> this command inside the jail (with jexec), I get the same answer :
>
> Looking up portsnap.FreeBSD.org mirrors... none found.
> Fetching public key from portsnap.FreeBSD.org... failed. No mirrors
> remaining, giving up.
>
> This makes me think my jail is not connected to the web.

This has nothing to do with the web. Maybe you confuse web and internet or network? Obviously your jail cannot do DNS lookups, i.e. it cannot resolve host names.

> So, I can't contact DNS servers able to translate www.freebsd.org to
> its ip. Since I know this ip, I tried : "ping 69.147.83.33". This
> time, the error message is :
>
> ping: socket: Operation not permitted

ping(1) uses raw sockets in order to be able to send and receive ICMP packets. By default, raw sockets are disallowed in jails. To change that, use this command on the host:

  sysctl security.jail.allow_raw_sockets=1

Add an entry to /etc/sysctl.conf so the setting will survive reboots.

> It seems that the local ip given to the jail has to be an alias
> of an existing one.

No, it must simply be an existing address, i.e. it must be configured on one of your interfaces (whether alias or not).

> I'm not on a local network so I only have 2
> real network interfaces : rl0 (192.168.1.38) and the loopback lo0
> (127.0.0.1).

So you can use one of those two addresses, or you can add aliases (e.g. 192.168.1.39) and then use that one. Of course you can only use addresses that you "own" and that will work on your network. If addresses are assigned to you by an ISP or administrator, then you can only use those.

> 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

Well, localnet addresses are not routed. If you give your jail a localnet address, it won't be able to access the network outside of the host. (Unless you take measures to rewrite/translate the addresses and forward them.) That's why DNS and portsnap don't work.

I suggest using the address 192.168.1.38 for the jail, at least during installation. Make sure that the file /etc/resolv.conf inside the jail is correct, so DNS will work. Copying it from the host should be sufficient.

By the way, you don't have to build ports inside the jail. Of course you *can* do that, but there are other ways, too. For example, you could build packages (apache etc.) on the host, or in a different jail, or even on a different machine, and then use pkg_add(8) inside your jail to install them.

> By the way, I wonder which one I will be able to choose if I ever
> have to create a second jail.

Multiple jails can share the same address if required.

> And also how the computer knows which data is for the jail and which
> one is for the loopback.

Services (such as apache) listen on certain ports for connections. For example, the default port for the HTTP protocol is 80. So, when someone is trying to open a connection to your IP address on port 80, your kernel looks it up in its table of listening TCP sockets and finds the apache process which is running inside the jail. So the connection is handed to the jail. (This is a bit oversimplifying, but basically that's how it works.)

> I also added the line "net.inet.ip.forwarding=1" to sysctl.conf
> (on the host).

You don't need that one. It's only required when your machine should act as a router, i.e. forward packets to other hosts.

> Despite the sshd_enable="YES" line, I can't ssh from the host to the
> jail. Well, I can... The first time I did it, I was asked if I wanted
> to add the jail to the list of known hosts. I did it. No problem
> there. But, immediately after that, instead of displaying "login :",
> the system displayed "passwd :".

That's normal. ssh never asks for the login. You can use the -l option if you need to specify a different user name (or put it in your ~/.ssh/config).

> And none of the passwords I had set with sysinstall (for the root and
> the common user) were accepted.

Are you sure that those passwords are set *inside* the jail? You can go into the jail with jexec (or even chroot) and then set a new password.

> It's not that big a problem for the moment but one purpose of the jail
> is also (I believe) to ssh into them from a distant computer without
> accessing the host.

That's not a good idea. ssh access should not be open to the public. It's better to log into the host first, then log into the jail from there. Some paranoid people have a special "login jail". They ssh into the login jail, then log into the host or into other jails from there. The host accepts ssh only from localhost. But please forget this immediately; we don't want to make things more complicated than necessary.

> It was not clear after the various answers I received if I had to use
> a firewall or not so I tried both ways.

If you're just starting with jails, it's better not to use a firewall for the jail. First get the jail running. When it's running, you can think about adding firewall rules to make it more secure. A firewall is *not* required to get jails working.

> gateway_enable="YES"
> router_enable="YES"

Remove both. You don't need either of those.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"Above all, they contribute to the genetic diversity in the operating
system pool. Which is a good thing."
        -- Ruben van Staveren, on the question which BSD OS is the best one.
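The host-side steps the reply lists (allow raw sockets and persist the setting in sysctl.conf, copy resolv.conf into the jail, drop the gateway_enable/router_enable knobs and net.inet.ip.forwarding=1) as an added shell example that is not part of Oliver's mail or of FreeBSD itself; every file path is passed as an argument so the functions can be exercised against a scratch directory first, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original mail: apply the host-side fixes the
# reply describes. Every path is an argument, so the functions can be tried
# against a scratch directory before touching a live FreeBSD host.
set -eu

# Set key=value in a sysctl.conf-style file idempotently (replace an existing
# line or append). Used for security.jail.allow_raw_sockets=1 so that ping(1)
# works inside the jail and the setting survives a reboot.
set_sysctl_conf() {   # usage: set_sysctl_conf FILE KEY VALUE
    f=$1 k=$2 v=$3
    [ -f "$f" ] || : > "$f"
    # escape the dots in the key so they match literally in the regex
    pat=$(printf '%s' "$k" | sed 's/\./\\./g')
    if grep -q "^${pat}=" "$f"; then
        sed "s|^${pat}=.*|${k}=${v}|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s=%s\n' "$k" "$v" >> "$f"
    fi
}

# Drop the router knobs the reply says a jail host does not need.
strip_router_knobs() {   # usage: strip_router_knobs RC_CONF
    f=$1
    grep -v -E '^(gateway_enable|router_enable)=' "$f" > "$f.tmp" || true
    mv "$f.tmp" "$f"
}

# Copy the host's resolv.conf into the jail root so DNS works inside.
sync_resolv_conf() {   # usage: sync_resolv_conf HOST_RESOLV_CONF JAIL_ROOT
    mkdir -p "$2/etc"
    cp "$1" "$2/etc/resolv.conf"
}

# List lines in rc.conf / sysctl.conf that the reply flags as unnecessary
# (router knobs and net.inet.ip.forwarding=1); empty output means none.
find_unneeded_knobs() {  # usage: find_unneeded_knobs RC_CONF SYSCTL_CONF
    grep -h -E '^(gateway_enable|router_enable)=|^net\.inet\.ip\.forwarding=1' \
        "$1" "$2" 2>/dev/null || true
}
```

Run `find_unneeded_knobs /etc/rc.conf /etc/sysctl.conf` first to see what would be removed, then call the other functions with the real paths as root.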