Date: Wed, 11 Aug 2010 18:14:04 +0000 (GMT)
From: Brice ERRANDONEA <berrandonea@yahoo.fr>
To: freebsd-questions@FreeBSD.ORG
Subject: Re : Re : How to connect a jail to the web ?
Message-ID: <671410.73325.qm@web24615.mail.ird.yahoo.com>
In-Reply-To: <201008111646.o7BGkKKI041795@lurza.secnetix.de>
References: <201008111646.o7BGkKKI041795@lurza.secnetix.de>
Thank you very much for your answer. It helped me understand some elements. But
portsnap still doesn't work.

>> So, I can't contact DNS servers able to translate www.freebsd.org to
>> its ip. Since I know this ip, I tried: "ping 69.147.83.33". This
>> time, the error message is:
>>
>> ping: socket: Operation not permitted

>ping(1) uses raw sockets in order to be able to send and
>receive ICMP packets. By default, raw sockets are disallowed
>in jails. To change that, use this command on the host:

>sysctl security.jail.allow_raw_sockets=1

>Add an entry to /etc/sysctl.conf so the setting will survive
>reboots.

I did it but ping still doesn't work.

>> 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

>Well, localnet addresses are not routed. If you give your
>jail a localnet address, it won't be able to access the
>network outside of the host. (Unless you take measures
>to rewrite/translate the addresses and forward them.)
>That's why DNS and portsnap don't work.

>I suggest using the address 192.168.1.38 for the jail,
>at least during installation. Make sure that the file
>/etc/resolv.conf inside the jail is correct, so DNS will
>work. Copying it from the host should be sufficient.

Isn't 192.168.1.38 a localnet address too? Do you mean I should use the public
ip of my computer here?

> By the way, you don't have to build ports inside the jail.
> Of course you *can* do that, but there are other ways, too.
> For example, you could build packages (apache etc.) on
> the host, or in a different jail, or even on a different
> machine, and then use pkg_add(8) inside your jail to
> install them.

I prefer doing it that way. I will use apache later so I will have to connect the
jail to the internet anyway.

>> And also how the computer knows which data is for the jail and which
>> one is for the loopback.

>Services (such as apache) listen on certain ports for
>connections. For example, the default port for the HTTP
>protocol is 80. So, when someone is trying to open a
>connection to your IP address on port 80, your kernel
>looks it up in its table of listening TCP sockets and
>finds the apache process which is running inside the jail.
>So the connection is handed to the jail.

>(This is a bit oversimplifying, but basically that's how
>it works.)

OK. This is clear. And it explains how multiple jails can share the same
address.

>> Despite the sshd_enable="YES" line, I can't ssh from the host to the
>> jail. Well, I can... The first time I did it, I was asked if I wanted
>> to add the jail to the list of known hosts. I did it. No problem
>> there. But, immediately after that, instead of displaying "login :",
>> the system displayed "passwd :".

>That's normal. ssh never asks for the login. You can use the -l
>option if you need to specify a different user name (or put it in your
>~/.ssh/config).

Of course. I'm losing my mind with all that jail trouble. It works perfectly
well with the -l option.

> Some paranoid people have a special "login jail". They
> ssh into the login jail, then log into the host or into
> other jails from there. The host accepts ssh only from
> localhost. But please forget this immediately; we don't
> want to make things more complicated than necessary.

I thought it was intended to be impossible to access the host from the jail. But
you're right: I'll forget that.

So, we're progressing. But the problem is not over yet. Any other idea?

Have a good evening, anyway.

Brice

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606, Management:
secnetix Verwaltungsgesellsch. mbH, Commercial register: Registergericht München,
HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more: http://www.secnetix.de/bsd

"Above all, they contribute to the genetic diversity in the
operating system pool. Which is a good thing."
 -- Ruben van Staveren, on the question which BSD OS is the best one.
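
A preflight check for the three failure modes the reply above describes (a loopback address that is not routed off the host, raw sockets disabled so ping fails, and a jail resolv.conf with no nameserver). This is an added example, not code from the thread; the checks take their inputs as arguments so they run anywhere, and only the assumed live_check wrapper relies on a FreeBSD host, jls(8) and sysctl(8).

```sh
#!/bin/sh
# Added example: diagnose why a jail cannot reach the network.

# Succeeds (exit 0) when the address is in 127.0.0.0/8, which the kernel
# does not route beyond the host.
is_loopback_addr() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Prints one line per problem found, nothing when all three checks pass.
#   $1  jail IPv4 address (ip4.addr)
#   $2  path to the jail's /etc/resolv.conf as seen from the host
#   $3  host value of security.jail.allow_raw_sockets
jail_net_check() {
    addr=$1; resolv=$2; raw=$3
    if is_loopback_addr "$addr"; then
        echo "ADDR: $addr is a loopback address; DNS and portsnap cannot leave the host (use a LAN address such as the host's)"
    fi
    if [ "$raw" != "1" ]; then
        echo "RAWSOCK: security.jail.allow_raw_sockets=$raw on the host; ping(1) in the jail fails with 'Operation not permitted'"
    fi
    if [ ! -s "$resolv" ] || ! grep -q '^nameserver' "$resolv" 2>/dev/null; then
        echo "DNS: $resolv has no nameserver line; copy /etc/resolv.conf from the host"
    fi
}

# Number of problems found (0 means the jail should be able to reach the net).
jail_net_problem_count() {
    jail_net_check "$@" | wc -l | tr -d ' '
}

# Assumed FreeBSD-only wrapper: $1 is a jail name; reads the live values
# with jls(8) and sysctl(8) and feeds them to jail_net_check.
live_check() {
    jail_net_check "$(jls -j "$1" ip4.addr)" \
                   "$(jls -j "$1" path)/etc/resolv.conf" \
                   "$(sysctl -n security.jail.allow_raw_sockets)"
}
```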