Date: Wed, 11 Aug 2010 22:55:11 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG, berrandonea@yahoo.fr
Subject: Re: How to connect a jail to the web ?
Message-ID: <201008112055.o7BKtBP0053143@lurza.secnetix.de>
In-Reply-To: <263335.86236.qm@web24604.mail.ird.yahoo.com>
Brice ERRANDONEA <berrandonea@yahoo.fr> wrote:
 > Oliver Fromme wrote:
 > > sysctl security.jail.allow_raw_sockets=1
 >
 > I did it but ping still doesn't work.

Which IP address are you using for the jail now?

If you're using 127.0.0.1, you can only ping the host's own IP
addresses, because packets with a localnet IP never leave a
machine.

If you're using the "real" address (192.168.1.38) for the jail,
then you should be able to ping all addresses that you can ping
from the host.

I just did a quick test on my machine; it has the IP address
172.20.0.2 (which is being translated with NAT on my router,
but that doesn't matter):

HOST# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
HOST# jail / testjail 172.20.0.2 /bin/sh -E
# ping www.google.com
PING www.l.google.com (66.102.13.105): 56 data bytes
64 bytes from 66.102.13.105: icmp_seq=0 ttl=54 time=31.196 ms
64 bytes from 66.102.13.105: icmp_seq=1 ttl=54 time=25.553 ms
64 bytes from 66.102.13.105: icmp_seq=2 ttl=54 time=27.086 ms

 > > > 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
 > >
 > > Well, localnet addresses are not routed. If you give your
 > > jail a localnet address, it won't be able to access the
 > > network outside of the host. (Unless you take measures
 > > to rewrite/translate the addresses and forward them.)
 > > That's why DNS and portsnap don't work.
 > >
 > > I suggest using the address 192.168.1.38 for the jail,
 > > at least during installation. Make sure that the file
 > > /etc/resolv.conf inside the jail is correct, so DNS will
 > > work. Copying it from the host should be sufficient.
 >
 > Isn't 192.168.1.38 a localnet address too?

It's a private address (RFC 1918). I assume that you've got
a NAT router that translates it to a public IP address.

 > Do you mean I should use the public ip of my computer here?

Do you have one? So far you only mentioned 192.168.1.38.

 > I thought it was intended to be impossible to access the host from the jail.

It depends on what you want to do with the jail. Jails can
be used for vastly different purposes.

 > But you're right: I'll forget that.

Good. :-)

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606, Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht München,
HRB 125758, Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD-Dienstleistungen, -Produkte und mehr: http://www.secnetix.de/bsd

"Clear perl code is better than unclear awk code; but NOTHING
comes close to unclear perl code" (taken from comp.lang.awk FAQ)
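The point of the reply above is the difference between a loopback address (never leaves the host) and an RFC 1918 private address (routed on the LAN and NATed by the router). The following POSIX sh script is an added example, not code from the thread: it classifies a dotted-quad IPv4 address and states what a jail bound to it can expect to reach, so the check can be run before starting the jail. The function names ip_class and jail_reach are my own.

```shell
#!/bin/sh
# Added example (not from the original thread). Classifies an IPv4
# address the way the reply above reasons about it: loopback (127/8)
# never leaves the host, RFC 1918 private space is routable on the
# LAN and reaches the Internet through the NAT router.

# ip_class ADDR -> prints one of: loopback, private, public, invalid
ip_class() {
    addr=$1
    # Split the dotted quad into four positional parameters.
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1; b=$2
    if [ "$a" -eq 127 ]; then
        echo loopback      # 127/8: packets never leave the machine
    elif [ "$a" -eq 10 ] \
         || { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } \
         || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
        echo private       # RFC 1918: 10/8, 172.16/12, 192.168/16
    else
        echo public
    fi
}

# jail_reach ADDR -> one line describing what a jail on ADDR can reach
jail_reach() {
    case $(ip_class "$1") in
        loopback) echo "host only: 127/8 is not routed, DNS and portsnap fail" ;;
        private)  echo "LAN and, via the NAT router, the Internet; copy /etc/resolv.conf from the host" ;;
        public)   echo "Internet directly" ;;
        *)        echo "not a valid IPv4 address"; return 1 ;;
    esac
}

# Example run with the addresses from the thread:
#   jail_reach 127.0.0.1
#   jail_reach 192.168.1.38
```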