Date: Wed, 11 Aug 2010 18:24:53 +0000 (GMT)
From: Brice ERRANDONEA <berrandonea@yahoo.fr>
To: freebsd-questions@freebsd.org
Subject: Re: How to connect a jail to the web ?
Message-ID: <263335.86236.qm@web24604.mail.ird.yahoo.com>
Thank you very much for your answer. It helped me understand some elements. But
portsnap still doesn't work.

>> So, I can't contact DNS servers able to translate www.freebsd.org to
>> its ip. Since I know this ip, I tried : "ping 69.147.83.33". This
>> time, the error message is :
>>
>> ping: socket: Operation not permitted

> ping(1) uses raw sockets in order to be able to send and
> receive ICMP packets. By default, raw sockets are disallowed
> in jails. To change that, use this command on the host:
>
> sysctl security.jail.allow_raw_sockets=1
>
> Add an entry to /etc/sysctl.conf so the setting will survive
> reboots.

I did it but ping still doesn't work.

>> 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

> Well, localnet addresses are not routed. If you give your
> jail a localnet address, it won't be able to access the
> network outside of the host. (Unless you take measures
> to rewrite/translate the addresses and forward them.)
> That's why DNS and portsnap don't work.
>
> I suggest using the address 192.168.1.38 for the jail,
> at least during installation. Make sure that the file
> /etc/resolv.conf inside the jail is correct, so DNS will
> work. Copying it from the host should be sufficient.

Isn't 192.168.1.38 a localnet address too ? Do you mean I should use the public
ip of my computer here ?

> By the way, you don't have to build ports inside the jail.
> Of course you *can* do that, but there are other ways, too.
> For example, you could build packages (apache etc.) on
> the host, or in a different jail, or even on a different
> machine, and then use pkg_add(8) inside your jail to
> install them.

I prefer doing it that way. I will use apache later so I will have to connect the
jail to internet anyway.

>> And also how the computer knows which data is for the jail and which
>> one is for the loopback.

> Services (such as apache) listen on certain ports for
> connections. For example, the default port for the HTTP
> protocol is 80. So, when someone is trying to open a
> connection to your IP address on port 80, your kernel
> looks it up in its table of listening TCP sockets and
> finds the apache process which is running inside the jail.
> So the connection is handed to the jail.
>
> (This is a bit oversimplifying, but basically that's how
> it works.)

OK. This is clear. And it explains how multiple jails can share the same
address.

>> Despite the sshd_enable="YES" line, I can't ssh from the host to the
>> jail. Well, I can... The first time I did it, I was asked if I wanted
>> to add the jail to the list of known hosts. I did it. No problem
>> there. But, immediately after that, instead of displaying "login :",
>> the system displayed "passwd :".

> That's normal. ssh never asks for the login. You can use the -l
> option if you need to specify a different user name (or put it in your
> ~/.ssh/config).

Of course. I'm losing my mind with all that jail trouble. It works perfectly
well with the -l option.

> Some paranoid people have a special "login jail". They
> ssh into the login jail, then log into the host or into
> other jails from there. The host accepts ssh only from
> localhost. But please forget this immediately; we don't
> want to make things more complicated than necessary.

I thought it was intended to be impossible to access the host from the jail. But
you're right : I'll forget that.

So, we're progressing. But the problem is not over yet. Any other idea ?

Have a good evening, anyway.

Brice
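The question "isn't 192.168.1.38 a localnet address too?" is the crux of the thread: 127.0.0.1 is loopback and never leaves the host, while 192.168.1.38 is RFC 1918 private space that is routed on the LAN (and NATed to the Internet by the home router). The POSIX sh helper below, an added example that is not part of the thread, classifies a candidate jail address the way the reply distinguishes them, and a second function reports the two host-side settings the reply asks to check; the jail root path passed to it is an assumption, not something from the thread.

```shell
#!/bin/sh
# Added example: classify an IPv4 address as loopback (127/8, never routed off
# the host), RFC 1918 private (routable on the LAN, so usable by a jail that
# reaches the network through the host's NIC), public, or invalid.
classify_ipv4() {
    ip=$1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split into octets
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo invalid; return 1;; esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if [ "$1" -eq 127 ]; then echo loopback
    elif [ "$1" -eq 10 ]; then echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private
    else echo public
    fi
}

# Explain, in the reply's terms, what each class means for a jail.
jail_ip_advice() {
    case $(classify_ipv4 "$1") in
        loopback) echo "$1: loopback, not routed off the host; DNS and portsnap cannot reach outside";;
        private)  echo "$1: LAN address, fine for the jail (router NATs it to the Internet)";;
        public)   echo "$1: public address, reachable directly";;
        *)        echo "$1: not a valid IPv4 address";;
    esac
}

# On the FreeBSD host: report the raw-socket sysctl and whether the jail has
# a resolv.conf. Argument: the jail's root directory (assumed, e.g. /usr/jails/www).
# On a non-FreeBSD system the sysctl simply reports "unavailable".
jail_host_checks() {
    jailroot=$1
    raw=$(sysctl -n security.jail.allow_raw_sockets 2>/dev/null || echo unavailable)
    echo "security.jail.allow_raw_sockets=$raw (1 lets ping(1) work inside the jail)"
    if [ -r "$jailroot/etc/resolv.conf" ]; then
        echo "$jailroot/etc/resolv.conf present"
    else
        echo "$jailroot/etc/resolv.conf missing: copy it from the host"
    fi
}
```

Running `jail_ip_advice 127.0.0.1` and `jail_ip_advice 192.168.1.38` side by side shows why the reply recommends the host's LAN address rather than loopback.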