Date: Mon, 22 Mar 2010 17:47:09 +0800
From: Aiza <aiza21@comclark.com>
To: Mark Shroyer <subscriber+freebsd@markshroyer.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ezjail
Message-ID: <4BA73C9D.7090900@comclark.com>
In-Reply-To: <4BA6CB8B.8070309@markshroyer.com>
References: <4BA5AA53.5030503@comclark.com> <4BA69566.2040504@markshroyer.com> <4BA6B80F.7050806@comclark.com> <4BA6CB8B.8070309@markshroyer.com>
Mark Shroyer wrote:
> On 3/21/2010 8:21 PM, Aiza wrote:
>> Does the IP address notation for the jail include the port number?
>> Like 10.0.20.2:80? NAT port forwarding is the long way around just to get
>> the correct port number to the jail IP address.
>
> Nope, jails are assigned one (or more) specific IP addresses, but not
> specific port numbers. So if you don't have a separate public IP for
> your jail, you'll be relying on some sort of packet filter to redirect
> traffic to its private IP address.
>
> This isn't as big a deal as it may sound, especially if you're already
> using PF, which has built-in packet redirection capabilities that do not
> require you to run a separate NAT daemon.

My host 8.0 system is the gateway to the public internet. I have ipfilter running, blocking all inbound requests for service. I only allow outbound requests from the LAN behind the gateway and use keep state to allow the packet conversation to continue. All this has worked fine for years across many releases of FreeBSD.

Now comes playing with jails. I created 3 jails, www, ftp and telnet, and used the IP addresses 10.0.20.20, 10.0.20.30 and 10.0.20.40. The goal is to target those jails from other PCs on the private LAN, which use IP addresses in the 10.0.10.2 through 10.0.10.8 range.

I used ezjail-admin onestart and all the jails start. Then I did ezjail-admin console ftp.local.com and got logged into that jail. Edited /etc/inetd.conf and uncommented the ftp line. Edited /etc/rc.conf, adding inetd_enable="YES", and exited the ftp jail. Did ezjail-admin onestop followed by ezjail-admin onestart to cycle the ftp jail to activate the ftp function. ezjail-admin console ftp.local.com to get logged into that jail again.

From within the jail, ping -c 2 10.0.10.6 (a PC on the LAN) gives me a "no sockets" message. And ftp from 10.0.10.6 to 10.0.20.30 (the ftp jail) gives me a "no connection" error. What is the problem here?
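To make Mark's point concrete, here is an added example (not posted by anyone in this thread) of the PF redirection he describes: a minimal /etc/pf.conf for a FreeBSD 8.x gateway that forwards inbound web traffic arriving on the public interface to a jail living on a private address. The interface name em0 and the use of 10.0.20.20 as the www jail's address are assumptions; the rdr/pass syntax is the pre-OpenBSD-4.7 form that FreeBSD 8 ships.

```pf
# Added example, not from the thread. Assumed: em0 is the public interface,
# 10.0.20.20 is the www jail's address (configured by ezjail as an alias on
# a host interface), and only the listed TCP ports should reach the jail.
ext_if   = "em0"
www_jail = "10.0.20.20"
www_ports = "{ 80, 443 }"

set skip on lo0

# Translation rules must precede filter rules. Rewrite the destination of
# inbound TCP aimed at the gateway's own public address to the jail's
# private address; "rdr pass" also admits the redirected connection, so no
# separate "pass in" rule is needed for these ports.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $www_ports \
    -> $www_jail

# Default deny for everything else arriving on any interface; log the drops.
block in log all

# Let the host and the LAN behind it initiate outbound connections; the
# state entry lets the reply traffic back in.
pass out quick on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only) and then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the active rdr rule. The rdr rule only exposes the ports listed in $www_ports, so the jail's other listeners stay unreachable from outside, and nothing here runs a userland NAT daemon. For an ipfilter setup such as Aiza's, the equivalent one-liner in ipnat.conf is `rdr em0 0.0.0.0/0 port 80 -> 10.0.20.20 port 80 tcp` (same assumed names). Two caveats for the symptoms reported above: a redirect is only needed for traffic arriving on a public address, since LAN hosts can reach 10.0.20.x directly if the gateway routes to it and the filter passes it; and ping from inside a jail needs a raw socket, which jails are denied unless the host sets the sysctl security.jail.allow_raw_sockets=1, so a socket error from ping in a jail does not by itself indicate a network problem.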