I tried all of this without any result. But I won't give up. What I want is a jail with an Apache http server running inside. So, the jail must have a public IPv4 and access to the web.
What I'd understood of the jails' role (but I must have misunderstood) is that it will have a different public IP than the host, so that if a pirate manages to crack the server, he will only have access to the jail (the real public IP of the host remaining secret). Then I'm surprised to learn that such traffic will be routed through the host.

The jail is created. The next step now is to install the ports collection inside with portsnap fetch. But each time I try to run this command inside the jail (with jexec), I get the same answer:

Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.

This makes me think my jail is not connected to the web. To check this, I tried to ping various known websites. When I tried domain names, like "ping www.freebsd.org", this error message appears:

ping: cannot resolve www.freebsd.org : Host name lookup failure

So, I can't contact DNS servers able to translate www.freebsd.org to its IP. Since I know this IP, I tried "ping 69.147.83.33". This time, the error message is:

ping: socket: Operation not permitted

From this, I concluded my jail was not connected to the web. Meanwhile, I've understood that, anyway, the ping command is forbidden inside a jail. But the "portsnap fetch" one is not.

It seems that the local IP given to the jail has to be an alias of an existing one. I'm not on a local network so I only have 2 real network interfaces: rl0 (192.168.1.38) and the loopback lo0 (127.0.0.1). 192.168.1.38 is the host's IP so I use 127.0.0.1 for the jail. By the way, I wonder which one I will be able to choose if I ever have to create a second jail. And also how the computer knows which data is for the jail and which one is for the loopback. I also added the line "net.inet.ip.forwarding=1" to sysctl.conf (on the host).
And here is the rc.conf of my jail:

devfs_system_ruleset="devfsrules_jail"
network_interfaces=""
sshd_enable="YES"
sendmail_enable="NO"
rpcbind_enable="NO"

Despite the sshd_enable="YES" line, I can't ssh from the host to the jail. Well, I can... The first time I did it, I was asked if I wanted to add the jail to the list of known hosts. I did it. No problem there. But, immediately after that, instead of displaying "login :", the system displayed "passwd :". And none of the passwords I had set with sysinstall (for the root and the common user) were accepted. That's why I can only run commands inside the jail running jexec. It's not that big a problem for the moment but one purpose of the jail is also (I believe) to ssh into them from a distant computer without accessing the host.

It was not clear after the various answers I received if I had to use a firewall or not so I tried both ways. Without the firewall, the rc.conf of my host is:

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc" (yes, I'm French)
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"
jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0" (I also tried rl0 here)
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"
jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"
gateway_enable="YES"
router_enable="YES"

Since I've added this last line (router_enable="YES"), I have to press Enter at the end of the bootup process to obtain the "login :". Again, it's not a big problem but nonetheless a strange one. With this configuration, portsnap fetch continues to give me the same error message I mentioned before.
With the firewall (pf), now, the rc.conf of my host becomes:

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"
jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0"
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"
jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

And here's the /etc/pf.conf:

ext_if="rl0"
int_if="rl0"

Same result for portsnap fetch. A lot of questions, isn't it? I guess I must have made a lot of mistakes. But I can't believe I'm the first one who tries to install a web server in a jail. This must be a well known process.

Thanks to those who helped me and to those who will!

Good evening
Brice

________________________________
From: Roland Smith <rsm...@xs4all.nl>
To: Brice ERRANDONEA <berrando...@yahoo.fr>
Sent: Wed 11 Aug 2010, 13:23:34
Subject: Re: Re : Re : How to connect a jail to the web ?

On Wed, Aug 11, 2010 at 11:07:59AM +0000, Brice ERRANDONEA wrote:
> OK, I'll try this. And, as you suggested, I switch my jail's IP to
> 192.168.1.1. Why do you use age0 as ext_if and not rl0 ?

Because rl(4) is just not the best quality network chip. It's really Windows quality hardware. The age(4) is on the motherboard, and I couldn't find a fxp(4) or em(4) based network card.

> Here's my ifconfig. Which interfaces should I use for ext_if in pf.conf ?
>
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=8<VLAN_MTU>
> ether 00:11:09:15:72:6a
> inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
> media: Ethernet autoselect (100baseTX <full-duplex>)
> status: active

In your case, the above rl0 is the only _real_ network chip.
As you can see from the "UP" flag, only rl0 and lo0 are actually active (and the loopback interface is always there). They also are the only ones that have an actual IP address.

If you don't want to run a firewall, you can alternatively add 'router_enable="YES"' to /etc/rc.conf. This will start the routed(8) daemon which by default forwards packets between interfaces.

> fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
> options=8<VLAN_MTU>
> ether 02:11:06:99:8a:ff
> ch 1 dma -1
> fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
> lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
> plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=3<RXCSUM,TXCSUM>
> inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> inet6 ::1 prefixlen 128
> inet 127.0.0.1 netmask 0xff000000
> nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

You could alias your jail to lo0.

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
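The host-side configuration this thread is working toward, written out as an added example (it is not from either poster): the jail aliased on rl0 with an address on the host's own LAN, a minimal pf.conf that exposes only the jail's web and ssh ports, and a resolver file for the jail. The jail address 192.168.1.39 and the resolver 192.168.1.1 are assumptions; substitute an unused LAN address and the host's own /etc/resolv.conf contents.

```conf
# --- /etc/rc.conf on the host (FreeBSD 8.x rc.d/jail) ---
# Per-jail variables are named after the entry in jail_list, so with
# jail_list="MaPrison" rc.d/jail reads jail_MaPrison_*, not jail_server_*.
jail_enable="YES"
jail_list="MaPrison"
jail_MaPrison_rootdir="/usr/prison"
jail_MaPrison_hostname="MaPrison"
# Assumed: 192.168.1.39 is unused on the LAN. rc.d/jail adds it as an alias
# on rl0, so the jail's packets leave with a routable LAN source address
# instead of 127.0.0.1, which nothing beyond the host can route back to.
jail_MaPrison_interface="rl0"
jail_MaPrison_ip="192.168.1.39"
jail_MaPrison_devfs_enable="YES"
jail_MaPrison_devfs_ruleset="devfsrules_jail"
# The host neither forwards nor NATs for the jail in this setup, so
# gateway_enable / router_enable stay off.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# --- /etc/pf.conf on the host ---
# Inbound on rl0: the jail accepts ssh and http, the host (192.168.1.38)
# accepts ssh only, everything else is dropped and logged to pflog.
ext_if="rl0"
host_ip="192.168.1.38"
jail_ip="192.168.1.39"
set skip on lo0
block in log on $ext_if
pass out on $ext_if keep state
# DHCP replies for the host's ifconfig_rl0="DHCP" lease
pass in on $ext_if proto udp from any port 67 to any port 68
pass in on $ext_if proto tcp from any to $host_ip port 22 keep state
pass in on $ext_if proto tcp from any to $jail_ip port { 22, 80 } keep state

# --- /usr/prison/etc/resolv.conf (the jail's own copy) ---
# The jail has its own /etc, so the host's resolver settings are invisible
# inside it; without this file "portsnap fetch" cannot look up its mirrors.
# Assumed: 192.168.1.1 is the LAN router's resolver.
nameserver 192.168.1.1
```

Verify from the host with jexec (jls shows the jid): `jexec <jid> fetch -o /dev/null http://www.freebsd.org/` needs no raw socket, so it works where ping does not. The jail's /etc/master.passwd is separate from the host's, so set its root password with `jexec <jid> passwd root` before trying ssh into it.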