Re : Re : Re : How to connect a jail to the web ?
.302933 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 343
09:08:50.303485 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 325
09:08:50.303938 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.304383 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
09:08:51.917971 IP FreeBSD.32837 > neufbox.domain: 24447+ PTR? 38.1.168.192.in-addr.arpa. (43)
09:08:51.918870 IP neufbox.domain > FreeBSD.32837: 24447* 1/0/0 (64)
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
FreeBSD#

Then, I started the jail. Firefox immediately stopped being able to browse websites. I tried a tcpdump on the host while running portsnap fetch in the jail :

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:43:50.334064 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:43:50.334499 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:43:50.334966 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:43:50.335402 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:43:50.335944 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:43:50.336560 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.41 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:44:20.333807 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:44:20.334246 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:44:20.334684 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:44:20.335165 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:44:20.335603 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:44:20.336040 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.336480 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
FreeBSD#

If you compare these two tcpdumps, you can see that the word "neufbox" is replaced by 192.168.1.1. It confirms that DNS is no longer running. Not easy...

Brice

From: Oliver Fromme
To: freebsd-questions@FreeBSD.ORG; berrando...@yahoo.fr
Sent: Thu 12 Aug 2010, 17:52:24
Subject: Re: Re : Re : How to connect a jail to the web ?

Brice ERRANDONEA wrote:
> On the host, when the jail is not running :
>
> %ifconfig
> rl0: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         media: Ethernet autoselect (100baseTX )

OK, so 192.168.1.38 is the only (non-localnet) IP address that you have. You should use that one for your jail.

> On the host when the jail is running :
>
> FreeBSD# jls
>    JID  IP Address      Hostname                      Path
>      1  93.0.168.242    MaPrison                      /usr/prison
> FreeBSD# ifconfig
> rl0: flags=8843 metric 0 mtu 1500
>         options=8
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>         media: Ethernet autoselect (100baseTX )

Where did you get that second IP address from? Did you just add it manually? Or is that the address that your gateway (DSL router, whatever) got assigned from your ISP?

I assume that IP address is not really routed to your host, but that NAT (Network Address Translation) is used on your router. So you cannot use that address on the host. (If that's not true, please explain the structure of your network in more detail.)

So, if my assumptions are true, you must use the address 192.168.1.38 for your jail. Make sure that DNS is working inside the jail ... It should be sufficient to copy /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

If it still doesn't work: Are you using any packet filter (ipfw, ipf, pf)? If so, please show the complete list of rules.

Otherwise, it might help to run tcpdump(1) on the host, so you can see the actual packets that are transmitted and received.

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M. Handelsreg
Re : Re : Re : How to connect a jail to the web ?
> Where did you get that second IP address from? Did you just
> add it manually? Or is that the address that your gateway
> (DSL router, whatever) got assigned from your ISP?

I added it manually in rc.conf (on the host) :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc" (yes, I'm French)
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"
jail_enable="NO"
jail_list="MaPrison"
jail_interface="rl0"
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"
jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="93.0.168.242"

I chose it because that's my computer's public IP, at least according to this website : http://whatismyipaddress.com/

> I assume that IP address is not really routed to your host,
> but that NAT (Network Address Translation) is used on your
> router. So you cannot use that address on the host.
> (If that's not true, please explain the structure of your
> network in more detail.)

My "network" is VERY simple. I've got a modem (or "box") provided by my phone company. It's called a "neufbox" and acts as a gateway. The computer with FreeBSD is connected to this "box" through an ethernet cable. Two other computers are connected to it via wifi.

> So, if my assumptions are true, you must use the address
> 192.168.1.38 for your jail. Make sure that DNS is working
> inside the jail ... It should be sufficient to copy
> /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

OK, I'll try this.

> If it still doesn't work: Are you using any packet filter
> (ipfw, ipf, pf)? If so, please show the complete list of
> rules.

No, I don't. I've tried pf but you told me it was not necessary.

> Otherwise, it might help to run tcpdump(1) on the host, so
> you can see the actual packets that are transmitted and
> received.

All right. I'll try it too.

Good bye for the moment and thanks for your help.

Brice

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re : Re : How to connect a jail to the web ?
Here they are.

On the host, when the jail is not running :

%ifconfig
rl0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:11:09:15:72:6a
        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX )
        status: active
fwe0: flags=8802 metric 0 mtu 1500
        options=8
        ether 02:11:06:99:8a:ff
        ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
        lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3

%netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS        16      434    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           1       98    rl0
192.168.1.38       link#1             UHS         0        0    lo0

On the host when the jail is running :

FreeBSD# jls
   JID  IP Address      Hostname                      Path
     1  93.0.168.242    MaPrison                      /usr/prison
FreeBSD# ifconfig
rl0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:11:09:15:72:6a
        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
        inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
        media: Ethernet autoselect (100baseTX )
        status: active
fwe0: flags=8802 metric 0 mtu 1500
        options=8
        ether 02:11:06:99:8a:ff
        ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
        lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        options=3
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3

FreeBSD# netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      474    rl0
93.0.168.242       link#1             UHS         0       20    lo0 =>
93.0.168.242/32    link#1             U           0        0    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           0      102    rl0
192.168.1.38       link#1             UHS         0        0    lo0

In the jail (running, of course) :

FreeBSD# jexec 1 ifconfig
rl0: flags=8843 metric 0 mtu 1500
        options=8
        ether 00:11:09:15:72:6a
        inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
        media: Ethernet autoselect (100baseTX )
        status: active
fwe0: flags=8802 metric 0 mtu 1500
        options=8
        ether 02:11:06:99:8a:ff
        ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
        lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
        options=3

FreeBSD# jexec 1 netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      480    rl0
93.0.168.242       link#1             UHS         0       20    lo0 =>
93.0.168.242/32    link#1             U           0        0    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           0      102    rl0
192.168.1.38       link#1             UHS         0        0    lo0

Do you find what's wrong ?

Brice

From: Oliver Fromme
To: freebsd-questions@FreeBSD.ORG; berrando...@yahoo.fr
Sent: Thu 12 Aug 2010, 14:52:00
Subject: Re: Re : How to connect a jail to the web ?

Brice ERRANDONEA wrote:
> 192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the
> public one. I tried both as the jail's address. With the private one, neither
> portsnap nor ping work at all.
>
> With the public one, I get this result :
> [...]
> FreeBSD# jexec 2 ping www.yahoo.fr
> ping: cannot resolve www.yahoo.fr: Host name lookup failure
> FreeBSD# jexec 2 ping 69.147.83.33
> PING 69.147.83.33 (69.147.83.33): 56 data bytes
> [...]
> 32 packets transmitted, 0 packets received, 100.0% packet loss

Please show the _complete_ output from "ifconfig" and "netstat -rnfinet".

Best regards
Oliver
Re : How to connect a jail to the web ?
192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the public one. I tried both as the jail's address. With the private one, neither portsnap nor ping work at all.

With the public one, I get this result :

FreeBSD# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
FreeBSD# /etc/rc.d/jail onestart server
Configuring jails:.
Starting jails: MaPrison.
FreeBSD# jexec 1 portsnap fetch
jexec: jail_attach(1): Invalid argument
FreeBSD# jls
   JID  IP Address      Hostname                      Path
     2  93.0.168.242    MaPrison                      /usr/prison
FreeBSD# jexec 2 portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
FreeBSD# jexec 2 ping www.yahoo.fr
ping: cannot resolve www.yahoo.fr: Host name lookup failure
FreeBSD# jexec 2 ping 69.147.83.33
PING 69.147.83.33 (69.147.83.33): 56 data bytes

Then, nothing during a few minutes, so I used :

^C
--- 69.147.83.33 ping statistics ---
32 packets transmitted, 0 packets received, 100.0% packet loss

Data can be sent to the net now but it seems they can't come back.

I also tried after opening the jail the same way you do :

FreeBSD# jail /usr/prison MaPrison 93.0.168.242 /bin/sh -E
# ping 69.147.83.33
PING 69.147.83.33 (69.147.83.33): 56 data bytes
^C
--- 69.147.83.33 ping statistics ---
30 packets transmitted, 0 packets received, 100.0% packet loss
# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
#

From: Oliver Fromme
To: freebsd-questions@FreeBSD.ORG; berrando...@yahoo.fr
Sent: Wed 11 Aug 2010, 22:55:11
Subject: Re: How to connect a jail to the web ?

Brice ERRANDONEA wrote:
> Oliver Fromme wrote:
> > sysctl security.jail.allow_raw_sockets=1
>
> I did it but ping still doesn't work.

Which IP address are you using for the jail now?

If you're using 127.0.0.1, you can only ping the host's own IP addresses, because packets with a localnet IP never leave a machine.

If you're using the "real" address (192.168.1.38) for the jail, then you should be able to ping all addresses that you can ping from the host.

I just did a quick test on my machine; it has the IP address 172.20.0.2 (which is being translated with NAT on my router, but that doesn't matter):

HOST# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
HOST# jail / testjail 172.20.0.2 /bin/sh -E
# ping www.google.com
PING www.l.google.com (66.102.13.105): 56 data bytes
64 bytes from 66.102.13.105: icmp_seq=0 ttl=54 time=31.196 ms
64 bytes from 66.102.13.105: icmp_seq=1 ttl=54 time=25.553 ms
64 bytes from 66.102.13.105: icmp_seq=2 ttl=54 time=27.086 ms

> > > 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
> >
> > Well, localnet addresses are not routed. If you give your
> > jail a localnet address, it won't be able to access the
> > network outside of the host. (Unless you take measures
> > to rewrite/translate the addresses and forward them.)
> > That's why DNS and portsnap don't work.
> >
> > I suggest using the address 192.168.1.38 for the jail,
> > at least during installation. Make sure that the file
> > /etc/resolv.conf inside the jail is correct, so DNS will
> > work. Copying it from the host should be sufficient.
>
> Isn't 192.168.1.38 a localnet address too ?

It's a private address (RFC 1918). I assume that you've got a NAT router that translates it to a public IP address.

> Do you mean I should use the public ip of my computer here ?

Do you have one? So far you only mentioned 192.168.1.38.

> I thought it was intended to be impossible to access the host from the jail.

It depends on what you want to do with the jail. Jails can be used for vastly different purposes.

> But you're right : I'll forget that.

Good. :-)

Best regards
Oliver
Re: How to connect a jail to the web ?
Thank you very much for your answer. It helped me understand some elements. But portsnap still doesn't work.

>> So, I can't contact DNS servers able to translate www.freebsd.org to
>> its ip. Since I know this ip, I tried : "ping 69.147.83.33". This
>> time, the error message is :
>>
>> ping: socket: Operation not permitted

> ping(1) uses raw sockets in order to be able to send and
> receive ICMP packets. By default, raw sockets are disallowed
> in jails. To change that, use this command on the host:
>
> sysctl security.jail.allow_raw_sockets=1
>
> Add an entry to /etc/sysctl.conf so the setting will survive
> reboots.

I did it but ping still doesn't work.

>> 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

> Well, localnet addresses are not routed. If you give your
> jail a localnet address, it won't be able to access the
> network outside of the host. (Unless you take measures
> to rewrite/translate the addresses and forward them.)
> That's why DNS and portsnap don't work.
>
> I suggest using the address 192.168.1.38 for the jail,
> at least during installation. Make sure that the file
> /etc/resolv.conf inside the jail is correct, so DNS will
> work. Copying it from the host should be sufficient.

Isn't 192.168.1.38 a localnet address too ? Do you mean I should use the public ip of my computer here ?

> By the way, you don't have to build ports inside the jail.
> Of course you *can* do that, but there are other ways, too.
> For example, you could build packages (apache etc.) on
> the host, or in a different jail, or even on a different
> machine, and then use pkg_add(8) inside your jail to
> install them.

I prefer doing it that way. I will use apache later so I will have to connect the jail to internet anyway.

>> And also how the computer knows which data is for the jail and which
>> one is for the loopback.

> Services (such as apache) listen on certain ports for
> connections. For example, the default port for the HTTP
> protocol is 80. So, when someone is trying to open a
> connection to your IP address on port 80, your kernel
> looks it up in its table of listening TCP sockets and
> finds the apache process which is running inside the jail.
> So the connection is handed to the jail.
> (This is a bit oversimplifying, but basically that's how
> it works.)

OK. This is clear. And it explains how multiple jails can share the same address.

>> Despite the sshd_enable="YES" line, I can't ssh from the host to the
>> jail. Well, I can... The first time I did it, I was asked if I wanted
>> to add the jail to the list of known hosts. I did it. No problem
>> there. But, immediately after that, instead of displaying "login :",
>> the system displayed "passwd :".

> That's normal. ssh never asks for the login. You can use the -l
> option if you need to specify a different user name (or put it in your
> ~/.ssh/config).

Of course. I'm losing my mind with all that jail trouble. It works perfectly well with the -l option.

> Some paranoid people have a special "login jail". They
> ssh into the login jail, then log into the host or into
> other jails from there. The host accepts ssh only from
> localhost. But please forget this immediately; we don't
> want to make things more complicated than necessary.

I thought it was intended to be impossible to access the host from the jail. But you're right : I'll forget that.

So, we're progressing. But the problem is not over yet. Any other idea ?

Have a good evening, anyway.

Brice
Re : How to connect a jail to the web ?
I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache http server running inside. So, the jail must have a public IPv4 and access to the web. What I'd understood of the jails' role (but I must have misunderstood) is that it will have a different public ip than the host, so that if a pirate manages to crack the server, he will only have access to the jail (the real public ip of the host remaining secret). Then I'm surprised to learn that such traffic will be routed through the host.

The jail is created. The next step now is to install the ports collection inside with portsnap fetch. But each time I try to run this command inside the jail (with jexec), I get the same answer :

Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.

This makes me think my jail is not connected to the web. To check this, I tried to ping various known websites. When I tried domain names, like "ping www.freebsd.org", this error message appears :

ping: cannot resolve www.freebsd.org : Host name lookup failure

So, I can't contact DNS servers able to translate www.freebsd.org to its ip. Since I know this ip, I tried : "ping 69.147.83.33". This time, the error message is :

ping: socket: Operation not permitted

From this, I concluded my jail was not connected to the web. Meanwhile, I've understood that, anyway, the ping command is forbidden inside a jail. But the "portsnap fetch" one is not.

It seems that the local ip given to the jail has to be an alias of an existing one. I'm not on a local network so I only have 2 real network interfaces : rl0 (192.168.1.38) and the loopback lo0 (127.0.0.1). 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail. By the way, I wonder which one I will be able to choose if I ever have to create a second jail. And also how the computer knows which data is for the jail and which one is for the loopback.

I also added the line "net.inet.ip.forwarding=1" to sysctl.conf (on the host).

And here is the rc.conf of my jail :

devfs_system_ruleset="devfsrules_jail"
network_interfaces=""
sshd_enable="YES"
sendmail_enable="NO"
rpcbind_enable="NO"

Despite the sshd_enable="YES" line, I can't ssh from the host to the jail. Well, I can... The first time I did it, I was asked if I wanted to add the jail to the list of known hosts. I did it. No problem there. But, immediately after that, instead of displaying "login :", the system displayed "passwd :". And none of the passwords I had set with sysinstall (for the root and the common user) were accepted. That's why I can only run commands inside the jail with jexec. It's not that big a problem for the moment but one purpose of the jail is also (I believe) to ssh into them from a distant computer without accessing the host.

It was not clear after the various answers I received if I had to use a firewall or not so I tried both ways.

Without the firewall, the rc.conf of my host is :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc" (yes, I'm French)
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"
jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0" (I also tried rl0 here)
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"
jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"
gateway_enable="YES"
router_enable="YES"

Since I've added this last line (router_enable="YES"), I have to press Enter at the end of the bootup process to obtain the "login :". Again, it's not a big problem but nonetheless a strange one.

With this configuration, portsnap fetch continues to give me the same error message I mentioned before.

With the firewall (pf), now, the rc.conf of my host becomes :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"
jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0"
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"
jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
How to connect a jail to the web ?
Hello,

I've just created my first FreeBSD jail in order to install a web server inside. But I don't know how to connect it to the web. When I try pinging an http website, it doesn't work. Of course, it works when I do it from outside the jail.

Another problem, probably linked to the first one, I can't run rc within the jail, even as the jail's root. It says : permission denied.

Here's how I built and started my jail. I had already run make buildworld when upgrading to 8.1 release :

# mkdir /usr/prison
# cd /usr/src
# make installworld DESTDIR=/usr/prison
# make distribution DESTDIR=/usr/prison
# mount -t devfs devfs /usr/prison/dev
# jail -c path=/usr/prison host.hostname=ServeurWeb ip4.addr=192.1.1.1 persist
# jail /usr/prison ServeurWeb 192.1.1.1 csh

I guess this must be a very basic question but please help me.
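The replies in this thread boil down to one rule: a jail has no network stack of its own, so the address you give it must be one the host itself can use on its LAN segment. 127.0.0.1 never leaves the machine, and the "public IP" reported by a what-is-my-IP site belongs to the NAT router, not to the host. The same rule rejects the 192.1.1.1 used in this first post, which is neither a private range nor on the host's 192.168.1.0/24 subnet. The script below is an added example, not code from the thread or from FreeBSD; it runs offline against a constructed ifconfig sample modelled on the host described above (rl0 on 192.168.1.0/24 behind a NAT router), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: offline sanity checks for the IPv4
# address you are about to give a FreeBSD jail. A jail shares the host's
# network stack, so its address must be one the host can actually use on its
# own LAN segment. SAMPLE_IFCONFIG is a constructed sample modelled on the
# host in this thread; on a real host substitute "$(ifconfig -a)".

SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:09:15:72:6a
        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Classify an address: loopback, private (RFC 1918) or public.
ip_class() {
    case "$1" in
        127.*)                                 echo loopback ;;
        10.*|192.168.*)                        echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *)                                     echo public ;;
    esac
}

# Succeed if ADDR falls inside a subnet configured on a non-loopback
# interface in the given ifconfig output. The router's WAN address
# (what "what is my IP" sites report) never passes this test.
in_host_subnet() {
    _a=$(ip2int "$1")
    for _pair in $(printf '%s\n' "$2" |
                   awk '$1 == "inet" && $2 !~ /^127\./ { print $2 "/" $4 }'); do
        _ifaddr=${_pair%/*}; _mask=$(( ${_pair#*/} ))
        [ $(( _a & _mask )) -eq $(( $(ip2int "$_ifaddr") & _mask )) ] && return 0
    done
    return 1
}

# Verdict for a candidate jail address; returns 0 only when the jail could
# reach the Internet through the host's default route.
jail_ip_check() {
    _cls=$(ip_class "$1")
    if [ "$_cls" = loopback ]; then
        echo "$1: loopback, packets never leave the host"
        return 1
    fi
    if ! in_host_subnet "$1" "$2"; then
        echo "$1: $_cls address outside every host subnet (not the host's address)"
        return 1
    fi
    echo "$1: $_cls address on the host's LAN segment, usable for the jail"
    return 0
}

# The addresses tried in this thread, checked against the sample host.
for _ip in 127.0.0.1 192.1.1.1 93.0.168.242 192.168.1.38; do
    jail_ip_check "$_ip" "$SAMPLE_IFCONFIG" || :
done
```

Passing this check is necessary, not sufficient: the jail also needs a usable /etc/resolv.conf (copying the host's is enough, as Oliver notes), ping inside the jail needs security.jail.allow_raw_sockets=1 on the host, and with a private address the jail's traffic is translated by the same NAT router as the host's, so it shares the host's public address rather than hiding it.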