Re: Jails and IP Aliasing

2008-07-08 Thread Matthew Seaman

Jason Morgan wrote:

On 2008.07.07 12:16:44, David Allen wrote:



# grep fxp0 /etc/rc.conf
ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffffff"
ifconfig_fxp0_alias2="10.0.1.5 netmask 0xffffffff"

My understanding from the handbook is that the mask should be set to all
ones if the alias is for an address that's part of the same network.  For
a different segment, it's the first alias that should be set to the real
netmask, with any additional aliases using a netmask of all ones.

Granted, the broadcast addresses look odd.  If my programming skills
were better, I'd just read through the code and understand what's really
happening, but for now, I'm just taking the FreeBSD folks at their word at
following instructions.  That's a roundabout way of saying I think your
aliases are set up incorrectly.  ;-)


That is quite possible (I do notice the newer documentation calling
for netmask 0xffffffff). But I have never had any trouble over the
last three years so, you know how it is, if it ain't (too) broke ...


Using a /32 netmask for aliases in the same network as the primary
address used to be mandatory until sometime during the 6.x RELEASE
series.  It is still recommended in the various documentation, and
it does make it clear to the administrator which is the primary
address when looking at ifconfig output, when that distinction is
important[*].

Using the 'natural' netmask for the network the aliases are part of
has worked for several years: this seems to be what most new users
expect and it's familiar for users of other operating systems.  As
far as I know, there is no technical or performance reason to prefer
one style over the other -- just a matter of administrator preference.

Cheers,

Matthew

[*] ie. which is the source address used for connection /from/ the
server.  If all the aliases are used for jails, or all your software
is configured to bind to one or other of the addresses this doesn't
come into play.

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW



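The two alias styles Matthew contrasts, as a check you can run over rc.conf. This is an added example, not code from the thread or from FreeBSD: it parses ifconfig_<if> and ifconfig_<if>_aliasN lines, computes each alias's broadcast address (with an all-ones mask the broadcast is the address itself, which is the "odd" broadcast David noticed) and applies the handbook rule David quotes: an alias on a network the interface already carries gets netmask 0xffffffff, while the first alias on a new network keeps that network's real mask. The rc.conf text is constructed from the thread's addresses; the second network, 192.168.7.0/24, is an assumption added to exercise the rule. As Matthew says, the natural mask also works on current releases, so the output is advice about the documented style, not an error report.

```python
"""rc.conf alias lint: compute each alias's broadcast address and apply the
handbook rule quoted in this thread. Added example, not code from the thread
or from FreeBSD; RC_CONF is constructed from the thread's addresses plus an
assumed second network, 192.168.7.0/24."""
import ipaddress
import re

RC_CONF = """\
ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffff00"
ifconfig_fxp0_alias2="192.168.7.1 netmask 0xffffff00"
ifconfig_fxp0_alias3="192.168.7.2 netmask 0xffffff00"
"""

ALL_ONES = ipaddress.IPv4Address("255.255.255.255")
LINE_RE = re.compile(
    r'^ifconfig_(?P<ifn>[A-Za-z0-9]+)(?:_alias(?P<n>\d+))?=["\']?(?P<val>[^"\']*)')


def parse_mask(token):
    """Accept the hex form rc.conf uses (0xffffff00), a dotted quad or a prefix length."""
    if token.lower().startswith("0x"):
        return ipaddress.IPv4Address(int(token, 16))
    if "." in token:
        return ipaddress.IPv4Address(token)
    return ipaddress.IPv4Network(("0.0.0.0", int(token))).netmask


def broadcast(addr, mask):
    """Address with all host bits set. With an all-ones mask there are no host
    bits, so the broadcast is the address itself (David's 'odd' broadcast)."""
    return ipaddress.IPv4Address(int(addr) | (~int(mask) & 0xFFFFFFFF))


def network_of(addr, mask):
    return ipaddress.IPv4Network((str(addr), str(mask)), strict=False)


def parse_rc_conf(text):
    """{ifname: {"primary": (addr, mask) or None, "aliases": [(n, addr, mask)]}}"""
    ifaces = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        toks = m.group("val").split()
        if "netmask" not in toks:
            continue  # DHCP, "up", media options etc. carry no address
        i = toks.index("netmask")
        addr, mask = ipaddress.IPv4Address(toks[i - 1]), parse_mask(toks[i + 1])
        entry = ifaces.setdefault(m.group("ifn"), {"primary": None, "aliases": []})
        if m.group("n") is None:
            entry["primary"] = (addr, mask)
        else:
            entry["aliases"].append((int(m.group("n")), addr, mask))
    for entry in ifaces.values():
        entry["aliases"].sort()  # rc applies alias0, alias1, ... in order
    return ifaces


def lint(ifaces):
    """One (ifname, address, broadcast, advice) tuple per alias."""
    out = []
    for ifn, entry in ifaces.items():
        covered = []  # networks that already have a full-mask address on ifn
        if entry["primary"] is not None:
            covered.append(network_of(*entry["primary"]))
        for _, addr, mask in entry["aliases"]:
            bcast = broadcast(addr, mask)
            if mask == ALL_ONES:
                advice = "ok: /32 alias, broadcast is the address itself"
            else:
                net = network_of(addr, mask)
                if net in covered:
                    advice = f"handbook style is netmask 0xffffffff: {net} is already on {ifn}"
                else:
                    covered.append(net)
                    advice = f"ok: first address on {net}, keeps the real mask"
            out.append((ifn, str(addr), str(bcast), advice))
    return out


if __name__ == "__main__":
    for ifn, addr, bcast, advice in lint(parse_rc_conf(RC_CONF)):
        print(f"{ifn} {addr:<15} broadcast {bcast:<15} {advice}")
```

Point it at a real file with `lint(parse_rc_conf(open("/etc/rc.conf").read()))`; only lines of the `ifconfig_<if>=` and `ifconfig_<if>_aliasN=` shape with an explicit netmask are considered.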


Re: Jails and IP Aliasing

2008-07-08 Thread Ivailo Tanusheff
Hi,

I guess the problem is with your netmask and respectively the broadcast 
addresses for the jails.
It should be:

inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255

Regards,

Ivailo Tanusheff
Deputy Head of IT Department
ProCredit Bank (Bulgaria) AD




From: Jason Morgan [EMAIL PROTECTED] (sent by [EMAIL PROTECTED])
Date: 07.07.2008 21:01
To: FreeBSD Questions freebsd-questions@freebsd.org
Subject: Re: Jails and IP Aliasing

Hello,

On 2008.07.07 09:51:33, David Allen wrote:
 Unless I'm losing my mind, I'm encountering what seems to be yet another
 gotcha with jails.  The following has been dumbed down for clarity and
 brevity.
 
 -
 # hostname
 jailhost.example.org
 
 # host jailhost
 jailhost.example.org has address 10.0.1.2
 
 # ifconfig fxp0
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 ether 00:07:e9:c8:2e:32
 inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
 inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
 inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active

This is the output for my jail interface. Notice that your jail
aliases are broadcasting on the jail's IP. I don't know if this is an
issue or not (my jails run on i386 FBSD 6.3), but it's something to
look at. How are you setting the aliases?

sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
 inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
 inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
 ether xx:xx:xx:xx:xx:xx
 media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
 status: active

Cheers,
~Jason
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to 
[EMAIL PROTECTED]



Re: Jails and IP Aliasing

2008-07-08 Thread Mel
On Monday 07 July 2008 18:51:33 David Allen wrote:

 Granted, everything is really happening over the loopback address, but a
 connection originating from the jailhost to a jail should appear to be
 using the jailhost's IP address, or so I'd like to think.  If it doesn't,
 then the scenario is awkward at best when trying to understand or debug
 issues.

To debug this, you need to 'add jail support to sockstat'. This sounds hard, 
and it is, but you can fake it, since sockstat gives you the PID. With a 
little creative scripting, you can call `ps -o state' for each PID in the 
list, look for the capital 'J' and if it is, add the 'J' to the line.

 The thought occurred to me, however, that I could add a new network card
 and reserve that for the IP aliases needed by the jails.  But I'm not sure
 whether that will work in telling me who's who, or whether I'll discover
 another gotcha.  ;-)

It will add more gotchas, unless you put each network card in a different 
network. With the IPs given here, you tell the host that 10.0.1.0/24 is on 
fxp0, so it will never go to fxp1 for 10.0.1.4.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: Jails and IP Aliasing

2008-07-08 Thread Mel
On Tuesday 08 July 2008 11:13:04 Ivailo Tanusheff wrote:
 Hi,

 I guess the problem is with your netmask and respectively the broadcast
 addresses for the jails.
 It should be:

 inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
 inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
 inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255

You guess wrong. Aliases SHOULD (as in IETF RFC should) have 255.255.255.255 
netmask.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: Jails and IP Aliasing

2008-07-08 Thread Ivailo Tanusheff
No, I am right.
Try it yourself and you will see that solves the issue. I have several 
jails on different machines and this way the system works without any 
error or problem.
Try it and see it :)

Regards,

Ivailo Tanusheff




From: Mel [EMAIL PROTECTED] (sent by [EMAIL PROTECTED])
Date: 08.07.2008 12:38
To: freebsd-questions@freebsd.org
Subject: Re: Jails and IP Aliasing

On Tuesday 08 July 2008 11:13:04 Ivailo Tanusheff wrote:
 Hi,

 I guess the problem is with your netmask and respectively the broadcast
 addresses for the jails.
 It should be:

 inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
 inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
 inet 10.0.1.4 netmask 0xffffff00 broadcast 10.0.1.255

You guess wrong. Aliases SHOULD (as in IETF RFC should) have 
255.255.255.255 
netmask.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: Jails and IP Aliasing

2008-07-08 Thread David Allen
On Mon, Jul 7, 2008 at 2:01 PM, George Hartzell [EMAIL PROTECTED] wrote:

 Did you take the necessary steps to restrict the IP addresses on which
 sendmail on the host and the jail listen?  The jail man page only
 says:

I don't think anyone would get too far with jails in general if the
jail host wasn't properly configured beforehand.  To answer your
question, sendmail on the jail host is listening to the loopback
address only.  And to the extent it's not redundant or meaningless,
within each jail, sendmail is configured to listen to the jail's IP
address only.

Regrettably, the problem isn't specific to sendmail or any other
service, as an ssh connection would exhibit identical behaviour.  Put
simply, all connections from the jail host to any jail are reported as
using that jail's IP address only.  Doesn't matter if you're viewing the
state from the perspective of the jail host, or from within the jail
itself.   Both ends of the connection have the same IP address.


Re: Jails and IP Aliasing

2008-07-08 Thread David Allen
On Tue, Jul 8, 2008 at 2:24 AM, Mel [EMAIL PROTECTED] wrote:
 On Monday 07 July 2008 18:51:33 David Allen wrote:

 Granted, everything is really happening over the loopback address, but a
 connection originating from the jailhost to a jail should appear to be
 using the jailhost's IP address, or so I'd like to think.  If it doesn't,
 then the scenario is awkward at best when trying to understand or debug
 issues.

 To debug this, you need to 'add jail support to sockstat'. This sounds hard,
 and it is, but you can fake it, since sockstat gives you the PID. With a
 little creative scripting, you can call `ps -o state' for each PID in the
 list, look for the capital 'J' and if it is, add the 'J' to the line.

Been there and done that.  When I first started working with jails, I
discovered that most standard utilities didn't offer any support for
jails, and chaining commands got to be really old fast.   I ended up
writing a few Perl scripts and routinely use those instead.  IIRC,
there's a jail-related port that offers a collection of something
similar.

Still, we're talking about a very limited subset of tools and
functionality.  What about tcpdump?  Or firewall rules?  Or any other
network tool?

There was a post recently (Matthew Seaman's name comes to mind) that
suggested binding jails to addresses in the loopback range and then
using firewall rules to redirect the traffic accordingly.  There's a
possibility that may help in this case, but that layer of added
complexity isn't much of an improvement over seeing connections with
seemingly identical endpoints and interpreting the results in my head.

 The thought occurred to me, however, that I could add a new network card
 and reserve that for the IP aliases needed by the jails.  But I'm not sure
 whether that will work in telling me who's who, or whether I'll discover
 another gotcha.  ;-)

 It will add more gotchas, unless you put each network card in a different
 network. With the IPs given here, you tell the host that 10.0.1.0/24 is on
 fxp0, so it will never go to fxp1 for 10.0.1.4.

You're probably right.  I'm wondering, though, if by moving the jails
into their own network space and adding routing into the mix, the end
result may be more satisfactory?

Setting aside the fun of mental gymnastics, the conclusion seems to be
don't run anything on the jail host that would initiate a connection
to a service running inside a jail.  Unless, of course, you don't mind
being confused (at least from a networking perspective) by WTF you're
seeing.  ;-)

Either way, thanks very much for the input.


Re: Jails and IP Aliasing

2008-07-08 Thread Matthew Seaman

David Allen wrote:


There was a post recently (Matthew Seaman's name comes to mind) that
suggested binding jails to addresses in the loopback range and then
using firewall rules to redirect the traffic accordingly.  There's a
possibility that may help in this case, but that layer of added
complexity isn't much of an improvement over seeing connections with
seemingly identical endpoints and interpreting the results in my head.


Guilty as charged M'lud.

However what I recommended was a more-than-slightly hacky way to achieve 
three things:


  * Something like a loopback address inside the jail.  It may be
127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
to use it for loopback style things.

  * The ability to map several IPs onto the jailed system by use of
NAT and redirect within firewall rules

  * The ability to have a jail with /no/ external IP for when the
paranoia becomes unbearable[*].

Of course, all this will be immediately obsoleted by Marco Zec's work
on virtualizing the IP stack.  http://imunes.tel.fer.hr/virtnet/

Cheers,

Matthew

[*] Combine this with a Hardware Load Balancer that does Direct Server
Return and you can have a publicly accessible jailed server with /no
external IP address/.


--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW





Re: Jails and IP Aliasing

2008-07-08 Thread Daniel Gerzo

Hello,

* Something like a loopback address inside the jail.  It may be
  127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
  to use it for loopback style things.
 
* The ability to map several IPs onto the jailed system by use of
  NAT and redirect within firewall rules
 
* The ability to have a jail with /no/ external IP for when the
  paranoia becomes unbearable[*].

Most of this is actually implemented by [EMAIL PROTECTED]. You can find some
patches at http://sources.zabbadoz.net/freebsd/jail.html

-- 
Best regards,
  Daniel Gerzo



Re: Jails and IP Aliasing

2008-07-08 Thread Chris St Denis

Daniel Gerzo wrote:

Hello,

  

   * Something like a loopback address inside the jail.  It may be
 127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
 to use it for loopback style things.

   * The ability to map several IPs onto the jailed system by use of
 NAT and redirect within firewall rules

   * The ability to have a jail with /no/ external IP for when the
 paranoia becomes unbearable[*].



Most of this is actually implemented by [EMAIL PROTECTED]. You can find some
patches at http://sources.zabbadoz.net/freebsd/jail.html

These patches (in various forms) have been around since version 4.x. Why 
has none of this functionality ever been committed to head?



Re: Jails and IP Aliasing

2008-07-08 Thread Mel
On Tuesday 08 July 2008 11:24:33 Mel wrote:
 On Monday 07 July 2008 18:51:33 David Allen wrote:
  Granted, everything is really happening over the loopback address, but a
  connection originating from the jailhost to a jail should appear to be
  using the jailhost's IP address, or so I'd like to think.  If it doesn't,
  then the scenario is awkward at best when trying to understand or debug
  issues.

 To debug this, you need to 'add jail support to sockstat'. This sounds
 hard, and it is

It's actually not that hard, though it stretches the output width. Diff 
inlined below sig, for RELENG_7. 

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.

Index: sockstat.c
===
RCS file: /home/ncvs/src/usr.bin/sockstat/sockstat.c,v
retrieving revision 1.17
diff -u -r1.17 sockstat.c
--- sockstat.c  16 Jun 2007 20:24:55 -  1.17
+++ sockstat.c  8 Jul 2008 19:40:11 -
@@ -94,6 +94,11 @@
struct sock *next;
 };
 
+struct procinfo {
+   const char *procname;
+   int jid;
+};
+
 #define HASHSIZE 1009
 static struct sock *sockhash[HASHSIZE];
 
@@ -513,13 +518,16 @@
return xprintf(%s:%d, addrstr, port);
 }
 
-static const char *
-getprocname(pid_t pid)
+static int
+getprocinfo(pid_t pid, struct procinfo *pi_ptr)
 {
static struct kinfo_proc proc;
size_t len;
int mib[4];
 
+   if( pi_ptr == NULL )
+   return -1;
+
mib[0] = CTL_KERN;
mib[1] = KERN_PROC;
mib[2] = KERN_PROC_PID;
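Review bot: the NULL check that opens getprocinfo() is written 'if( pi_ptr == NULL )' with a bare 'return -1;', while the surrounding file and the end of this same function ('return (0);') follow style(9): a space after 'if', none inside the parentheses, and a parenthesized return value. The check is also only defensive, since the one caller in this patch passes the address of a stack variable; keeping it is fine, but make the style match.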
@@ -529,9 +537,12 @@
/* Do not warn if the process exits before we get its name. */
if (errno != ESRCH)
warn(sysctl());
-   return (??);
+   return -1;
}
-   return (proc.ki_comm);
+   pi_ptr-procname = proc.ki_comm;
+   pi_ptr-jid = proc.ki_jid;
+
+   return (0);
 }
 
 static int
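Review bot: this function now mixes 'return -1;' on the error path with 'return (0);' on success; use the parenthesized form throughout. More importantly, 'pi_ptr-procname = proc.ki_comm;' hands out a pointer into the static kinfo_proc buffer declared at the top of the function, so the name is only valid until the next getprocinfo() call. That holds for the single caller below, which prints before looping, but the struct procinfo definition should say so, or procname should become a fixed-size array that the name is copied into.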
@@ -564,11 +575,12 @@
struct passwd *pwd;
struct xfile *xf;
struct sock *s;
+   struct procinfo pi;
void *p;
int hash, n, pos;
 
-   printf(%-8s %-10s %-5s %-2s %-6s %-21s %-21s\n,
-   USER, COMMAND, PID, FD, PROTO,
+   printf(%-8s %-10s %-5s %-5s %-2s %-6s %-21s %-21s\n,
+   USER, COMMAND, PID, JID, FD, PROTO,
LOCAL ADDRESS, FOREIGN ADDRESS);
setpassent(1);
for (xf = xfiles, n = 0; n  nxfiles; ++n, ++xf) {
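Review bot: the JID column is added to the header unconditionally, so every consumer of sockstat's fixed-width output (scripts that cut on column positions, as the message itself notes the output gets wider) sees the LOCAL ADDRESS and FOREIGN ADDRESS columns shift. Consider printing the column only when an option asks for it, or at least document the new layout in the man page together with this change.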
@@ -583,33 +595,41 @@
if (!check_ports(s))
continue;
pos = 0;
+   if( -1 == getprocinfo(xf-xf_pid, pi) )
+   {
+   pi.procname = ??;
+   pi.jid = -1;
+   }
if ((pwd = getpwuid(xf-xf_uid)) == NULL)
pos += xprintf(%lu, (u_long)xf-xf_uid);
else
pos += xprintf(%s, pwd-pw_name);
while (pos  9)
pos += xprintf( );
-   pos += xprintf(%.10s, getprocname(xf-xf_pid));
+   pos += xprintf(%.10s, pi.procname);
while (pos  20)
pos += xprintf( );
pos += xprintf(%lu, (u_long)xf-xf_pid);
while (pos  26)
pos += xprintf( );
+   pos += xprintf(%u, pi.jid);
+   while (pos  32)
+   pos += xprintf( );
pos += xprintf(%d, xf-xf_fd);
-   while (pos  29)
+   while (pos  35)
pos += xprintf( );
pos += xprintf(%s, s-protoname);
if (s-vflag  INP_IPV4)
pos += xprintf(4);
if (s-vflag  INP_IPV6)
pos += xprintf(6);
-   while (pos  36)
+   while (pos  42)
pos += xprintf( );
switch (s-family) {
case AF_INET:
case AF_INET6:
pos += printaddr(s-family, s-laddr);
-   while (pos  58)
+   while (pos  64)
pos += xprintf( );
pos += printaddr(s-family, s-faddr);
break;
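Review bot: when getprocinfo() fails the fallback sets 'pi.jid = -1;' but the value is then printed with the '%u' format, so a process that exits between the two sysctl calls shows up with a JID of 4294967295, which is wrong and also overruns the five-character column that the following position check against 32 assumes. Print the sentinel as text (the '??' already used for the missing name would do), or print jid with '%d' and widen the column. Minor: 'if( -1 == getprocinfo(xf-xf_pid, pi) )' with the opening brace on its own line does not match the style of the surrounding loop body.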


Re: Jails and IP Aliasing

2008-07-08 Thread David Allen
On Tue, Jul 8, 2008 at 9:35 AM, Matthew Seaman
[EMAIL PROTECTED] wrote:
 David Allen wrote:

 There was a post recently (Matthew Seaman's name comes to mind) that
 suggested binding jails to addresses in the loopback range and then
 using firewall rules to redirect the traffic accordingly.  There's a
 possibility that may help in this case, but that layer of added
 complexity isn't much of an improvement over seeing connections with
 seemingly identical endpoints and interpreting the results in my head.

 Guilty as charged M'lud.

Stand up, fool, lest I be forced to lower my knee and acknowledge your presence
in a manner befitting a man as yourself.

 However what I recommended was a more-than-slightly hacky way to achieve
 three things:

  * Something like a loopback address inside the jail.  It may be
127.0.0.2 instead of 127.0.0.1 but most software can be persuaded
to use it for loopback style things.

  * The ability to map several IPs onto the jailed system by use of
NAT and redirect within firewall rules

  * The ability to have a jail with /no/ external IP for when the
paranoia becomes unbearable[*].

It could be said that those three expand into more numerous
achievements.  I'm still debating the more-than-slightly hacky aspects
of such an arrangement, but undeniably it's interesting enough.

 Of course, all this will be immediately obsoleted by Marco Zec's work
 on virtualizing the IP stack.  http://imunes.tel.fer.hr/virtnet/

Promising, even exciting, but I'm having trouble deciding whether I
declare a victory for the triumph of optimism over experience, or
offer the comment that the Real Soon Now schedule is a disappointment?
Seriously, though, jails can be seen as the greatest thing since sliced bread,
but I have this nagging feeling I'm at work writing a small book that details
their niggly shortcomings, a book whose completion, I hope, will be cut
short by the addition of New and Improved features.


Jails and IP Aliasing

2008-07-07 Thread David Allen
Unless I'm losing my mind, I'm encountering what seems to be yet another
gotcha with jails.  The following has been dumbed down for clarity and
brevity.

-
# hostname
jailhost.example.org

# host jailhost
jailhost.example.org has address 10.0.1.2

# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
ether 00:07:e9:c8:2e:32
inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
media: Ethernet autoselect (100baseTX full-duplex)
status: active

# grep jail /etc/rc.conf
...
jail_ns_hostname="ns.example.org"
jail_ns_ip="10.0.1.3"
...
jail_mail_hostname="mail.example.org"
jail_mail_ip="10.0.1.4"

# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   11556 4  tcp4   10.0.1.4:25           *:*
root     syslogd    10591 6  udp4   10.0.1.4:514          *:*
root     sendmail   10438 4  tcp4   10.0.1.3:25           *:*
bind     named      4011  20 udp4   10.0.1.3:53           *:*
bind     named      4011  21 tcp4   10.0.1.3:53           *:*
bind     named      4011  22 tcp4   10.0.1.3:953          *:*
root     syslogd    897   6  udp4   10.0.1.3:514          *:*
root     sshd       715   3  tcp4   10.0.1.2:22           *:*
root     syslogd    563   6  udp4   127.0.0.1:514         *:*
root     sendmail   489   4  tcp4   127.0.0.1:25          *:*

-

If I telnet from the jailhost to mail.example.org 25, for example, both
outgoing and incoming connections appear to sockstat, tcpdump, etc. on the
jailhost as using the jail's IP address!  Similarly, if I perform a DNS
lookup on the jailhost (using the ns.example.org jail for resolution),
both incoming and outgoing connections occur on the jail's IP address.

Granted, everything is really happening over the loopback address, but a
connection originating from the jailhost to a jail should appear to be
using the jailhost's IP address, or so I'd like to think.  If it doesn't,
then the scenario is awkward at best when trying to understand or debug
issues.

The thought occurred to me, however, that I could add a new network card
and reserve that for the IP aliases needed by the jails.  But I'm not sure
whether that will work in telling me who's who, or whether I'll discover
another gotcha.  ;-)

Comments, questions and complaints all welcomed.


Re: Jails and IP Aliasing

2008-07-07 Thread Jason Morgan
Hello,

On 2008.07.07 09:51:33, David Allen wrote:
 Unless I'm losing my mind, I'm encountering what seems to be yet another
 gotcha with jails.  The following has been dumbed down for clarity and
 brevity.
 
 -
 # hostname
 jailhost.example.org
 
 # host jailhost
 jailhost.example.org has address 10.0.1.2
 
 # ifconfig fxp0
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 ether 00:07:e9:c8:2e:32
 inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
 inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
 inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active

This is the output for my jail interface. Notice that your jail
aliases are broadcasting on the jail's IP. I don't know if this is an
issue or not (my jails run on i386 FBSD 6.3), but it's something to
look at. How are you setting the aliases?

sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
 inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
 inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
 ether xx:xx:xx:xx:xx:xx
 media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
 status: active

Cheers,
~Jason


Re: Jails and IP Aliasing

2008-07-07 Thread David Allen
On Mon, Jul 7, 2008 at 10:54 AM, Jason Morgan
[EMAIL PROTECTED] wrote:
 On 2008.07.07 09:51:33, David Allen wrote:
 Unless I'm losing my mind, I'm encountering what seems to be yet another
 gotcha with jails.  The following has been dumbed down for clarity and
 brevity.

 -
 # hostname
 jailhost.example.org

 # host jailhost
 jailhost.example.org has address 10.0.1.2

 # ifconfig fxp0
 fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 ether 00:07:e9:c8:2e:32
 inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
 inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
 inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active

 This is the output for my jail interface. Notice that your jail
 aliases are broadcasting on the jail's IP. I don't know if this is an
 issue or not (my jails run on i386 FBSD 6.3), but it's something to
 look at. How are you setting the aliases?

 sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
 inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
 inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
 ether xx:xx:xx:xx:xx:xx
 media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
 status: active

My own aliases:

# grep fxp0 /etc/rc.conf
ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffffff"
ifconfig_fxp0_alias2="10.0.1.5 netmask 0xffffffff"

My understanding from the handbook is that the mask should be set to all
ones if the alias is for an address that's part of the same network.  For
a different segment, it's the first alias that should be set to the real
netmask, with any additional aliases using a netmask of all ones.

Granted, the broadcast addresses look odd.  If my programming skills
were better, I'd just read through the code and understand what's really
happening, but for now, I'm just taking the FreeBSD folks at their word at
following instructions.  That's a roundabout way of saying I think your
aliases are set up incorrectly.  ;-)

If you're not seeing the behaviour I'm seeing, do let me know.  But to
clarify with a concrete example, the following is what I see on the
jailhost (10.0.1.2) when it connects to port 25 on one of the
jails (10.0.1.5).

# tcpdump -nqti lo0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 0
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 89
IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0

# netstat -nf inet
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.1.5.25            10.0.1.5.62110         ESTABLISHED
tcp4       0      0  10.0.1.5.62110         10.0.1.5.25            ESTABLISHED

# sockstat -4 -p 25
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   16594 1  tcp4   10.0.1.5:25           10.0.1.5:62110
root     sendmail   16594 4  tcp4   10.0.1.5:25           10.0.1.5:62110
root     sendmail   16594 7  tcp4   10.0.1.5:25           10.0.1.5:62110
root     telnet     16593 3  tcp4   10.0.1.5:62110        10.0.1.5:25

Why the jailhost is suddenly using the jail's IP address is beyond me.


Re: Jails and IP Aliasing

2008-07-07 Thread Jason Morgan
On 2008.07.07 12:16:44, David Allen wrote:
 On Mon, Jul 7, 2008 at 10:54 AM, Jason Morgan
 [EMAIL PROTECTED] wrote:
  On 2008.07.07 09:51:33, David Allen wrote:
  Unless I'm losing my mind, I'm encountering what seems to be yet another
  gotcha with jails.  The following has been dumbed down for clarity and
  brevity.
 
  -
  # hostname
  jailhost.example.org
 
  # host jailhost
  jailhost.example.org has address 10.0.1.2
 
  # ifconfig fxp0
  fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=b<RXCSUM,TXCSUM,VLAN_MTU>
  ether 00:07:e9:c8:2e:32
  inet 10.0.1.2 netmask 0xffffff00 broadcast 10.0.1.255
  inet 10.0.1.3 netmask 0xffffffff broadcast 10.0.1.3
  inet 10.0.1.4 netmask 0xffffffff broadcast 10.0.1.4
  media: Ethernet autoselect (100baseTX full-duplex)
  status: active
 
  This is the output for my jail interface. Notice that your jail
  aliases are broadcasting on the jail's IP. I don't know if this is an
  issue or not (my jails run on i386 FBSD 6.3), but it's something to
  look at. How are you setting the aliases?
 
  sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  options=b<RXCSUM,TXCSUM,VLAN_MTU>
  inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
  inet 10.0.0.101 netmask 0xffffff00 broadcast 10.0.0.255
  inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
  ether xx:xx:xx:xx:xx:xx
  media: Ethernet autoselect (1000baseTX full-duplex,flag0,flag1)
  status: active
 
 My own aliases:
 
 # grep fxp0 /etc/rc.conf
 ifconfig_fxp0="inet 10.0.1.2 netmask 0xffffff00"
 ifconfig_fxp0_alias0="10.0.1.3 netmask 0xffffffff"
 ifconfig_fxp0_alias1="10.0.1.4 netmask 0xffffffff"
 ifconfig_fxp0_alias2="10.0.1.5 netmask 0xffffffff"
 
 My understanding from the handbook is that the mask should be set to all
 ones if the alias is for an address that's part of the same network.  For
 a different segment, it's the first alias that should be set to the real
 netmask, with any additional aliases using a netmask of all ones.
 
 Granted, the broadcast addresses look odd.  If my programming skills
 were better, I'd just read through the code and understand what's really
 happening, but for now, I'm just taking the FreeBSD folks at their word at
 following instructions.  That's a roundabout way of saying I think your
 aliases are set up incorrectly.  ;-)

That is quite possible (I do notice the newer documentation calling
for netmask 0xffffffff). But I have never had any trouble over the
last three years so, you know how it is, if it ain't (too) broke ...

 If you're not seeing the behaviour I'm seeing, do let me know.  But to
 clarify with a concrete example, the following is what I see on the
 jailhost (10.0.1.2) when it connects to port 25 on one of the
 jails (10.0.1.5).
 
 # tcpdump -nqti lo0 port 25
 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
 IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
 IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 0
 IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
 IP 10.0.1.5.25 > 10.0.1.5.62110: tcp 89
 IP 10.0.1.5.62110 > 10.0.1.5.25: tcp 0
 
 # netstat -nf inet
 Active Internet connections
 Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
 tcp4       0      0  10.0.1.5.25            10.0.1.5.62110         ESTABLISHED
 tcp4       0      0  10.0.1.5.62110         10.0.1.5.25            ESTABLISHED
 
 # sockstat -4 -p 25
 USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
 root     sendmail   16594 1  tcp4   10.0.1.5:25           10.0.1.5:62110
 root     sendmail   16594 4  tcp4   10.0.1.5:25           10.0.1.5:62110
 root     sendmail   16594 7  tcp4   10.0.1.5:25           10.0.1.5:62110
 root     telnet     16593 3  tcp4   10.0.1.5:62110        10.0.1.5:25
 
 Why the jailhost is suddenly using the jail's IP address is beyond me.

I am actually getting the same results when telnetting to port 25 on
my mailserver jail. Someone else here should be able to offer better
advice. Sorry, I couldn't help.

Good luck,
~Jason


Re: Jails and IP Aliasing

2008-07-07 Thread George Hartzell

Did you take the necessary steps to restrict the IP addresses on which
sendmail on the host and the jail listen?  The jail man page only
says:

 To configure sendmail(8), it is necessary to modify
 /etc/mail/sendmail.cf.

but you'll probably end up adjusting the DAEMON_OPTIONS lines of your
sendmail.mc (freebsd.mc, freebsd.submit.mc) and recreating your cf
files.

g.

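Two of the checks asked for in this thread, in one script: Mel's suggestion (earlier in the thread) of tagging each sockstat line with the jail flag that `ps -o state` shows as a capital J, and George's question here of whether the host's daemons are bound only to the host's own addresses rather than to the wildcard address or to a jail's address. This is an added example, not code from the thread, from Mel's sockstat patch or from FreeBSD. The sockstat listing is constructed from the one quoted in the thread plus two invented host daemons (ntpd on *:123 and httpd on 10.0.1.4:80) so the audit has findings to report; JAIL_IPS and the FAKE_STATES table stand in for rc.conf and for ps(1), which the script only calls when real sockstat output is piped into it.

```python
"""sockstat(1) audit for a jail host: tag each row with the jail flag from
'ps -o state' (capital J) and report host daemons bound to * or to a jail's
address. Added example, not code from the thread or from FreeBSD; the
listing, JAIL_IPS and FAKE_STATES below are constructed."""
import subprocess
import sys

# Constructed: the 'sockstat -4l' listing quoted in the thread plus two host
# daemons (ntpd on the wildcard address, httpd on a jail address).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   11556 4  tcp4   10.0.1.4:25           *:*
root     syslogd    897   6  udp4   10.0.1.3:514          *:*
root     sshd       715   3  tcp4   10.0.1.2:22           *:*
root     syslogd    563   6  udp4   127.0.0.1:514         *:*
root     sendmail   489   4  tcp4   127.0.0.1:25          *:*
root     ntpd       612   20 udp4   *:123                 *:*
www      httpd      2020  4  tcp4   10.0.1.4:80           *:*
"""
JAIL_IPS = {"10.0.1.3", "10.0.1.4"}   # the jail_*_ip values from rc.conf
# Constructed ps STATE values for the PIDs above; J marks a jailed process.
FAKE_STATES = {11556: "IsJ", 897: "SsJ", 715: "Ss", 563: "Ss",
               489: "Is", 612: "Ss", 2020: "Is"}


def ps_state(pid):
    """STATE column of ps(1) for one PID, '' if the process is already gone."""
    try:
        res = subprocess.run(["ps", "-o", "state=", "-p", str(pid)],
                             capture_output=True, text=True, check=False)
    except OSError:
        return ""
    return res.stdout.strip()


def fake_state(pid):
    return FAKE_STATES.get(pid, "")


def is_jailed(state):
    return "J" in state


def parse_sockstat(text):
    """Rows of 'sockstat -4l' as dicts; the header and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] == "USER":
            continue
        rows.append({"user": f[0], "command": f[1], "pid": int(f[2]), "fd": f[3],
                     "proto": f[4], "local": f[5], "foreign": f[6]})
    return rows


def annotate(rows, state_lookup=ps_state):
    """Add a 'jailed' flag to every row, asking ps once per PID."""
    cache = {}
    for r in rows:
        if r["pid"] not in cache:
            cache[r["pid"]] = is_jailed(state_lookup(r["pid"]))
        r["jailed"] = cache[r["pid"]]
    return rows


def audit_listeners(rows, jail_ips):
    """Findings for host-side (unjailed) listeners: a wildcard bind answers on
    every jail address too, and a bind to a jail's address competes with the
    service that jail is meant to provide there."""
    findings = []
    for r in rows:
        if r["jailed"]:
            continue
        addr = r["local"].rsplit(":", 1)[0]
        if addr == "*":
            findings.append(f"{r['command']}[{r['pid']}] listens on {r['local']}: "
                            "wildcard bind, reachable on every jail address")
        elif addr in jail_ips:
            findings.append(f"{r['command']}[{r['pid']}] listens on {r['local']}: "
                            "host process bound to a jail's address")
    return findings


def render(rows):
    """sockstat layout with a J column after PID."""
    fmt = "{:<8} {:<10} {:<5} {} {:<2} {:<6} {:<21} {}"
    lines = [fmt.format("USER", "COMMAND", "PID", "J", "FD", "PROTO",
                        "LOCAL ADDRESS", "FOREIGN ADDRESS")]
    for r in rows:
        lines.append(fmt.format(r["user"], r["command"], r["pid"],
                                "J" if r["jailed"] else "-", r["fd"],
                                r["proto"], r["local"], r["foreign"]))
    return "\n".join(lines)


if __name__ == "__main__":
    if sys.stdin.isatty():   # demo: constructed listing and fake ps
        rows = annotate(parse_sockstat(SAMPLE_SOCKSTAT), fake_state)
    else:                    # real use: sockstat -4l | python3 jailaudit.py
        rows = annotate(parse_sockstat(sys.stdin.read()), ps_state)
    print(render(rows))
    for finding in audit_listeners(rows, JAIL_IPS):
        print("WARNING:", finding)
```

On the host, run it as `sockstat -4l | python3 jailaudit.py`; without piped input it prints the constructed demo. The listener audit only looks at rows whose process is not jailed, so the jails' own sendmail and syslogd instances on their addresses are left alone, while a host daemon bound to `*` is flagged because it answers on the jails' addresses as well.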