Re: Re : How to connect a jail to the web ?

2010-08-11 Thread Oliver Fromme
Brice ERRANDONEA  wrote:
 > I tried all of this without any result. But I won't give up.
 > 
 > What I want is a jail with an Apache http server running inside.
 > So, the jail must have a public IPv4 and access to the web.

Not necessarily.  Of course, the jail _can_ have a public
IP address.  This will make things easier.

But some people prefer to give their jails private addresses
or even aliases on lo0 (e.g. 127.0.0.2).  In order to access
such a jail from the outside, the host has to forward packets
from and to the private address.  This can be done with IPFW
"fwd" rules, for example.

 > What I'd understood of the jails' role (but I must have
 > misunderstood) is that it will have a different public ip than the
 > host, so that if a pirate manage to crack the server, he will only
 > have access to the jail (the real public ip of the host remaining
 > secret).

Yes, it has advantages to give a jail its own IP address,
but it's not strictly necessary.  The IP address can be
shared with the host and with other IP addresses if you
prefer.

It's also possible to give the jail the host's IP address
during installation, so things like portsnap, pkg_add -r
and similar will run without trouble, and then switch the
jail to its final IP address.

 > Then I'm surprised to learn that such traffic will be routed
 > through the host.

Routing happens globally (unless you use VIMAGE and/or
multiple FIBs, but let's forget about these for now
because they make things even more complicated, and
you probably don't need them).  By default there is only
one routing table inside the kernel, through which all
packets go.  So, packets from your jails go through the
same routing table as packets from your host.

 > The jail is created. The next step now is to install the ports
 > collection inside with portsnap fetch. But each time I try to run
 > this command inside the jail (with jexec), I get the same answer :
 >
 > Looking up portsnap.FreeBSD.org mirrors... none found.  Fetching
 > public key from portsnap.FreeBSD.org... failed.  No mirrors
 > remaining, giving up.
 >
 > This makes me think my jail is not connected to the web.

This has nothing to do with the web.  Maybe you confuse
web and internet or network?

Obviously your jail cannot do DNS lookups, i.e. it cannot
resolve host names.

 > So, I can't contact DNS servers able to translate www.freebsd.org to
 > its ip.  Since I know this ip, I tried : "ping 69.147.83.33". This
 > time, the error message is :
 >
 > ping: socket: Operation not permitted

ping(1) uses raw sockets in order to be able to send and
receive ICMP packets.  By default, raw sockets are disallowed
in jails.  To change that, use this command on the host:

sysctl security.jail.allow_raw_sockets=1

Add an entry to /etc/sysctl.conf so the setting will survive
reboots.

 > It seems that the local ip given to the jail has to be an alias
 > of an existing one.

No, it must simply be an existing address, i.e. it must be
configured on one of your interfaces (whether alias or not).

 > I'm not on a local network so I only have 2
 > real network interfaces : rl0 (192.168.1.38) and the loopback lo0
 > (127.0.0.1).

So you can use one of those two addresses, or you can add
aliases (e.g. 192.168.1.39) and then use that one.

Of course you can only use addresses that you "own" and
that will work on your network.  If addresses are assigned
to you by an ISP or administrator, then you can only use
those.

 > 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

Well, localnet addresses are not routed.  If you give your
jail a localnet address, it won't be able to access the
network outside of the host.  (Unless you take measures
to rewrite/translate the addresses and forward them.)
That's why DNS and portsnap don't work.

I suggest using the address 192.168.1.38 for the jail,
at least during installation.  Make sure that the file
/etc/resolv.conf inside the jail is correct, so DNS will
work.  Copying it from the host should be sufficient.

By the way, you don't have to build ports inside the jail.
Of course you *can* do that, but there are other ways, too.
For example, you could build packages (apache etc.) on
the host, or in a different jail, or even on a different
machine, and then use pkg_add(8) inside your jail to
install them.

 > By the way, I wonder which one I will be able to choose if I ever
 > have to create a second jail.

Multiple jails can share the same address if required.

 > And also how the computer knows which data is for the jail and which
 > one is for the loopback.

Services (such as apache) listen on certain ports for
connections.  For example, the default port for the HTTP
protocol is 80.  So, when someone is trying to open a
connection to your IP address on port 80, your kernel
looks it up in its table of listening TCP sockets and
find the apache process which is running inside the jail.
So the connection is handed to the jail.

(This is a bit oversimplifying, but basically that's how
it works.)

Re : Re : How to connect a jail to the web ?

2010-08-11 Thread Brice ERRANDONEA
Thank you very much for your answer. It helped me understand some elements. But 
portsnap still doesn't work.


>> So, I can't contact DNS servers able to translate www.freebsd.org to
>> its ip.  Since I know this ip, I tried : "ping 69.147.83.33". This
>> time, the error message is :
>>
>> ping: socket: Operation not permitted

>ping(1) uses raw sockets in order to be able to send and
>receive ICMP packets.  By default, raw sockets are disallowed
>in jails.  To change that, use this command on the host:

>sysctl security.jail.allow_raw_sockets=1

>Add an entry to /etc/sysctl.conf so the setting will survive
>reboots.

I did it but ping still doesn't work.

>> 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

>Well, localnet addresses are not routed.  If you give your
>jail a localnet address, it won't be able to access the
>network outside of the host.  (Unless you take measures
>to rewrite/translate the addresses and forward them.)
>That's why DNS and portsnap don't work.

>I suggest using the address 192.168.1.38 for the jail,
>at least during installation.  Make sure that the file
>/etc/resolv.conf inside the jail is correct, so DNS will
>work.  Copying it from the host should be sufficient.

Isn't 192.168.1.38 a localnet address too ? Do you mean I should use the public 
ip of my computer here ?

> By the way, you don't have to build ports inside the jail.
> Of course you *can* do that, but there are other ways, too.
> For example, you could build packages (apache etc.) on
> the host, or in a different jail, or even on a different
> machine, and then use pkg_add(8) inside your jail to
> install them.

I prefer doing it that way. I will use apache later so I will have to connect the 
jail to the internet anyway.

>> And also how the computer knows which data is for the jail and which
>> one is for the loopback.

>Services (such as apache) listen on certain ports for
>connections.  For example, the default port for the HTTP
>protocol is 80.  So, when someone is trying to open a
>connection to your IP address on port 80, your kernel
>looks it up in its table of listening TCP sockets and
>find the apache process which is running inside the jail.
>So the connection is handed to the jail.

>(This is a bit oversimplifying, but basically that's how
>it works.)

OK. This is clear. And it explains how multiple jails can share the same 
address.

>> Despite the sshd_enable="YES" line, I can't ssh from the host to the
>> jail. Well, I can... The first time I did it, I was asked if I wanted
>> to add the jail to the list of known hosts. I did it. No problem
>> there. But, immediately after that, instead of displaying "login :",
>> the system displayed "passwd :".

>That's normal. ssh never asks for the login.  You can use the -l
>option if you need to specify a different user name (or put it in your
>~/.ssh/config).

Of course. I'm losing my mind with all that jail trouble. It works perfectly 
well with the -l option.

> Some paranoid people have a special "login jail".  They
> ssh into the login jail, then log into the host or into
> other jails from there.  The host accepts ssh only from
> localhost.  But please forget this immediately; we don't
> want to make things more complicated than necessary.

I thought it was intended to be impossible to access the host from the jail. 
But you're right : I'll forget that.

So, we're progressing. But the problem is not over yet. Any other idea ?

Have a good evening, anyway.

Brice

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"Above all, they contribute to the genetic diversity in the
operating system pool.  Which is a good thing."
  -- Ruben van Staveren, on the question which BSD OS is the best one.




___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
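The explanation above of how the kernel hands an incoming connection to a process, and why several jails can share one address, can be made concrete with a small model. The following is an added example, not code from the thread or from FreeBSD: a toy table of listening sockets keyed by (address, port), with the jail rule that a wildcard bind is rewritten to the jail's own address and any other address is refused. The jail names, port numbers and the shared address are assumed for the scenario.

```python
import errno

ANY = "0.0.0.0"  # INADDR_ANY: "listen on every address"


class ListenTable:
    """Toy model of the kernel's table of listening TCP sockets, keyed by
    (local address, local port). Inside a jail, bind() is confined to the
    jail's own address: a wildcard bind is rewritten to that address, and
    any other address is refused."""

    def __init__(self):
        self.listeners = {}  # (ip, port) -> label of the process that owns the socket

    def bind(self, owner, ip, port, jail_ip=None):
        if jail_ip is not None:
            if ip not in (ANY, jail_ip):
                raise OSError(errno.EADDRNOTAVAIL, "address not available inside the jail")
            ip = jail_ip
        if (ip, port) in self.listeners:
            raise OSError(errno.EADDRINUSE, "address already in use")
        self.listeners[(ip, port)] = owner

    def dispatch(self, dst_ip, dst_port):
        """Owner of the socket that receives a SYN to dst_ip:dst_port, or None
        (the kernel answers with RST). A listener bound to the exact address
        wins over one bound to the wildcard."""
        return (self.listeners.get((dst_ip, dst_port))
                or self.listeners.get((ANY, dst_port)))


def scenario(shared_ip="192.168.1.38"):
    """Two jails sharing the host's address, plus a host daemon on the wildcard.
    Names and ports are assumed for the demonstration."""
    table = ListenTable()
    table.bind("host sshd", ANY, 22)                                # host service, wildcard
    table.bind("MaPrison apache", ANY, 80, jail_ip=shared_ip)       # wildcard -> jail address
    try:
        table.bind("Prison2 apache", ANY, 80, jail_ip=shared_ip)    # same address, same port
        second_jail_port80 = "bound"
    except OSError as exc:
        second_jail_port80 = errno.errorcode[exc.errno]
    table.bind("Prison2 apache", ANY, 8080, jail_ip=shared_ip)      # different port is fine
    try:
        table.bind("MaPrison smtpd", "127.0.0.1", 25, jail_ip=shared_ip)  # not the jail's address
        other_address = "bound"
    except OSError as exc:
        other_address = errno.errorcode[exc.errno]
    return {
        "port80": table.dispatch(shared_ip, 80),
        "port8080": table.dispatch(shared_ip, 8080),
        "port22_via_jail_ip": table.dispatch(shared_ip, 22),  # wildcard host listener answers here too
        "port443": table.dispatch(shared_ip, 443),            # nobody listening: RST
        "second_jail_port80": second_jail_port80,
        "bind_other_address": other_address,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The `port22_via_jail_ip` entry is the detail worth remembering: a host daemon listening on the wildcard also answers on every jail address, so a host service you meant to keep private is reachable through the jail's IP unless it is bound to the host's own address (for sshd, the `ListenAddress` directive). This matters more once the jail has a dedicated address, since from outside the jail's address then looks like a separate machine that happens to expose the host's sshd.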


Re: Re : How to connect a jail to the web ?

2010-08-11 Thread Rocky Borg

On 8/11/2010 8:35 AM, Brice ERRANDONEA wrote:

I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache http server running inside. So, the jail
must have a public IPv4 and access to the web.


I've been in the same boat as you and there isn't a lot of clear 
documentation that works in all situations. After reading tons of stuff 
on the subject I finally figured out what should work in almost every 
situation. Rather than fit everything in an email I put together a HOWTO 
on the freebsd forums. This should get you up and running quickly and if 
you have any problems or questions don't hesitate to ask.


http://forums.freebsd.org/showthread.php?t=16860


Re: Re : How to connect a jail to the web ?

2010-08-12 Thread Oliver Fromme
Brice ERRANDONEA  wrote:
 > 192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the 
 > public one. I tried both as the jail's address. With the private one, 
 > neither portsnap nor ping work at all.
 > 
 > With the public one, I get this result :
 > [...]
 > FreeBSD# jexec 2 ping www.yahoo.fr
 > ping: cannot resolve www.yahoo.fr: Host name lookup failure
 > FreeBSD# jexec 2 ping 69.147.83.33
 > PING 69.147.83.33 (69.147.83.33): 56 data bytes
 > [...]
 > 32 packets transmitted, 0 packets received, 100.0% packet loss

Please show the _complete_ output from "ifconfig" and "netstat -rnfinet".

Best regards
   Oliver


PI:
int f[9814],b,c=9814,g,i;long a=1e4,d,e,h;
main(){for(;b=c,c-=14;i=printf("%04d",e+d/a),e=d%a)
while(g=--b*2)d=h*b+a*(i?f[b]:a/5),h=d/--g,f[b]=d%g;}


Re : Re : How to connect a jail to the web ?

2010-08-12 Thread Brice ERRANDONEA
Here they are.

On the host, when the jail is not running :

%ifconfig
rl0: flags=8843 metric 0 mtu 1500
options=8
ether 00:11:09:15:72:6a
inet 192.168.1.38 netmask 0xff00 broadcast 192.168.1.255
media: Ethernet autoselect (100baseTX )
status: active
fwe0: flags=8802 metric 0 mtu 1500
options=8
ether 02:11:06:99:8a:ff
ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
options=3
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff00
nd6 options=3
%netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS        16      434    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           1       98    rl0
192.168.1.38       link#1             UHS         0        0    lo0

On the host when the jail is running :

FreeBSD# jls
   JID  IP Address      Hostname                      Path
     1  93.0.168.242    MaPrison                      /usr/prison
FreeBSD# ifconfig
rl0: flags=8843 metric 0 mtu 1500
options=8
ether 00:11:09:15:72:6a
inet 192.168.1.38 netmask 0xff00 broadcast 192.168.1.255
inet 93.0.168.242 netmask 0x broadcast 93.0.168.242
media: Ethernet autoselect (100baseTX )
status: active
fwe0: flags=8802 metric 0 mtu 1500
options=8
ether 02:11:06:99:8a:ff
ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
options=3
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff00
nd6 options=3
FreeBSD# netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      474    rl0
93.0.168.242       link#1             UHS         0       20    lo0 =>
93.0.168.242/32    link#1             U           0        0    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           0      102    rl0
192.168.1.38       link#1             UHS         0        0    lo0

In the jail (running, of course) :

FreeBSD# jexec 1 ifconfig
rl0: flags=8843 metric 0 mtu 1500
options=8
ether 00:11:09:15:72:6a
inet 93.0.168.242 netmask 0x broadcast 93.0.168.242
media: Ethernet autoselect (100baseTX )
status: active
fwe0: flags=8802 metric 0 mtu 1500
options=8
ether 02:11:06:99:8a:ff
ch 1 dma -1
fwip0: flags=8802 metric 0 mtu 1500
lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810 metric 0 mtu 1500
lo0: flags=8049 metric 0 mtu 16384
options=3
FreeBSD# jexec 1 netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      480    rl0
93.0.168.242       link#1             UHS         0       20    lo0 =>
93.0.168.242/32    link#1             U           0        0    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           0      102    rl0
192.168.1.38       link#1             UHS         0        0    lo0

Do you find what's wrong ?

Brice

Re: Re : Re : How to connect a jail to the web ?

2010-08-12 Thread Oliver Fromme
Brice ERRANDONEA  wrote:
 > On the host, when the jail is not running :
 > 
 > %ifconfig
 > rl0: flags=8843 metric 0 mtu 1500
 > options=8
 > ether 00:11:09:15:72:6a
 > inet 192.168.1.38 netmask 0xff00 broadcast 192.168.1.255
 > media: Ethernet autoselect (100baseTX )

OK, so 192.168.1.38 is the only (non-localnet) IP address that
you have.  You should use that one for your jail.

 > On the host when the jail is running :
 > 
 > FreeBSD# jls
 >    JID  IP Address      Hostname                      Path
 >      1  93.0.168.242    MaPrison                      /usr/prison
 > FreeBSD# ifconfig
 > rl0: flags=8843 metric 0 mtu 1500
 > options=8
 > ether 00:11:09:15:72:6a
 > inet 192.168.1.38 netmask 0xff00 broadcast 192.168.1.255
 > inet 93.0.168.242 netmask 0x broadcast 93.0.168.242
 > media: Ethernet autoselect (100baseTX )

Where did you get that second IP address from?  Did you just
add it manually?  Or is that the address that your gateway
(DSL router, whatever) got assigned from your ISP?

I assume that IP address is not really routed to your host,
but that NAT (Network Address Translation) is used on your
router.  So you cannot use that address on the host.
(If that's not true, please explain the structure of your
network in more detail.)

So, if my assumptions are true, you must use the address
192.168.1.38 for your jail.  Make sure that DNS is working
inside the jail ...  It should be sufficient to copy
/etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

If it still doesn't work:  Are you using any packet filter
(ipfw, ipf, pf)?  If so, please show the complete list of
rules.

Otherwise, it might help to run tcpdump(1) on the host, so
you can see the actual packets that are transmitted and
received.

Best regards
   Oliver


"C++ is the only current language making COBOL look good."
-- Bertrand Meyer
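The rules Oliver applies in this message and in his first reply (the jail address must already be configured on an interface; a loopback address is never routed off the host; a private address reaches the internet only through the router's NAT; a public address that really belongs to the router's WAN side will not get its replies) can be turned into a check that runs over the host's own `ifconfig` and `netstat -rnfinet` output. The following is an added example, not code from the thread or from FreeBSD. The sample outputs embedded in it are constructed to resemble the ones posted above, and the finding names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: abbreviated "ifconfig" output modelled on the host in
# this thread (private DHCP address on rl0, a manually added public alias,
# and loopback). Not a verbatim copy of the captures posted above.
SAMPLE_IFCONFIG = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
        inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

# Constructed sample: "netstat -rnfinet" with a default route via the LAN router.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS        16      434    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           1       98    rl0
192.168.1.38       link#1             UHS         0        0    lo0
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-f]+)")


def parse_ifconfig(text):
    """Map interface name -> list of IPv4 addresses configured on it."""
    addrs, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            addrs.setdefault(iface, [])
            continue
        m = INET_RE.match(line)
        if m and iface is not None:
            addrs[iface].append(m.group(1))
    return addrs


def default_gateway(routes_text):
    """Gateway of the 'default' route in netstat -rn output, or None."""
    for line in routes_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "default":
            return fields[1]
    return None


def assess_jail_ip(jail_ip, ifconfig_text, routes_text):
    """Apply the rules from the thread to a candidate jail address.
    Returns a list of findings (empty list = nothing to object to)."""
    ip = ipaddress.ip_address(jail_ip)
    configured = {a for lst in parse_ifconfig(ifconfig_text).values() for a in lst}
    gw = default_gateway(routes_text)
    findings = []
    if jail_ip not in configured:
        # jail(8) requires an address that already exists on an interface
        findings.append("NOT_CONFIGURED")
    if ip.is_loopback:
        # 127/8 is never routed off the host; only fwd/NAT rules can expose it
        findings.append("LOOPBACK_NOT_ROUTED")
    elif ip.is_private:
        # RFC 1918: fine on the LAN, reaches the internet only through the router's NAT
        findings.append("PRIVATE_NEEDS_NAT")
    elif gw is not None and ipaddress.ip_address(gw).is_private:
        # A public address on a host whose only gateway is a private router is almost
        # certainly the router's own WAN address: replies stop at the router, not here
        findings.append("PUBLIC_BEHIND_PRIVATE_GATEWAY")
    if gw is None:
        findings.append("NO_DEFAULT_ROUTE")
    return findings


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "192.168.1.38", "93.0.168.242", "192.168.1.39"):
        print(candidate, assess_jail_ip(candidate, SAMPLE_IFCONFIG, SAMPLE_ROUTES))
```

Run against the sample data, the three addresses tried in this thread come out exactly as Oliver diagnosed them: 127.0.0.1 is not routed, 93.0.168.242 sits behind a private gateway, and 192.168.1.38 is usable provided the router does NAT. The check deliberately says nothing about DNS: that is a separate question answered by `/etc/resolv.conf` inside the jail, which is why Oliver asks about it separately.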


Re : Re : Re : How to connect a jail to the web ?

2010-08-12 Thread Brice ERRANDONEA


> Where did you get that second IP address from?  Did you just
> add it manually?  Or is that the address that your gateway
> (DSL router, whatever) got assigned from your ISP?

I added it manually in rc.conf (on the host) :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"   (yes, I'm french)
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"

jail_enable="NO"
jail_list="MaPrison"
jail_interface="rl0"
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="93.0.168.242"

I chose it because that's my computer's public ip, at least according to this 
website : http://whatismyipaddress.com/

> I assume that IP address is not really routed to your host,
> but that NAT (Network Address Translation) is used on your
> router.  So you cannot use that address on the host.
> (If that's not true, please explain the structure of your
> network in more detail.)

My "network" is VERY simple. I've got a modem (or "box") provided by my phone 
company. It's called a "neufbox" and acts as a gateway. The computer with 
FreeBSD is connected to this "box" through an ethernet cable. Two other 
computers are connected to it via wifi.

> So, if my assumptions are true, you must use the address
> 192.168.1.38 for your jail.  Make sure that DNS is working
> inside the jail ...  It should be sufficient to copy
> /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

OK, I'll try this.

> If it still doesn't work:  Are you using any packet filter
> (ipfw, ipf, pf)?  If so, please show the complete list of
> rules.

No, I don't. I've tried pf but you told me it was not necessary.

> Otherwise, it might help to run tcpdump(1) on the host, so
> you can see the actual packets that are transmitted and
> received.

All right. I'll try it too.

Good bye for the moment and thanks for your help.

Brice





Re : Re : Re : How to connect a jail to the web ?

2010-08-14 Thread Brice ERRANDONEA
.302933 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 343
09:08:50.303485 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 325
09:08:50.303938 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.304383 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 
250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 
1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
09:08:51.917971 IP FreeBSD.32837 > neufbox.domain: 24447+ PTR? 
38.1.168.192.in-addr.arpa. (43)
09:08:51.918870 IP neufbox.domain > FreeBSD.32837: 24447* 1/0/0 (64)
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
FreeBSD#

Then, I started the jail. Firefox immediately stopped being able to browse 
websites. I tried a tcpdump on the host while running portsnap fetch in the 
jail :

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:43:50.334064 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:43:50.334499 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:43:50.334966 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:43:50.335402 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:43:50.335944 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:43:50.336560 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.41 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:44:20.333807 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:44:20.334246 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:44:20.334684 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:44:20.335165 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:44:20.335603 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:44:20.336040 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.336480 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
FreeBSD#

If you compare these two tcpdumps, you can see that the word "neufbox" is 
replaced by 192.168.1.1. It confirms that DNS is no longer running.

Not easy...

Brice
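The comparison Brice makes between the two captures (names in the first, bare addresses in the second) is worth automating, because `tcpdump` without `-n` silently depends on the host's resolver: every name it prints is the result of a PTR lookup, and those lookups themselves show up on the wire. The following is an added example, not code from the thread: a parser for the one-line tcpdump format quoted above, run over two constructed captures modelled on Brice's, that reports whether reverse lookups were succeeding and whether any DNS traffic was seen at all. Counter names are assumptions of this example.

```python
import re

# Constructed sample captures, shortened and modelled on the two tcpdump runs
# quoted in this thread (not verbatim copies). The first was taken with the
# jail stopped, the second while portsnap ran inside the jail.
CAPTURE_JAIL_STOPPED = """\
09:08:50.302933 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 343
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
"""

CAPTURE_JAIL_RUNNING = """\
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:44:20.333807 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
"""

LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")
DOTTED_QUAD = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
COUNTERS = ("packets", "resolved", "unresolved", "dns_queries", "dns_answers", "ssdp")


def split_endpoint(endpoint):
    """'neufbox.domain' -> ('neufbox', 'domain'); '192.168.1.1.32774' -> ('192.168.1.1', '32774').
    tcpdump joins host and port with a dot, so the port is everything after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def summarize(capture):
    """Count what a capture (tcpdump run without -n) tells us about name resolution."""
    c = dict.fromkeys(COUNTERS, 0)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # summary lines such as "14 packets captured"
        shost, sport = split_endpoint(m.group(2))
        dhost, dport = split_endpoint(m.group(3))
        c["packets"] += 1
        # Without -n tcpdump prints names when the host's resolver can do PTR lookups;
        # a line with raw addresses on both sides means those lookups failed.
        if DOTTED_QUAD.match(shost) and DOTTED_QUAD.match(dhost):
            c["unresolved"] += 1
        else:
            c["resolved"] += 1
        if dport in ("domain", "53"):
            c["dns_queries"] += 1
        if sport in ("domain", "53"):
            c["dns_answers"] += 1
        if dhost == "239.255.255.250" and dport == "1900":
            c["ssdp"] += 1  # UPnP discovery chatter from the router: background noise
    c["reverse_dns_working"] = c["resolved"] > 0
    return c


def compare(before, after):
    """Findings a reader of the two captures would want spelled out."""
    b, a = summarize(before), summarize(after)
    notes = []
    if b["reverse_dns_working"] and not a["reverse_dns_working"]:
        notes.append("host lost name resolution between the captures")
    if a["dns_queries"] == 0:
        notes.append("no DNS query appeared on the wire in the second capture, "
                     "not even tcpdump's own PTR lookups")
    return notes


if __name__ == "__main__":
    for note in compare(CAPTURE_JAIL_STOPPED, CAPTURE_JAIL_RUNNING):
        print("-", note)
```

Two practical points follow from the output. First, capture with `tcpdump -n` when the resolver is the thing under suspicion, so that the trace is not itself altered by the failure being diagnosed. Second, the absence of any DNS query in the second capture is the more telling fact: the jail's `portsnap` never got as far as putting a query on rl0, so the next thing to inspect is the resolver configuration inside the jail rather than the path to the router.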