Re: Static Routes, gateways and the end of my sanity

2007-06-01 Thread Mikhail Goriachev

Reuben A. Popp wrote:
> Hello everyone, can someone please (_please_!!) let me know what I'm doing
> wrong in the following example?  I am near my wits' end on implementing this,
> any suggestions are greatly appreciated!
>
> The scenario is that I have a server here with twin nics, bce0 and bce1; I
> would like bce0 to be connected to our dmz network (192.168.x.x), while bce1
> would be on our internal network.  A jail will reside on the ip assigned to
> bce0, while the regular base system will bind to bce1.
>
> My current rc.conf consists of the following:
> ---
> defaultrouter="10.228.228.254"
> ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
> ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"
>
> # Enable Jails for multi-homed box (video)
> jail_enable="YES"
> jail_list="video"
> jail_video_rootdir="/usr/local/jail/video"
> jail_video_hostname="video.eastcentral.edu"
> jail_video_ip="192.168.4.80"
> jail_named_exec_start="/bin/sh /etc/rc"
> jail_video_devfs_enable="YES"
>
> # Routed and gateway settings
> static_routes="net1"
> route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
> --
>
> Of course there's other things in there like binding various services (inetd,
> syslog, et al) to the internal ip.
>
> On bringing the machine up, I can ping both ips just fine; what I can't do is
> ssh to the dmz address.  Yes, sshd is running inside the jail ;).  The output
> of tcpdump shows a connect to that ip on bce0, but all responses appear to be
> going out on bce1.
>
> Again, any suggestions or comments are welcome and appreciated.  For the
> record, the machine is a Dell PowerEdge 2950 running the amd64
> 6.2-RELEASE-p4 branch.  I will gladly supply more info if this isn't enough.



You can't bind both host and jail to the same IP. I'd suggest the 
following re-arrangement:


ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce0_alias0="inet 192.168.4.81 netmask 255.255.255.255"
  ^^  ^ ^^^
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"

jail_enable="YES"
jail_list="video"
jail_interface="bce0"
^
jail_video_rootdir="/usr/local/jail/video"
jail_video_hostname="video.eastcentral.edu"
jail_video_ip="192.168.4.81"
  ^
jail_named_exec_start="/bin/sh /etc/rc"
jail_video_devfs_enable="YES"


In other words:

Your host binds to bce0 (192.168.4.80) and bce1 (10.228.228.228). The 
jail binds to bce0_alias0 (192.168.4.81). Also jails will always try to 
bind to bce0 interface (jail_interface="bce0").


You don't need any routes if your machine acts as a gateway. All traffic 
from 10.0.0.0/8 will find its way to 192.168.0.0/16 through bce1 and from 
the other net via bce0.



Hopefully I didn't misinterpret your problem.

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide

Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
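The following lint is an added example and not code from any reply in the thread: it parses an rc.conf fragment and flags the two things the exchange above turns on, a jail IP that is also a host interface's primary address, and a static route whose -net target is a host address inside a subnet the host is already directly connected to. The two config strings are reconstructed from Reuben's post and Mikhail's re-arrangement; the rules themselves are my own heuristics, not anything FreeBSD's rc scripts check.

```python
# Added example, not from the thread: lint an rc.conf fragment for the issues above.
import ipaddress, re, shlex

ASSIGN = re.compile(r'^\s*(\w+)="?([^"#]*)"?')  # key="value" (comments never match)
def parse_rc_conf(text):  # -> {key: value}; blank and comment lines are skipped
    return {m.group(1): m.group(2).strip()
            for m in map(ASSIGN.match, text.splitlines()) if m}

def inet_addr(val):
    """'inet A netmask M ...' -> ip_interface(A/M); /32 when no netmask is given."""
    tok = shlex.split(val)
    if "inet" not in tok:
        return None
    mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "32"
    return ipaddress.ip_interface(f"{tok[tok.index('inet') + 1]}/{mask}")

def lint(text):
    """Return findings for an rc.conf fragment; [] means nothing was flagged."""
    conf = parse_rc_conf(text)
    ifaces = {k[9:]: a for k, v in conf.items()
              if k.startswith("ifconfig_") and (a := inet_addr(v))}
    # ifconfig_X_aliasN entries are not primaries, so a jail may sit on them
    primaries = {k: v.ip for k, v in ifaces.items() if "_alias" not in k}
    out = []
    for jail in conf.get("jail_list", "").split():
        jip = ipaddress.ip_address(conf.get(f"jail_{jail}_ip", "0.0.0.0"))
        out += [f"jail {jail}: {jip} is also {ifn}'s primary address"
                for ifn, ip in primaries.items() if ip == jip]
    for r in conf.get("static_routes", "").split():
        tok = shlex.split(conf.get(f"route_{r}", ""))
        if "-net" in tok:
            target = tok[tok.index("-net") + 1]
            net = ipaddress.ip_network(target, strict=False)
            if target.split("/")[0] != str(net.network_address):
                out.append(f"route {r}: -net {target} names a host, not a network")
            if net in {i.network for i in ifaces.values()}:
                out.append(f"route {r}: {net} is directly connected, route is redundant")
    return out

# Constructed from the thread: Reuben's fragment, then Mikhail's re-arrangement.
ORIGINAL = '''
ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
jail_list="video"
jail_video_ip="192.168.4.80"
static_routes="net1"
route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
'''
FIXED = '''
ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce0_alias0="inet 192.168.4.81 netmask 255.255.255.255"
jail_list="video"
jail_video_ip="192.168.4.81"
'''
```

`lint(ORIGINAL)` reports the jail/primary-address collision and both route problems; `lint(FIXED)` returns an empty list. Requires Python 3.8 or newer for the assignment expression.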


Re: Fwd: Static Routes, gateways and the end of my sanity

2007-05-29 Thread Randy Schultz
On Tue, 29 May 2007, Reuben A. Popp spaketh thusly:
-}
-}Hello everyone, can someone please (_please_!!) let me know what I'm doing
-}wrong in the following example?  I am near my wits' end on implementing this,
-}any suggestions are greatly appreciated!
-}
-}The scenario is that I have a server here with twin nics, bce0 and bce1; I
-}would like bce0 to be connected to our dmz network (192.168.x.x), while bce1
-}would be on our internal network.  A jail will reside on the ip assigned to
-}bce0, while the regular base system will bind to bce1.
-}
-}My current rc.conf consists of the following:
-}---
-}defaultrouter="10.228.228.254"
-}ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
-}ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"
-}
-}# Enable Jails for multi-homed box (video)
-}jail_enable="YES"
-}jail_list="video"
-}jail_video_rootdir="/usr/local/jail/video"
-}jail_video_hostname="video.eastcentral.edu"
-}jail_video_ip="192.168.4.80"
-}jail_named_exec_start="/bin/sh /etc/rc"
-}jail_video_devfs_enable="YES"
-}
-}# Routed and gateway settings
-}static_routes="net1"
-}route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
-}--
-}
-}Of course there's other things in there like binding various services (inetd,
-}syslog, et al) to the internal ip.
-}
-}On bringing the machine up, I can ping both ips just fine; what I can't do is
-}ssh to the dmz address.  Yes, sshd is running inside the jail ;).  The output
-}of tcpdump shows a connect to that ip on bce0, but all responses appear to be
-}going out on bce1.

Are you remembering to edit /etc/ssh/sshd_config for both the jail and the
parent system to listen on the appropriate addresses?  The jail's
/etc/ssh/sshd_config needs a line that says "ListenAddress 192.168.4.80", the
parent's sshd_config needs to say "ListenAddress 10.228.228.228".  Also, crank
up the debugging for sshd with something like "LogLevel DEBUG3" and watch your
log files.

--
 Randy([EMAIL PROTECTED])  765.983.1283 <*>

Rain puts a hole in stone because of its constancy, not its force.
   - H. Joseph Gerber



Re: Static Routes, gateways and the end of my sanity

2007-05-29 Thread Bill Moran
In response to "Reuben A. Popp" <[EMAIL PROTECTED]>:

> Hello everyone, can someone please (_please_!!) let me know what I'm doing 
> wrong in the following example?  I am near my wits' end on implementing this, 
> any suggestions are greatly appreciated!
> 
> The scenario is that I have a server here with twin nics, bce0 and bce1; I 
> would like bce0 to be connected to our dmz network (192.168.x.x), while bce1 
> would be on our internal network.  A jail will reside on the ip assigned to 
> bce0, while the regular base system will bind to bce1.
> 
> My current rc.conf consists of the following:
> ---
> defaultrouter="10.228.228.254"
> ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
> ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"
> 
> # Enable Jails for multi-homed box (video)
> jail_enable="YES"
> jail_list="video"
> jail_video_rootdir="/usr/local/jail/video"
> jail_video_hostname="video.eastcentral.edu"
> jail_video_ip="192.168.4.80"
> jail_named_exec_start="/bin/sh /etc/rc"
> jail_video_devfs_enable="YES"
> 
> # Routed and gateway settings
> static_routes="net1"
> route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
> --
> 
> Of course there's other things in there like binding various services (inetd, 
> syslog, et al) to the internal ip.
> 
> On bringing the machine up, I can ping both ips just fine; what I can't do is 
> ssh to the dmz address.  Yes, sshd is running inside the jail ;).  The output 
> of tcpdump shows a connect to that ip on bce0, but all responses appear to be 
> going out on bce1.

I don't believe that what you're attempting is possible.

The system only has 1 routing table, and despite the traffic coming from the
jail, it still gets routed by the host routing table.

There's some work in progress to improve this, but AFAIK, what you're trying
to do isn't currently possible.

FYI:  there is now a freebsd-jail@ mailing list -- you may find better answers
there.

-- 
Bill Moran
http://www.potentialtech.com


Fwd: Static Routes, gateways and the end of my sanity

2007-05-29 Thread Reuben A. Popp
Hmm... first time didn't appear to go through, going to try this again.


Hello everyone, can someone please (_please_!!) let me know what I'm doing
wrong in the following example?  I am near my wits' end on implementing this,
any suggestions are greatly appreciated!

The scenario is that I have a server here with twin nics, bce0 and bce1; I
would like bce0 to be connected to our dmz network (192.168.x.x), while bce1
would be on our internal network.  A jail will reside on the ip assigned to
bce0, while the regular base system will bind to bce1.

My current rc.conf consists of the following:
---
defaultrouter="10.228.228.254"
ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"

# Enable Jails for multi-homed box (video)
jail_enable="YES"
jail_list="video"
jail_video_rootdir="/usr/local/jail/video"
jail_video_hostname="video.eastcentral.edu"
jail_video_ip="192.168.4.80"
jail_named_exec_start="/bin/sh /etc/rc"
jail_video_devfs_enable="YES"

# Routed and gateway settings
static_routes="net1"
route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
--

Of course there's other things in there like binding various services (inetd,
syslog, et al) to the internal ip.

On bringing the machine up, I can ping both ips just fine; what I can't do is
ssh to the dmz address.  Yes, sshd is running inside the jail ;).  The output
of tcpdump shows a connect to that ip on bce0, but all responses appear to be
going out on bce1.

Again, any suggestions or comments are welcome and appreciated.  For the
record, the machine is a Dell PowerEdge 2950 running the amd64
6.2-RELEASE-p4 branch.  I will gladly supply more info if this isn't enough.

Cheers, and thanks in advance
Reuben A. Popp


--
Reuben A. Popp
Systems Administrator
Information Technology Department
East Central College
1+ 636 583 5195 x2480


Static Routes, gateways and the end of my sanity

2007-05-29 Thread Reuben A. Popp
Hello everyone, can someone please (_please_!!) let me know what I'm doing 
wrong in the following example?  I am near my wits' end on implementing this, 
any suggestions are greatly appreciated!

The scenario is that I have a server here with twin nics, bce0 and bce1; I 
would like bce0 to be connected to our dmz network (192.168.x.x), while bce1 
would be on our internal network.  A jail will reside on the ip assigned to 
bce0, while the regular base system will bind to bce1.

My current rc.conf consists of the following:
---
defaultrouter="10.228.228.254"
ifconfig_bce0="inet 192.168.4.80 netmask 255.255.255.0"
ifconfig_bce1="inet 10.228.228.228 media 100BaseTX mediaopt full-duplex netmask 255.255.255.0"

# Enable Jails for multi-homed box (video)
jail_enable="YES"
jail_list="video"
jail_video_rootdir="/usr/local/jail/video"
jail_video_hostname="video.eastcentral.edu"
jail_video_ip="192.168.4.80"
jail_named_exec_start="/bin/sh /etc/rc"
jail_video_devfs_enable="YES"

# Routed and gateway settings
static_routes="net1"
route_net1="-net 192.168.4.80/24 -netmask 255.255.255.0 192.168.4.254"
--

Of course there's other things in there like binding various services (inetd, 
syslog, et al) to the internal ip.

On bringing the machine up, I can ping both ips just fine; what I can't do is 
ssh to the dmz address.  Yes, sshd is running inside the jail ;).  The output 
of tcpdump shows a connect to that ip on bce0, but all responses appear to be 
going out on bce1.

Again, any suggestions or comments are welcome and appreciated.  For the 
record, the machine is a Dell PowerEdge 2950 running the amd64
6.2-RELEASE-p4 branch.  I will gladly supply more info if this isn't enough.

Cheers, and thanks in advance
Reuben A. Popp


-- 
Reuben A. Popp
Systems Administrator
Information Technology Department
East Central College
1+ 636 583 5195 x2480