strange routing (?) issues with a jail

tsuraan tsuraan at gmail.com
Thu Sep 29 06:51:08 PDT 2005


On 28/09/05, Glenn Dawson <glenn at antimatter.net> wrote:
> At 04:08 PM 9/28/2005, tsuraan wrote:
> >I have a freebsd 5.3 machine, with a jailed off machine running in it.
> >  Let's call them host and slave (they have separate IP addresses and
> >hostnames).  Within the slave, I have sshd and apache running.  In the
> >host, I just have sshd running.   From within the slave machine, I can
> >connect to localhost ports 80 and 22, with the expected results.  From
> >within the host machine, I can connect to the slave's ports 80 and 22
> >correctly as well.  From outside that machine, I can only connect to
> >port 22 on the slave.  Attempts to connect to port 80 on the slave
> >time out.
> >
> >The slave is running apache version 1.33+modssl from ports.  I have it
> >configured with a basic vhosting setup, and it seems to work perfectly
> >from within the physical machine the jail is running on.  Pf is
> >totally disabled, and it's a fresh install with no strange services
> >running or unnecessary packages installed.  Can anyone give a hint as
> >to why someone external would be unable to connect to port 80, but
> >able to connect to port 22?
>
> Are the IP's for the host and the jail on the same network?  A look
> at the relevant portions of rc.conf from both the host and the jail
> would be most helpful in troubleshooting the problem.

The rc.conf for the host looks like this:

hostname="host.domain.dom"
sendmail_enable="NO"
inetd_flags="-wW -a 192.168.240.104"
rpcbind_enable="NO"
#ifconfig_fxp0="inet 192.168.240.104 netmask 255.255.127.0"
ifconfig_fxp0="DHCP"
ifconfig_fxp0_alias0="inet 192.168.240.224 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 192.168.240.225 netmask 255.255.255.255"
linux_enable="NO"
moused_enable="NO"
sshd_enable="YES"

And the jail looks like this:

rpcbind_enable="NO"
network_interfaces=""
sendmail_enable="NONE"
sshd_enable="YES"
apache_enable="YES"
apache_flags=""

>
> You'll also want to make sure that sshd in the host is being told to
> listen only to its IP.  If you don't and there's no sshd running in
> the jail, you'll get a connection to the host instead of the jail.

When I log into the jail through ssh from an external computer, I am
logging in to the correct machine:

my-box:~ $ ssh 192.168.240.104
host:~ $ hostname
host
host:~ $

--

my-box:~ $ ssh 192.168.240.224
$ hostname
slave
$

But if I try to telnet to port 80 on the slave, it only works from the
host machine:

my-box:~ $ telnet 192.168.240.224 80
Trying 192.168.240.224
telnet: connect to address 192.168.240.224: Operation timed out
telnet: Unable to connect to remote host

--

host:~ $ telnet 192.168.240.224 80
Trying 192.168.240.224...
Connected to 224-240-168-192.domain.dom.
Escape character is '^]'.

So, apache is clearly running, but not answering to external queries.
Running ifconfig from within the jail gives me:

$ ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.240.224 netmask 0xffffff00 broadcast 192.168.240.255
        ether 00:0e:0c:4e:62:31
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

And I can ping google from within the jail, and that works.  So, any ideas?
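Glenn's point about host daemons needing to be bound to the host's own address can be checked mechanically rather than by eye. The script below is an added example, not code from the thread: it parses `sockstat -4l` output (the FreeBSD listener listing) and reports which jail IPs each wildcard-bound host daemon would answer for. The sample rows and the set of jail IPs are constructed assumptions, including a deliberately misbound host sshd.

```python
# Added example: find host daemons bound to INADDR_ANY ("*") that would
# answer for a jail's IP.  A wildcard listener on the host receives any
# connection to a jail IP on that port unless the jail has its own
# listener bound to that specific address.

# Constructed sample of `sockstat -4l` output; NOT real output from the
# machines in the thread.  The host sshd on *:22 is the misconfiguration.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     sshd       731   4  tcp4   192.168.240.224:22    *:*
www      httpd      805   16 tcp4   192.168.240.224:80    *:*
root     inetd      398   5  tcp4   192.168.240.104:21    *:*
root     syslogd    350   6  udp4   *:514                 *:*
"""

# Assumed jail addresses (the two aliases from the host's rc.conf).
JAIL_IPS = {"192.168.240.224", "192.168.240.225"}


def parse_sockstat(text):
    """Return (command, proto, addr, port) for each row of sockstat -4l."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        addr, _, port = local.rpartition(":")  # "*:22" -> ("*", "22")
        rows.append((command, proto, addr, port))
    return rows


def jail_ports_answered_by_host(rows, jail_ips):
    """Map each wildcard listener to the jail IPs it would answer for.

    A jail IP is shielded on a port only if some process is bound to
    exactly that address and port with the same protocol.
    """
    specific = {(proto, addr, port) for _, proto, addr, port in rows if addr != "*"}
    answered = {}
    for command, proto, addr, port in rows:
        if addr != "*":
            continue
        exposed = sorted(ip for ip in jail_ips if (proto, ip, port) not in specific)
        if exposed:
            answered[(command, proto, port)] = exposed
    return answered


if __name__ == "__main__":
    for (cmd, proto, port), ips in jail_ports_answered_by_host(
            parse_sockstat(SAMPLE_SOCKSTAT), JAIL_IPS).items():
        print(f"{cmd} on *:{port}/{proto} answers for jail IPs: {', '.join(ips)}")
```

On a real box, replace the constructed sample with the output of `sockstat -4l` run on the host; anything reported should be given a `ListenAddress`, `-a`, or equivalent bind option so it stops answering for jail addresses.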
