strange routing (?) issues with a jail
tsuraan
tsuraan at gmail.com
Thu Sep 29 06:51:08 PDT 2005
On 28/09/05, Glenn Dawson <glenn at antimatter.net> wrote:
> At 04:08 PM 9/28/2005, tsuraan wrote:
> >I have a freebsd 5.3 machine, with a jailed off machine running in it.
> > Let's call them host and slave (they have seperate IP addresses and
> >hostnames). Within the slave, I have sshd and apache running. In the
> >host, I just have sshd running. From within the slave machine, I can
> >connect to localhost ports 80 and 22, with the expected results. From
> >within the host machine, I can connect to the slave's ports 80 and 22
> >correctly as well. From outside that machine, I can only connect to
> >port 22 on the slave. Attempts to connect to port 80 on the slave
> >time out.
> >
> >The slave is running apache version 1.33+modssl from ports. I have it
> >configured with a basic vhosting setup, and it seems to work perfectly
> >from within the physical machine the jail is running on. Pf is
> >totally disabled, and it's a fresh install with no strange services
> >running or unnecessary packages installed. Can anyone give a hint as
> >to why someone external would be unable to connect to port 80, but
> >able to connect to port 22?
>
> Are the IP's for the host and the jail on the same network? A look
> at the relevant portions of rc.conf from both the host and the jail
> would be most helpful in troubleshooting the problem.
The rc.conf for the host looks like this:
hostname="host.domain.dom"
sendmail_enable="NO"
inetd_flags="-wW -a 192.168.240.104"
rpcbind_enable="NO"
#ifconfig_fxp0="inet 192.168.240.104 netmask 255.255.127.0"
ifconfig_fxp0="DHCP"
ifconfig_fxp0_alias0="inet 192.168.240.224 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 192.168.240.225 netmask 255.255.255.255"
linux_enable="NO"
moused_enable="NO"
sshd_enable="YES"
And the jail looks like this:
rpcbind_enable="NO"
network_interfaces=""
sendmail_enable="NONE"
sshd_enable="YES"
apache_enable="YES"
apache_flags=""
>
> You'll also want to make sure that sshd in the host is being told to
> listen only to it's IP. If you don't and there's no sshd running in
> the jail, you'll get a connection to the host instead of the jail.
When I log into the jail through ssh from an external computer, I am
logging in to the correct machine:
my-box:~ $ ssh 192.168.240.104
host:~ $ hostname
host
host:~ $
--
my-box:~ $ ssh 192.168.240.224
$ hostname
slave
$
But if I try to telnet to port 80 on the slave, it only works from the
host machine:
my-box:~ $ telnet 192.168.240.224 80
Trying 192.168.240.224
telnet: connect to address 192.168.240.224: Operation timed out
telnet: Unable to connect to remote host
--
host:~ $ telnet 192.168.240.224 80
Trying 192.168.240.224...
Connected to 224-240-168-192.domain.dom.
Escape character is '^]'.
So, apache is clearly running, but not answering to external queries.
Running ifconfig from within the jail gives me:
$ ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.240.224 netmask 0xffffff00 broadcast 192.168.240.255
ether 00:0e:0c:4e:62:31
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
And I can ping google from within the jail, and that works. So, any ideas?
More information about the freebsd-questions
mailing list