Problem with jail connecting out
Nikos Vassiliadis
nvass9573 at gmx.com
Wed Jun 17 18:28:16 UTC 2009
Erik Norgaard wrote:
> Steve Bertrand wrote:
>> Erik Norgaard wrote:
>>> Erik Norgaard wrote:
>>>
>>>> I have no problem connecting from the host to the jail, but the other
>>>> way around doesn't work.
>>>>
>>>> Also, related, how do I configure multiple interfaces in a jail?
>>> Second problem solved, starting jail with
>>>
>>> # jail /var/jail jail 127.0.0.2,172.16.0.2 /bin/sh /etc/rc
>>>
>>> So, now I have:
>>>
>>> vr1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
>>> mtu 1500
>>> options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
>>> ether 00:40:63:ee:97:f1
>>> inet 172.16.0.2 netmask 0xffffffff broadcast 172.16.0.2
>>> media: Ethernet autoselect (100baseTX <full-duplex>)
>>> status: active
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>> inet 127.0.0.2 netmask 0xffffffff
>>>
>>> Now, I can connect out on vr1 to 172.16.0.1, but not on lo0 to
>>> 127.0.0.1. Any suggestions what might be wrong?
>>
>> I don't think that it is a wise idea to be using the loopback address
>> space to route packets outside of the OS, and it is even possible that
>> some implementations forbid this behaviour (don't quote me on that).
>
> I have read some recommendations not to use the loopback interface
> without any real explanation, I don't see why it shouldn't work with a
> different IP as for other interfaces - or a cloned loopback.
It's the 127/8 that is special, that is, it's treated specially by the
network stack and is dropped when coming from an interface other
than a loopback one. In general, packets coming into or leaving
the box that have a loopback source/destination address have nothing
special and can be used as any other address.
>> If you want a loopback to be a receive interface, you should clone off a
>> second one (lo1), and assign an IP address to it that was not designed
>> to be short circuited within the host, like this:
>>
>> % grep lo10 /etc/rc.conf
>>
>> cloned_interfaces="lo1 lo3 lo10 ...etc
>>
>> # lo10 (IPv4 iBGP loopback, advertised by OSPF)
>> ifconfig_lo10="UP"
>> ifconfig_lo10="inet 172.16.104.8 netmask 255.255.255.255"
>>
>> From RFC 1700:
>>
>> (g) {127, <any>}
>>
>> Internal host loopback address. Should never appear outside
>> a host.
>
> It won't. It's intended to be strictly local on the internal loopback
> interface.
>
> The idea is to use the loopback interface for connecting between the
> jail and the host while not exposing the jail to the exterior.
>
> Basically, I'm trying to setup a jail for my imap server to migrate my
> mail from the existing server, a last resort clumsy way of upgrading the
> Berkeley DB. Then a script connecting to both services can create
> accounts, folders and copy the mail to the new service.
>
> The idea is that this way I could do it transparently - well, that's the
> theory.
Your theory is correct, and it really works that way in -HEAD and 7.1R
that I have available. But, it's not working when the server is bound
specifically to 127.0.0.1 and not any address. Is your server bound
to any address?
I can connect from 127.2 to 127.1:
lab# sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 1386 4 tcp4 *:22 *:*
Yet, the connection appears to be connected from 127.2 to 127.2
It doesn't work:
lab# sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 1286 3 tcp4 127.0.0.1:22 *:*
Hm, just tested with another loopback address from the
172.16.0.0/16 net and it doesn't have the same problem.
Could you try using something other than 127.1?
That looks like a bug...
Nikos
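A small check for the question asked above ("is your server bound to any address?"), added here as an example and not part of the thread: it classifies one IPv4 TCP listener in `sockstat -4l` output as bound to the wildcard (any address), to a 127/8 loopback address, or to one specific address. The sockstat listing it parses is a constructed sample in the shape of the two listings in the message.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output (same column layout as the
# listings in the thread): USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sshd       1386  4  tcp4   *:22             *:*
root     imapd      1402  5  tcp4   127.0.0.1:143    *:*
root     httpd      1420  6  tcp4   172.16.0.1:80    *:*'

# bound_mode COMMAND PORT  (reads sockstat -4l text on stdin)
# Prints one word for the tcp4 listener of COMMAND on PORT:
#   wildcard : bound to *:PORT, i.e. "any address" (reachable on every
#              address the host owns, including ones assigned to a jail)
#   loopback : bound to one 127/8 address (loopback interface only)
#   specific : bound to one non-loopback address
#   none     : no such tcp4 listener in the listing
bound_mode() {
    cmd=$1; port=$2
    awk -v cmd="$cmd" -v port="$port" '
        $1 == "USER" { next }                       # skip the header row
        $2 == cmd && $5 == "tcp4" {
            n = split($6, a, ":")                   # text after the last ":" is the port
            if (a[n] != port) next
            addr = substr($6, 1, length($6) - length(a[n]) - 1)
            if (addr == "*")          mode = "wildcard"
            else if (addr ~ /^127\./) mode = "loopback"
            else                      mode = "specific"
            found = 1; exit                         # jump to END
        }
        END { print (found ? mode : "none") }'
}

# Stand-alone usage against the sample: the sshd listener from the first listing.
printf '%s\n' "$SAMPLE_SOCKSTAT" | bound_mode sshd 22    # prints: wildcard
```

On a live system replace the sample with `sockstat -4l | bound_mode sshd 22`; the "wildcard" case is the one Nikos reports as working from the jail's 127.0.0.2.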