Problem with jail connecting out

Nikos Vassiliadis nvass9573 at gmx.com
Wed Jun 17 18:28:16 UTC 2009


Erik Norgaard wrote:
> Steve Bertrand wrote:
>> Erik Norgaard wrote:
>>> Erik Norgaard wrote:
>>>
>>>> I have no problem connecting from the host to the jail, but the other
>>>> way around doesn't work.
>>>>
>>>> Also, related, how do I configure multiple interfaces in a jail?
>>> Second problem solved, starting jail with
>>>
>>>   # jail /var/jail jail 127.0.0.2,172.16.0.2 /bin/sh /etc/rc
>>>
>>> So, now I have:
>>>
>>> vr1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
>>> mtu 1500
>>>     options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
>>>     ether 00:40:63:ee:97:f1
>>>     inet 172.16.0.2 netmask 0xffffffff broadcast 172.16.0.2
>>>     media: Ethernet autoselect (100baseTX <full-duplex>)
>>>     status: active
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>     inet 127.0.0.2 netmask 0xffffffff
>>>
>>> Now, I can connect out on vr1 to 172.16.0.1, but not on lo0 to
>>> 127.0.0.1. Any suggestions what might be wrong?
>>
>> I don't think that it is a wise idea to be using the loopback address
>> space to route packets outside of the OS, and it is even possible that
>> some implementations forbid this behaviour (don't quote me on that).
> 
> I have read some recommendations not to use the loopback interface 
> without any real explanation, I don't see why it shouldn't work with a 
> different IP as for other interfaces - or a cloned loopback.

It's the 127/8 that is special, that is, it's treated specially by the
network stack and is dropped when coming from an interface other
than a loopback one. In general, packets that come into/leave
the box that have a loopback source/destination address have nothing
special and can be used as any other address.

>> If you want a loopback to be a receive interface, you should clone off a
>> second one (lo1), and assign an IP address to it that was not designed
>> to be short circuited within the host, like this:
>>
>> % grep lo10 /etc/rc.conf
>>
>> cloned_interfaces="lo1 lo3 lo10 ...etc
>>
>> # lo10 (IPv4 iBGP loopback, advertised by OSPF)
>> ifconfig_lo10="UP"
>> ifconfig_lo10="inet 172.16.104.8 netmask 255.255.255.255"
>>
>> From RFC 1700:
>>
>>       (g)   {127, <any>}
>>
>>          Internal host loopback address.  Should never appear outside
>>          a host.
> 
> It won't. It's intended to be strictly local on the internal loopback 
> interface.
> 
> The idea is to use the loopback interface for connecting between the 
> jail and the host while not exposing the jail to the exterior.
> 
> Basically, I'm trying to setup a jail for my imap server to migrate my 
> mail from the existing server, a last resort clumsy way of upgrading the 
> Berkeley DB. Then a script connecting to both services can create 
> accounts, folders and copy the mail to the new service.
> 
> The idea is that this way I could do it transparently - well, that's the 
> theory.

Your theory is correct, and it really works that way in -HEAD and 7.1R
that I have available. But, it's not working when the server is bound
specifically to 127.0.0.1 and not any address. Is your server bound
to any address?

I can connect from 127.2 to 127.1:
lab# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1386  4  tcp4   *:22                  *:*
Yet, the connection appears to be connected from 127.2 to 127.2

It doesn't work:
lab# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1286  3  tcp4   127.0.0.1:22          *:*

Hm, just tested with another loopback address from the
172.16.0.0/16 net and it doesn't have the same problem.
Could you try using something other than 127.1?
That looks like a bug...

Nikos
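An added example, not part of the thread: a small script that takes `sockstat -4l` output (here a constructed sample modelled on the listings above, not a real capture) and classifies each listener according to the behaviour Nikos reports, a wildcard bind accepting connections from the jail's 127.0.0.2 alias while a bind to exactly 127.0.0.1 does not. It is a quick way to inventory which host services such a jail can and cannot reach; the function names and the sample lines are assumptions.

```sh
#!/bin/sh
# Constructed sockstat -4l output modelled on the thread (not captured from a real host).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1386  4  tcp4   *:22                  *:*
root     sshd       1286  3  tcp4   127.0.0.1:22          *:*
root     imapd      1400  5  tcp4   172.16.0.1:143        *:*
root     syslogd    900   6  udp4   127.0.0.1:514         *:*'

# classify_listeners: reads sockstat -4l text from $1 and prints
# "<command> <local address> <verdict>" for every listening socket.
# Verdicts follow the observation in the thread: a wildcard bind (*:port)
# is reachable from a jail on a 127/8 alias, a bind pinned to 127.0.0.1 is not.
classify_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        split($6, a, ":")                 # LOCAL ADDRESS field is "addr:port"
        addr = a[1]
        if (addr == "*")
            verdict = "wildcard-reachable-from-jail"
        else if (addr == "127.0.0.1")
            verdict = "bound-127.0.0.1-unreachable-from-jail"
        else
            verdict = "bound-" addr        # other addresses: depends on routing, report as-is
        print $2, $6, verdict
    }'
}

# count_exact_loopback: number of listeners pinned to 127.0.0.1, the case that
# fails from the jail in the thread. Run on real output with:
#   count_exact_loopback "$(sockstat -4l)"
count_exact_loopback() {
    classify_listeners "$1" | grep -c 'bound-127.0.0.1-unreachable-from-jail'
}

classify_listeners "$SAMPLE"
```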

