How to connect a jail to the web?
berrandonea at yahoo.fr
Wed Aug 11 18:24:55 UTC 2010
Thank you very much for your answer. It helped me understand some elements. But
portsnap still doesn't work.
>> So, I can't contact DNS servers able to translate www.freebsd.org to
>> its ip. Since I know this ip, I tried: "ping 188.8.131.52". This
>> time, the error message is:
>> ping: socket: Operation not permitted
>ping(1) uses raw sockets in order to be able to send and
>receive ICMP packets. By default, raw sockets are disallowed
>in jails. To change that, use this command on the host:
>Add an entry to /etc/sysctl.conf so the setting will survive
I did it but ping still doesn't work.
>> 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
>Well, localnet addresses are not routed. If you give your
>jail a localnet address, it won't be able to access the
>network outside of the host. (Unless you take measures
>to rewrite/translate the addresses and forward them.)
>That's why DNS and portsnap don't work.
>I suggest using the address 192.168.1.38 for the jail,
>at least during installation. Make sure that the file
>/etc/resolv.conf inside the jail is correct, so DNS will
>work. Copying it from the host should be sufficient.
Isn't 192.168.1.38 a localnet address too? Do you mean I should use the public
ip of my computer here?
> By the way, you don't have to build ports inside the jail.
> Of course you *can* do that, but there are other ways, too.
> For example, you could build packages (apache etc.) on
> the host, or in a different jail, or even on a different
> machine, and then use pkg_add(8) inside your jail to
> install them.
I prefer doing it that way. I will use apache later so I will have to connect the
jail to the internet anyway.
>> And also how the computer knows which data is for the jail and which
>> one is for the loopback.
>Services (such as apache) listen on certain ports for
>connections. For example, the default port for the HTTP
>protocol is 80. So, when someone is trying to open a
>connection to your IP address on port 80, your kernel
>looks it up in its table of listening TCP sockets and
>finds the apache process which is running inside the jail.
>So the connection is handed to the jail.
>(This is a bit oversimplifying, but basically that's how
OK. This is clear. And it explains how multiple jails can share the same
>> Despite the sshd_enable="YES" line, I can't ssh from the host to the
>> jail. Well, I can... The first time I did it, I was asked if I wanted
>> to add the jail to the list of known hosts. I did it. No problem
>> there. But, immediately after that, instead of displaying "login :",
>> the system displayed "passwd :".
>That's normal. ssh never asks for the login. You can use the -l
>option if you need to specify a different user name (or put it in your
Of course. I'm losing my mind with all that jail trouble. It works perfectly
well with the -l option.
> Some paranoid people have a special "login jail". They
> ssh into the login jail, then log into the host or into
> other jails from there. The host accepts ssh only from
> localhost. But please forget this immediately; we don't
> want to make things more complicated than necessary.
I thought it was intended to be impossible to access the host from the jail. But
you're right: I'll forget that.
So, we're progressing. But the problem is not over yet. Any other idea?
Have a good evening, anyway.
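The reply quoted in this message turns on three separate conditions: which kind of address the jail has (a 127.0.0.0/8 loopback address never leaves the host, whereas an RFC 1918 address such as 192.168.1.38 is routed on the LAN), whether the host lets jails open raw sockets (which ping needs), and whether the jail's /etc/resolv.conf names a resolver. The preflight script below is an added example, not part of this thread or of FreeBSD's own tooling. It assumes the host knob is the sysctl security.jail.allow_raw_sockets, which the quoted reply does not name and which is taken from FreeBSD's documentation; the jail path in the usage comment is a placeholder. Each check takes its input as an argument or on stdin, so it can also be run offline on constructed data.

```shell
#!/bin/sh
# Preflight checks for jail networking (added example, not from the thread).
# Each check takes its input as an argument or on stdin so it runs offline on
# constructed data as well as on a real host.

# Classify a dotted-quad IPv4 address as "loopback" (127.0.0.0/8, never leaves
# the host), "private" (RFC 1918: usable on the LAN, not routed on the public
# internet) or "public". Returns 1 on malformed input.
addr_scope() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    if [ "$1" -eq 127 ]; then
        echo loopback
    elif [ "$1" -eq 10 ] ||
         { [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; } ||
         { [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; }; then
        echo private
    else
        echo public
    fi
}

# Interpret one line of `sysctl security.jail.allow_raw_sockets` output from
# the host, e.g. "security.jail.allow_raw_sockets: 0" (sysctl name assumed from
# FreeBSD documentation). Prints "enabled" or "disabled"; returns 1 if the line
# is some other sysctl.
raw_sockets_state() {
    case "$1" in
        'security.jail.allow_raw_sockets: '*) ;;
        *) return 1 ;;
    esac
    if [ "${1##*: }" -eq 1 ] 2>/dev/null; then
        echo enabled
    else
        echo disabled
    fi
}

# Succeed if the resolv.conf on stdin names at least one resolver; without
# one, lookups inside the jail fail even when routing is fine.
has_nameserver() {
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9A-Fa-f.:]+'
}

# Summarise the three checks, one line per finding.
#   $1  jail address, $2  sysctl output line, stdin  the jail's resolv.conf
preflight() {
    scope=$(addr_scope "$1") || scope=invalid
    case "$scope" in
        loopback) echo "address $1: loopback, cannot reach the network outside the host" ;;
        private)  echo "address $1: private LAN address, routed on the local network" ;;
        public)   echo "address $1: public address" ;;
        *)        echo "address $1: not a valid IPv4 address" ;;
    esac
    state=$(raw_sockets_state "$2") || state=unknown
    echo "raw sockets in jails: $state (ping needs them; leave disabled if the jail does not)"
    if has_nameserver; then
        echo "resolv.conf: nameserver present"
    else
        echo "resolv.conf: no nameserver line, DNS will fail"
    fi
}

# On a real host this would be (jail path is a placeholder):
#   preflight 192.168.1.38 "$(sysctl security.jail.allow_raw_sockets)" \
#       < /path/to/jail/etc/resolv.conf
# Offline demonstration with constructed data:
printf 'nameserver 192.168.1.1\n' |
    preflight 127.0.0.1 'security.jail.allow_raw_sockets: 0'
```

The raw-socket line is reported rather than changed on purpose: enabling raw sockets widens what a jailed process can do with the network stack, so it is worth turning on only for a jail that actually needs ping or similar tools, and checking the state from the host before deciding.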