How to connect a jail to the web ?

Brice ERRANDONEA berrandonea at yahoo.fr
Sat Aug 14 10:02:32 UTC 2010



I had a break with this yesterday. I've just tried your suggestions. It still 
doesn't work but the error message has changed.

>> On the host when the jail is running :
>>
>> FreeBSD# jls
>>    JID  IP Address      Hostname                      Path
>>      1  93.0.168.242    MaPrison                      /usr/prison
>> FreeBSD# ifconfig
>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>        options=8<VLAN_MTU>
>>        ether 00:11:09:15:72:6a
>>        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>>        inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>>        media: Ethernet autoselect (100baseTX <full-duplex>)

> Where did you get that second IP address from?  Did you just
> add it manually?  Or is that the address that your gateway
> (DSL router, whatever) got assigned from your ISP?

I added it manually in rc.conf (on the host) :

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="93.0.168.242" 

I chose it because that's my computer's public IP, at least according to this 
website: http://whatismyipaddress.com/

> I assume that IP address is not really routed to your host,
> but that NAT (Network Address Translation) is used on your
> router.  So you cannot use that address on the host.
> (If that's not true, please explain the structure of your
> network in more detail.)

My network is very simple. I've got a kind of modem provided by my phone 
company. It's called a "neufbox" and acts as a gateway. Its address is 
192.168.1.1. This "neufbox" is connected to :

- the phone network
- a phone
- the FreeBSD computer through an ethernet wire
- two other computers via wifi

When I browse address 192.168.1.1 with Firefox, I can see a page telling me this is 
the neufbox, that internet and the phone are working, that the TV is not 
connected (that's true) and that its public IP address is 93.0.168.242. It also 
gives its MAC address and various other info.

> So, if my assumptions are true, you must use the address
> 192.168.1.38 for your jail. 

OK. In /etc/rc.conf, I changed this line (see above):
jail_server_ip="192.168.1.38"

> Make sure that DNS is working
> inside the jail ...  It should be sufficient to copy
> /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

/etc/resolv.conf only contains this single line : nameserver 192.168.1.1

I placed a copy of this file in the jail.

After these changes and a complete reboot, I launched the jail and tried a 
portsnap fetch:

FreeBSD# /etc/rc.d/jail onestart server
Configuring jails:.
Starting jails: MaPrison.
FreeBSD# jls
   JID  IP Address      Hostname                      Path
     1  192.168.1.38    MaPrison                      /usr/prison
FreeBSD# jexec 1 portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 
/usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1699: internal_send: 192.168.1.1#53: Invalid argument

/usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1699: internal_send: 192.168.1.1#53: Invalid argument

none found.

Fetching public key from portsnap.FreeBSD.org... failed.

No mirrors remaining, giving up.

FreeBSD#

Then, Firefox (on the host) was no longer able to browse. I tried this on the 
host:

FreeBSD# ping www.freebsd.org
ping: cannot resolve www.freebsd.org: Host name lookup failure

In other words, it appeared that DNS was no longer working, even on the host.

I rebooted again. This time, I didn't launch the jail. ping and Firefox worked 
perfectly well on the host, as they always had before.

> If it still doesn't work:  Are you using any packet filter
> (ipfw, ipf, pf)?  If so, please show the complete list of
> rules.

No, I don't. You told me it was not necessary.

> Otherwise, it might help to run tcpdump(1) on the host, so
> you can see the actual packets that are transmitted and
> received.

Here's what tcpdump says when the jail is NOT running (but Firefox is):

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:08:50.300910 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 263
09:08:50.301378 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 335
09:08:50.301822 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 331
09:08:50.302275 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 311
09:08:50.302933 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 343
09:08:50.303485 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 325
09:08:50.303938 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.304383 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
09:08:51.917971 IP FreeBSD.32837 > neufbox.domain: 24447+ PTR? 38.1.168.192.in-addr.arpa. (43)
09:08:51.918870 IP neufbox.domain > FreeBSD.32837: 24447* 1/0/0 (64)
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
FreeBSD#

Then, I started the jail. Firefox immediately stopped being able to browse 
websites. I tried a tcpdump on the host while running portsnap fetch in the jail:

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:43:50.334064 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:43:50.334499 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:43:50.334966 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:43:50.335402 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:43:50.335944 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:43:50.336560 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.333341 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:44:20.333807 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:44:20.334246 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:44:20.334684 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:44:20.335165 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:44:20.335603 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:44:20.336040 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.336480 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
FreeBSD#

If you compare these two tcpdump outputs, you can see that the word "neufbox" is 
replaced by 192.168.1.1. It confirms that DNS is no longer running.

Not easy...

Brice
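The two captures above can be compared mechanically rather than by eye. The script below is an added example (not code from the thread or from FreeBSD): it parses tcpdump's default one-line-per-packet output, glues back together lines that a mail client wrapped, and reports whether any DNS query (UDP/TCP port 53, printed as "domain" by tcpdump) ever reached the wire and whether a server answered. That distinction matters here: a resolver error such as "internal_send: ... Invalid argument" is a local sendto() failure, so the expected signature is a capture with no port-53 packets at all, as opposed to queries that leave the host and get no reply. It also lists the endpoints tcpdump printed as names: those names come from tcpdump's own reverse lookups on the host (suppressed with -n), not from the captured traffic. The sample captures and the host names "neufbox" and "FreeBSD" are constructed from the output quoted above; the "unanswered" case is invented for illustration.

```python
import re
from collections import Counter

# Constructed sample captures in the shape of the two tcpdump runs in the thread
# (the lines that the mail client wrapped are joined back together here).
CAPTURE_WITH_DNS = """\
09:08:50.300910 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 263
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
^C
5 packets captured
"""

CAPTURE_WITHOUT_DNS = """\
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
"""

# Constructed third case (not from the thread): queries reach the wire but nothing answers.
CAPTURE_UNANSWERED = """\
09:50:00.000001 IP 192.168.1.38.40000 > 192.168.1.1.domain: 100+ A? portsnap.FreeBSD.org. (38)
09:50:05.000002 IP 192.168.1.38.40000 > 192.168.1.1.domain: 100+ A? portsnap.FreeBSD.org. (38)
"""

TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")          # a packet line starts with a timestamp
SUMMARY_RE = re.compile(r"^(\^C|\d+ packets )")        # tcpdump's trailer after ^C
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): (?P<rest>.*)$"
)
DNS_PORTS = {"domain", "53"}   # tcpdump prints the service name unless run with -n


def unwrap(text):
    """Rebuild one line per packet: continuation lines (mail wrapping) are glued to the preceding packet line."""
    packets = []
    for line in text.splitlines():
        if TS_RE.match(line):
            packets.append(line.rstrip())
        elif packets and line.strip() and not SUMMARY_RE.match(line):
            packets[-1] += " " + line.strip()
    return packets


def parse(text):
    """One dict (ts, src, sport, dst, dport, rest) per IP packet line tcpdump printed."""
    return [m.groupdict() for m in map(PKT_RE.match, unwrap(text)) if m]


def dns_summary(text):
    """Count queries (to port 53) and responses (from port 53), keyed by the server as tcpdump printed it."""
    queries, responses = Counter(), Counter()
    for p in parse(text):
        if p["dport"] in DNS_PORTS:
            queries[p["dst"]] += 1
        elif p["sport"] in DNS_PORTS:
            responses[p["src"]] += 1
    return {"queries": queries, "responses": responses}


def diagnose(text):
    """'no-queries' (sender failed locally), 'no-responses' (server or path problem) or 'answered'."""
    s = dns_summary(text)
    if not s["queries"]:
        return "no-queries"
    if not s["responses"]:
        return "no-responses"
    return "answered"


def resolved_hosts(text):
    """Endpoints tcpdump printed as names rather than addresses; these reflect the capturing
    host's own reverse lookups (disable with -n), not anything about the traffic itself."""
    names = set()
    for p in parse(text):
        for end in (p["src"], p["dst"]):
            if not re.fullmatch(r"[\d.]+", end):
                names.add(end)
    return names


if __name__ == "__main__":
    for label, cap in (("jail stopped", CAPTURE_WITH_DNS),
                       ("jail running", CAPTURE_WITHOUT_DNS),
                       ("constructed", CAPTURE_UNANSWERED)):
        print(f"{label:12s} {diagnose(cap):13s} names={sorted(resolved_hosts(cap))}")
```

For a live check, capture only resolver traffic and without name lookups (for example `tcpdump -n -i rl0 udp port 53`, saved to a file) and feed the text to `diagnose()`; with `-n` the capture itself no longer depends on DNS working, which is exactly the condition under test.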



________________________________
From: Oliver Fromme <olli at lurza.secnetix.de>
To: freebsd-questions at FreeBSD.ORG; berrandonea at yahoo.fr
Sent: Thu 12 Aug 2010, 17:52:24
Subject: Re: Re : Re : How to connect a jail to the web ?

Brice ERRANDONEA <berrandonea at yahoo.fr> wrote:
> On the host, when the jail is not running :
> 
> %ifconfig
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)

OK, so 192.168.1.38 is the only (non-localnet) IP address that
you have.  You should use that one for your jail.

> On the host when the jail is running :
> 
> FreeBSD# jls
>    JID  IP Address      Hostname                      Path
>      1  93.0.168.242    MaPrison                      /usr/prison
> FreeBSD# ifconfig
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>         media: Ethernet autoselect (100baseTX <full-duplex>)

Where did you get that second IP address from?  Did you just
add it manually?  Or is that the address that your gateway
(DSL router, whatever) got assigned from your ISP?

I assume that IP address is not really routed to your host,
but that NAT (Network Address Translation) is used on your
router.  So you cannot use that address on the host.
(If that's not true, please explain the structure of your
network in more detail.)

So, if my assumptions are true, you must use the address
192.168.1.38 for your jail.  Make sure that DNS is working
inside the jail ...  It should be sufficient to copy
/etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

If it still doesn't work:  Are you using any packet filter
(ipfw, ipf, pf)?  If so, please show the complete list of
rules.

Otherwise, it might help to run tcpdump(1) on the host, so
you can see the actual packets that are transmitted and
received.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"C++ is the only current language making COBOL look good."
        -- Bertrand Meyer
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
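Oliver's reasoning above (the host has exactly one non-loopback address, 192.168.1.38/24; the public 93.0.168.242 lives on the NAT gateway, so it cannot serve as the jail's address) can be turned into a check that runs before a jail is started. The script below is an added example, not code from the thread or from FreeBSD's rc.d/jail: it reads `ifconfig` and `jls` output in the column layout shown in this thread and, for each jail, reports whether its address is the interface's own primary address (shared with the host), an extra alias, or not configured on the host at all; whether it falls inside a subnet the host is actually attached to; and whether it is a private (RFC 1918) address. The sample `ifconfig` and `jls` text is constructed from the output quoted above, with a loopback entry added; the tag names are this example's own.

```python
import ipaddress
import re

# Constructed from the ifconfig output in the thread, plus a loopback interface.
IFCONFIG_SAMPLE = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:11:09:15:72:6a
        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
        inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
        media: Ethernet autoselect (100baseTX <full-duplex>)
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

# Constructed jls output for the two configurations tried in the thread.
JLS_PUBLIC = """\
   JID  IP Address      Hostname                      Path
     1  93.0.168.242    MaPrison                      /usr/prison
"""
JLS_PRIVATE = """\
   JID  IP Address      Hostname                      Path
     1  192.168.1.38    MaPrison                      /usr/prison
"""

INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]+)")


def host_addresses(ifconfig_text):
    """Interface name -> IPv4Interface list in ifconfig order (the first entry is the primary address)."""
    ifaces, current = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace() and ":" in line:   # "rl0: flags=..." starts a new interface
            current = line.split(":", 1)[0]
            ifaces[current] = []
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            mask = ipaddress.IPv4Address(int(m.group(2), 16))   # 0xffffff00 -> 255.255.255.0
            ifaces[current].append(ipaddress.ip_interface(f"{m.group(1)}/{mask}"))
    return ifaces


def jail_addresses(jls_text):
    """JID -> (ip, hostname, path) from the default four-column jls listing."""
    jails = {}
    for line in jls_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            jails[parts[0]] = (parts[1], parts[2], parts[3])
    return jails


def check_jail_addresses(ifconfig_text, jls_text):
    """Tag each jail's address with [placement, reachability, scope].

    placement: 'shares-host-primary' (the interface's own address), 'alias' (an extra
               address on some interface) or 'not-configured' (no interface owns it).
    reachability: 'on-link' if a non-loopback interface's primary subnet contains it,
               else 'off-link' (as 93.0.168.242 is relative to 192.168.1.0/24).
    scope: 'private' for RFC 1918 space, else 'public'.
    """
    ifaces = host_addresses(ifconfig_text)
    findings = {}
    for jid, (ip, _hostname, _path) in jail_addresses(jls_text).items():
        addr = ipaddress.ip_address(ip)
        positions = [i for addrs in ifaces.values() for i, a in enumerate(addrs) if a.ip == addr]
        if not positions:
            placement = "not-configured"
        elif 0 in positions:
            placement = "shares-host-primary"
        else:
            placement = "alias"
        on_link = any(addrs and not addrs[0].ip.is_loopback and addr in addrs[0].network
                      for addrs in ifaces.values())
        scope = "private" if addr.is_private else "public"
        findings[jid] = [placement, "on-link" if on_link else "off-link", scope]
    return findings


if __name__ == "__main__":
    for label, jls in (("public address", JLS_PUBLIC), ("host's address", JLS_PRIVATE)):
        print(f"{label:15s} {check_jail_addresses(IFCONFIG_SAMPLE, jls)}")
```

On a real host the two inputs are simply the text of `ifconfig` and `jls`; an "off-link" or "not-configured" tag is the case Oliver describes, where the chosen address is not one the host can send from on its own network, and "shares-host-primary" flags that the jail and the host are using the same address and will contend for the same ports.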



      

