ezjail

Aiza aiza21 at comclark.com
Mon Mar 22 09:47:14 UTC 2010


Mark Shroyer wrote:
> On 3/21/2010 8:21 PM, Aiza wrote:
>> Does the IP address notation for the jail include the port number?
>> Like 10.0.20.2:80? NAT port forwarding is the long way around just to get
>> the correct port number to the jail IP address.
> 
> Nope, jails are assigned one (or more) specific IP addresses, but not
> specific port numbers.  So if you don't have a separate public IP for
> your jail, you'll be relying on some sort of packet filter to redirect
> traffic to its private IP address.
> 
> This isn't as big a deal as it may sound, especially if you're already
> using PF, which has built-in packet redirection capabilities that do not
> require you to run a separate NAT daemon.
> 
> 

My host 8.0 system is the gateway to the public internet.
I have ipfilter running, blocking all inbound requests for service.
I only allow outbound requests from the LAN behind the gateway and use 
keep state to allow the packet conversation to continue. All this has 
worked fine for years across many releases of FreeBSD.

Now comes playing with jails. I created 3 jails, www, ftp and telnet, and 
used the IP addresses 10.0.20.20, 10.0.20.30 and 10.0.20.40. The goal is to 
target those jails from other PCs on the private LAN that use IP 
addresses in the 10.0.10.2 through 10.0.10.8 range.

I used ezjail-admin onestart and all the jails start. Then I did 
ezjail-admin console ftp.local.com and got logged into that jail. I edited 
/etc/inetd.conf and uncommented the ftp line, edited /etc/rc.conf adding 
inetd_enable="YES", and exited the ftp jail. I did ezjail-admin onestop 
followed by ezjail-admin onestart to cycle the ftp jail to activate the 
ftp function, then ezjail-admin console ftp.local.com to get logged into that 
jail again. From within the jail, ping -c 2 10.0.10.6 (which is a PC 
on the LAN) gives me a "no sockets" message. And ftp from 10.0.10.6 to 
10.0.20.30 (the ftp jail) gives me a no connection error.

What is the problem here?
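To make Mark's point about PF redirection concrete, here is an added example of a minimal /etc/pf.conf for a gateway that owns the public IP and runs the www and ftp jails from this thread on their private 10.0.20.x addresses. It is not from the thread or from ezjail; the interface names em0/em1 are assumptions, and the syntax is the pre-9.x rdr/nat form that matches a FreeBSD 8.0 host.

```pf
# Added example, not from the thread. Interface names are assumptions.
ext_if = "em0"          # assumed public-facing interface
int_if = "em1"          # assumed LAN interface (10.0.10.0/24)
www_jail = "10.0.20.20" # jail addresses as given in the thread
ftp_jail = "10.0.20.30"

# Source NAT for LAN and jail traffic leaving for the internet; this is the
# built-in PF translation that replaces a separate NAT daemon.
nat on $ext_if from { 10.0.10.0/24, 10.0.20.0/24 } to any -> ($ext_if)

# Redirect only the ports each jail is meant to serve. A jail has an IP
# address but no port of its own, so the public port is mapped to the
# jail address here. Anything else arriving on $ext_if stays blocked by
# the default-deny rule below.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_jail port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_jail port 21

# Default deny inbound, logged so blocked attempts show up in pflog.
block in log all
pass out quick keep state

# rdr rewrites the destination before filtering, so the pass rules must
# match on the jail address, not on the public IP.
pass in on $ext_if proto tcp from any to $www_jail port 80 flags S/SA keep state
pass in on $ext_if proto tcp from any to $ftp_jail port 21 flags S/SA keep state
# Note: port 21 alone covers the FTP control channel only; passive-mode
# data connections need the jail's ftpd passive port range redirected too.

# LAN clients talk to the jails directly by their 10.0.20.x addresses.
pass in on $int_if from 10.0.10.0/24 to 10.0.20.0/24 keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -s nat` / `pfctl -s rules` afterwards to confirm only the intended ports are redirected.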
