Jails on FreeBSD 9.0

Herbert J. Skuhra h.skuhra at gmail.com
Tue Jul 17 09:46:36 UTC 2012


On Tue, Jul 17, 2012 at 9:59 AM, Kalle Møller
<freebsd-questions at k-moeller.dk> wrote:
> On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra <h.skuhra at gmail.com> wrote:
>> On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu <joris.dedieu at gmail.com> wrote:
>>> 2012/7/12 Herbert J. Skuhra <h.skuhra at gmail.com>:
>>>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra <h.skuhra at gmail.com> wrote:
>>>>> Hi,
>>>>>
>>>>> although I've followed the instructions in jail(8) and jail.conf(5) I
>>>>> cannot manage to set up jails on FreeBSD 9.0 STABLE (r238334).
>>>>>
>>>>> The symptoms:
>>>>>
>>>>> * ssh'ing to jail works, but it takes about 20 seconds until password
>>>>>   prompt appears
>>>
>>> Is it still the same with UseDNS=no in /etc/ssh/sshd_config?
>>
>> No, I can login instantly.
>>
>>>>> * netstat -r in the jail takes about 150 seconds to finish
>>>
>>> Does netstat -rn do the same?
>>
>> No, the output appears immediately.
>>
>>>>> * connections to the internet time out; with tcpdump I see that
>>>>>   packets leave and enter the public interface on the host, but never
>>>>>   reach the jail
>>>>>
>>>>> I use the lo1 interface and IP address 192.168.1.1/24 for the jail. Public
>>>>> interface is fxp0 with both an IPv4 and an IPv6 address assigned.
>>>>> Of course, NAT is enabled via pf on the public interface.
>>>
>>> Can you post your PF configuration?
>>>>
>>>> After switching to ipfw/natd networking in the jail works.
>>>> Could this be a bug?
>>>
>>> I think you had an issue with the firewall that blocks name resolution and
>>> makes everything go slow. At least you need one single line in your
>>> pf.conf:
>>>
>>> nat on $public_interface from $jail_ip to any -> ($public_interface)
>>
>> Even when loading only the nat rule it doesn't work:
>>
>> nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr
>>
>> Thanks.
>> Herbert
>
>
> As Mark Felder wrote
>
> You don't have anything in /etc/resolv.conf, in the jail do you? :-)

I have two nameservers listed!
If I boot a kernel with ipfirewall/ipdivert and run natd the network
in the jail works!

With pf:

I see the packets going out/coming in on fxp0 but somehow the jail
does not "see" them.

A 'dig www.google.com' in the jail fails with "connection timed out;
no servers could be reached", but

11:39:45.666630 IP xxx.yyy.zzz.64452 >
google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:45.694045 IP google-public-dns-a.google.com.domain >
xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A
173.194.35.177, A 173.194.35.176, A 173.194.35.179, A 173.194.35.180,
A 173.194.35.178 (132)
11:39:50.667799 IP xxx.yyy.zzz.64452 >
google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:50.687083 IP google-public-dns-a.google.com.domain >
xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A
173.194.35.177, A 173.194.35.178, A 173.194.35.179, A 173.194.35.180,
A 173.194.35.176 (132)
11:39:55.668783 IP xxx.yyy.zzz.64452 >
google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:55.675917 IP google-public-dns-a.google.com.domain >
xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A
173.194.35.180, A 173.194.35.177, A 173.194.35.179, A 173.194.35.176,
A 173.194.35.178 (132)

And 'nc 173.194.35.177 80':

11:41:52.176904 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0
11:41:53.382320 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445659753 ecr 8593173,nop,wscale 6], length 0
11:41:54.088585 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http:
Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 8596173 ecr 0], length 0
11:41:54.098838 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0
11:41:55.796638 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445662155 ecr 8593173,nop,wscale 6], length 0
11:41:57.288596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http:
Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale
6,sackOK,TS val 8599373 ecr 0], length 0
11:41:57.299125 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445663650 ecr 8593173,nop,wscale 6], length 0
11:42:00.488595 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http:
Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol],
length 0
11:42:00.498606 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445666834 ecr 8593173,nop,wscale 6], length 0
11:42:00.621724 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445666957 ecr 8593173,nop,wscale 6], length 0
11:42:03.688596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http:
Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol],
length 0
11:42:03.698762 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445670018 ecr 8593173,nop,wscale 6], length 0
11:42:06.888595 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http:
Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol],
length 0
11:42:06.899032 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936:
Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss
1430,sackOK,TS val 1445673202 ecr 8593173,nop,wscale 6], length 0
11:42:13.088586 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http:
Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol],
length 0
[...]

% uname -rms
FreeBSD 9.1-PRERELEASE amd64

Regards,
Herbert
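The nc capture above shows the tell-tale shape of this failure: SYN-ACKs from the peer keep arriving on fxp0, yet the jail keeps retransmitting the same SYN, so the replies reach the wire but never the socket. The following script pulls that diagnosis out of tcpdump output automatically. It is an added example, not part of the original thread or of FreeBSD; the sample lines are taken from the capture quoted in the post (re-joined onto single lines) plus one constructed healthy handshake to a TEST-NET address, which must not be flagged.

```python
import re

# Shape of the tcpdump lines quoted in the post (no -n, so hostnames appear):
# <time> IP <src> > <dst>: Flags [<flags>], seq <n>[, ack <n>], ...
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)(?::\d+)?(?:, ack (?P<ack>\d+))?"
)

# Constructed sample: three SYN/SYN-ACK exchanges from the nc capture in the post,
# re-joined onto single lines, plus one made-up healthy handshake (TEST-NET
# address 203.0.113.5) that must NOT be flagged.
SAMPLE = """\
11:41:52.176904 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0
11:41:54.088585 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8596173 ecr 0], length 0
11:41:54.098838 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0
11:41:57.288596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8599373 ecr 0], length 0
11:41:57.299125 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445663650 ecr 8593173,nop,wscale 6], length 0
11:50:00.000000 IP 192.168.1.1.40000 > 203.0.113.5.80: Flags [S], seq 100, win 65535, length 0
11:50:00.010000 IP 203.0.113.5.80 > 192.168.1.1.40000: Flags [S.], seq 500, ack 101, win 14180, length 0
"""

def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def stuck_handshakes(capture):
    """Map (client, server) -> (syn_count, synack_count) for every flow whose
    client retransmitted its SYN after a matching SYN-ACK had already been seen
    on the captured interface.  A silent remote host gives SYNs with no SYN-ACK
    at all; SYN-ACKs arriving while the client still retries means the reply
    is dropped between the interface and the socket (NAT/filter on the host)."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or m["flags"] not in ("S", "S.") or (m["flags"] == "S." and not m["ack"]):
            continue
        if m["flags"] == "S":
            key, isn = (m["src"], m["dst"]), int(m["seq"])
        else:  # SYN-ACK: key by the client side; the acked number is ISN + 1
            key, isn = (m["dst"], m["src"]), int(m["ack"]) - 1
        f = flows.setdefault(key, {"isn": isn, "syn": [], "synack": []})
        if isn != f["isn"]:  # a later connection attempt with a fresh ISN
            continue
        f["syn" if m["flags"] == "S" else "synack"].append(_secs(m["ts"]))
    return {k: (len(f["syn"]), len(f["synack"])) for k, f in flows.items()
            if f["syn"] and f["synack"] and max(f["syn"]) > min(f["synack"])}
```

Run it over `tcpdump -i fxp0` output captured on the host; a flagged flow is one to check on the jail side (tcpdump on lo1, `pfctl -s state`, `pfctl -s nat`) rather than at the remote end.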

