Re: IPv4 addresses clash / jails not working after reboot…

Yoann Gini yoann.gini at gmail.com
Thu Mar 7 12:29:48 UTC 2013


On 7 March 2013, at 10:58, Boris Samorodov <bsam at passap.ru> wrote:

> 07.03.2013 12:48, Yoann Gini wrote:
> 
>> I need to share this IP, I’ve only one and I would like to avoid playing with NAT…
> 
> One IP may be shared but for different services (ports).

That's what I've understood and what I've planned.

>> If someone has an idea…
> 
> Give some more information:
> 1. OS version, OS arch.

FreeBSD srv0.public.example.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec  4 09:23:10 UTC 2012     root at farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

> 2. Jail configuration (at least one) from /etc and LOCALBASE/etc/ezjail.

What do you want from /etc? Apart from the fstab, I don't see any config there; the fstab looks like this:

/home/jails/basejail /home/jails/front0.public.example.com/basejail nullfs ro 0 0
/usr/ports      /home/jails/front0.public.example.com/usr/ports         nullfs ro 0 0

And here is the ezjail config:

export jail_front0_public_example_com_hostname="front0.public.example.com"
export jail_front0_public_example_com_ip="IPv6Prefix::80,SharedIPv4,10.42.0.2"
export jail_front0_public_example_com_rootdir="/home/jails/front0.public.example.com"
export jail_front0_public_example_com_exec_start="/bin/sh /etc/rc"
export jail_front0_public_example_com_exec_stop=""
export jail_front0_public_example_com_mount_enable="YES"
export jail_front0_public_example_com_devfs_enable="YES"
export jail_front0_public_example_com_devfs_ruleset="devfsrules_jail"
export jail_front0_public_example_com_procfs_enable="YES"
export jail_front0_public_example_com_fdescfs_enable="YES"
export jail_front0_public_example_com_image=""
export jail_front0_public_example_com_imagetype=""
export jail_front0_public_example_com_attachparams=""
export jail_front0_public_example_com_attachblocking=""
export jail_front0_public_example_com_forceblocking=""
export jail_front0_public_example_com_zfs_datasets=""
export jail_front0_public_example_com_cpuset=""
export jail_front0_public_example_com_fib=""

> 3. What do you want to achieve.

I want a setup with:
— srv0 listens only for SSH on an alternate port, for supervision, on the public IPv4/6;
— front0 handles all public services (web, DNS, e-mail) on the public IPv4/6;
— service0 handles internal services (git, redmine, AFP sharepoints…) on a private IP, plus SSH on another alternate port on the public IPv4/6;
— gateway0 acts as a VPN server and web proxy to secure access to the private services on service0, and as a secure gateway that encrypts network traffic for road-warriors on public networks.

In the end, I will dispatch those services onto different servers, but for now I only have access to one system, so I would like to prepare the setup to be dispatched onto different hardware when the budget comes.

Actually, if I remove the SharedIPv4 from the jails, it works.

I've investigated more in the open-socket area and I think the problem comes from Apache, which still listens on *:* even though I've set a Listen directive…
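As an added example (not part of this thread or of ezjail), here is a small Python script that parses the output of FreeBSD's `sockstat -4 -l` and reports the two things that break a shared-IPv4 jail setup: daemons bound to the wildcard address `*`, which claim their port on every IPv4 address the jail holds (the shared one included), and two processes claiming the same port on overlapping addresses. The embedded sockstat listing is constructed; the PIDs, the 203.0.113.10 public address standing in for SharedIPv4, and the 10.42.0.3 private address for a second jail are assumptions.

```python
"""Flag listeners that clash when one IPv4 address is shared between jails.

Added example, not code from the mailing-list thread or from ezjail. It parses
the output of FreeBSD's `sockstat -4 -l` (run on the host, so sockets from all
jails are listed) and reports:
  * sockets bound to the wildcard address `*`, which take the port on every
    IPv4 address of that jail, including the shared one; and
  * ports claimed by more than one process on overlapping addresses, either
    the same concrete address or a wildcard bind (which overlaps everything).
SAMPLE_OUTPUT below is constructed; run `sockstat -4 -l` for real data.
"""
import subprocess
from collections import defaultdict

# Constructed sample: 203.0.113.10 stands in for SharedIPv4, 10.42.0.3 for a
# second jail's private address.  Column order matches FreeBSD sockstat(1).
SAMPLE_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   203.0.113.10:2222     *:*
www      httpd      2345  4  tcp4   *:80                  *:*
www      httpd      2345  5  tcp4   *:443                 *:*
root     sshd       3456  4  tcp4   203.0.113.10:22       *:*
bind     named      4567  20 udp4   203.0.113.10:53       *:*
bind     named      4567  21 tcp4   203.0.113.10:53       *:*
root     sshd       5678  4  tcp4   203.0.113.10:22       *:*
www      httpd      6789  4  tcp4   10.42.0.3:80          *:*
"""


def parse_sockstat(text):
    """Turn sockstat -l lines into dicts; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local, _foreign = fields[:7]
        addr, _, port = local.rpartition(":")   # "*:80" -> ("*", "80")
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "addr": addr, "port": port})
    return rows


def find_wildcard_listeners(rows):
    """Sockets bound to '*' also own the port on the shared IPv4 address."""
    return [r for r in rows if r["addr"] == "*"]


def find_port_conflicts(rows):
    """Return {(proto, port): [pids]} for ports claimed by more than one
    process on overlapping addresses."""
    by_port = defaultdict(list)
    for r in rows:
        by_port[(r["proto"], r["port"])].append(r)
    conflicts = {}
    for key, group in by_port.items():
        pids = {r["pid"] for r in group}
        if len(pids) < 2:
            continue                       # one daemon, possibly several fds
        if any(r["addr"] == "*" for r in group):
            conflicts[key] = sorted(pids)  # wildcard overlaps every address
            continue
        by_addr = defaultdict(set)
        for r in group:
            by_addr[r["addr"]].add(r["pid"])
        clashing = set().union(*[p for p in by_addr.values() if len(p) > 1])
        if clashing:
            conflicts[key] = sorted(clashing)
    return conflicts


def report(text):
    """Human-readable summary of both findings for a sockstat listing."""
    rows = parse_sockstat(text)
    lines = []
    for r in find_wildcard_listeners(rows):
        lines.append("wildcard bind: %s (pid %d) on %s *:%s; bind it to a "
                     "specific address instead" % (r["command"], r["pid"],
                                                    r["proto"], r["port"]))
    for (proto, port), pids in sorted(find_port_conflicts(rows).items()):
        lines.append("port clash: %s/%s claimed by pids %s"
                     % (proto, port, ", ".join(map(str, pids))))
    return "\n".join(lines) if lines else "no shared-IP conflicts found"


if __name__ == "__main__":
    try:   # use the live listing when run on a FreeBSD host
        live = subprocess.run(["sockstat", "-4", "-l"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        live = SAMPLE_OUTPUT            # fall back to the constructed sample
    print(report(live))
```

On the constructed sample the script flags httpd's `*:80` and `*:443` binds and two clashes: port 80 (the wildcard httpd against the other jail's httpd on 10.42.0.3) and port 22 (two sshd instances on the same public address). Fixing the first class means giving each daemon an address-qualified listen directive, e.g. `Listen 203.0.113.10:80` in Apache rather than `Listen 80`, so that it no longer claims the shared address on behalf of its jail.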
