jailed "system" needs ipv4 access

Kris Kennaway kris at obsecurity.org
Tue Feb 17 14:23:49 PST 2004


On Tue, Feb 17, 2004 at 12:49:51PM +0000, John wrote:
> Hello
> 
> I made a jail for a domain I host, according to the man page for jail.
> It runs great and I can ssh and telnet on port 25 into it from the host.
> 
> What I would like the root user to be able to do inside the jail is to
> ssh to other boxes and use the ports collection. I have set the
> following sysctls:
> 
> jail.set_hostname_allowed=0
> jail.socket_unixiproute_only=0  
> 
> (the man page says:
> Processes within jails may only access protocols in the following
> domains: PF_LOCAL, PF_INET, and PF_ROUTE, permitting
> them access to UNIX domain sockets, IPv4 addresses, and
> routing sockets.  To enable access to other domains, this
> MIB variable may be set to 0.)
> 
> I wanted it to access as much as possible ipv4-wise from inside the
> jail.
> 
> I have set the 2nd MIB to 0 for this reason, but to no avail.
> 
> Is it possible for ssh and ftp to work from inside? I want root to
> install ports from within.

Yes, that's one of the features of jail.  You know that IP address you
assigned to the jail when you created it?  You just need to make that
routable to your destination machine, as you would for any other IP
address (turn on IP forwarding on the machine that hosts the jail,
make sure the route table is set up correctly, etc).

Kris
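
An added example, not part of the exchange above: the host-side steps Kris describes, written as a FreeBSD sh script. The interface (fxp0), jail address (192.0.2.10), jail root (/usr/jail/example.org) and hostname (example.org) are placeholders I chose, not values from the thread; override them in the environment. Two caveats a practitioner would want alongside it: jail.socket_unixiproute_only already permits PF_INET at its default of 1, so setting it to 0 only widens the protocol families a jailed process may open and is not needed for ssh or fetch; and net.inet.ip.forwarding matters when the jail address sits on a subnet the host has to route for, while a private jail address additionally needs NAT on the host before it can reach machines beyond the local network.

```sh
#!/bin/sh
# Added example, not code from the original thread.  Gives a FreeBSD jail an
# IPv4 address the rest of the network can reach, so root inside the jail can
# ssh out and fetch ports distfiles.  The interface, address, jail root and
# hostname below are hypothetical placeholders; override them in the environment.
JAIL_IF=${JAIL_IF:-fxp0}
JAIL_IP=${JAIL_IP:-192.0.2.10}
JAIL_ROOT=${JAIL_ROOT:-/usr/jail/example.org}
JAIL_HOST=${JAIL_HOST:-example.org}

# A jail address must be a real unicast dotted quad: loopback, 0/8 or a
# partial address can never be routed to a destination machine.
# Returns 0 when the address is usable, 1 otherwise.
jail_ip_ok() {
    ip=$1
    case "$ip" in
        ''|.*|*.|*..*|127.*|0.*) return 1 ;;
    esac
    n=0
    oldifs=$IFS
    IFS=.
    for octet in $ip; do
        case "$octet" in
            ''|*[!0-9]*) IFS=$oldifs; return 1 ;;
        esac
        if [ "$octet" -gt 255 ]; then IFS=$oldifs; return 1; fi
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# rc.conf(5) lines that make the alias and forwarding survive a reboot.
rc_conf_lines() {
    printf '%s\n' \
        "ifconfig_${JAIL_IF}_alias0=\"inet ${JAIL_IP} netmask 255.255.255.255\"" \
        'gateway_enable="YES"'
}

# Live setup on the host (run as root).  The alias puts the jail address on the
# host interface; forwarding lets the host pass traffic for it when the address
# is on a subnet the host routes for.  The jail reads its own /etc/resolv.conf,
# so it gets a copy of the host's.
jail_net_up() {
    jail_ip_ok "$JAIL_IP" || { echo "unusable jail address: $JAIL_IP" >&2; return 1; }
    sysctl -w net.inet.ip.forwarding=1
    ifconfig "$JAIL_IF" alias "$JAIL_IP" netmask 255.255.255.255
    cp /etc/resolv.conf "$JAIL_ROOT/etc/resolv.conf"
}

# Prove the path works from inside: every socket a jailed process opens is
# bound to JAIL_IP, so a successful fetch means replies route back to it.
jail_net_check() {
    jail "$JAIL_ROOT" "$JAIL_HOST" "$JAIL_IP" \
        /usr/bin/fetch -o /dev/null http://www.freebsd.org/
}

case "${1:-}" in
    up)    jail_net_up ;;
    check) jail_net_check ;;
    rc)    rc_conf_lines ;;
    *)     : ;;            # no action given: only define the functions
esac
```

Run it as `sh jailnet.sh rc` to see the rc.conf lines, `sh jailnet.sh up` on the host to apply them live, then `sh jailnet.sh check` to confirm a jailed fetch succeeds; the same jail invocation with /usr/bin/ssh in place of fetch exercises the ssh path.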