problems with jail
Jim Stapleton
stapleton.41 at gmail.com
Sat Feb 24 13:05:51 UTC 2007
OK, I managed to get it so something else wasn't grabbing *.*, dunno
what made that happen. What you said made me think "Hey, there was
something in the man pages about starting services", I figured I ought
to test that out. So I did:
Pre-Jail process/netstat:
root at elrond 07:52:14 (0) /usr/ports > ps -A | grep syslog
2952 ?? Ss 0:00.08 /usr/sbin/syslogd -b 192.168.1.84
root at elrond 07:52:17 (0) /usr/ports > ps -A | grep send
5489 p2 S+ 0:00.00 grep send
root at elrond 07:52:25 (0) /usr/ports > ps -A | grep name
root at elrond 07:52:29 (0) /usr/ports > ps -A | grep inet
root at elrond 07:52:31 (0) /usr/ports > ps -A | grep ssh
2474 ?? Is 0:00.01 /usr/sbin/sshd
5498 p2 R+ 0:00.00 grep ssh
sjss at elrond 07:51:08 (0) ~ > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.84.53971 nz-in-f83.google.http ESTABLISHED
tcp4 0 0 192.168.1.84.57400 oam-d17a.blue.ao.aol ESTABLISHED
tcp4 0 0 192.168.1.84.56522 205.188.7.124.aol ESTABLISHED
tcp4 0 0 192.168.1.84.50267 py-in-f83.google.http ESTABLISHED
tcp4 0 0 192.168.1.84.ssh *.* LISTEN
tcp4 0 0 192.168.1.84.53732 ar-in-f83.google.http ESTABLISHED
udp4 0 0 192.168.1.84.syslog *.*
starting jail
root at elrond 07:52:50 (0) /usr/ports > jail /jail/
legolas at ameritech.net 192.168.1.85 /bin/sh /etc/rc
Loading configuration files.
legolas at ameritech.net
Setting hostname: legolas at ameritech.net.
Creating and/or trimming log files:.
ln: /dev/log: Operation not permitted
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Clearing /tmp (X related).
Starting local daemons:.
Updating motd.
Starting sshd.
Starting cron.
Local package initialization:.
Sat Feb 24 07:54:40 UTC 2007
Jailed port/binding list:
sjss at elrond 07:54:05 (0) ~ > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.85.smtp *.* LISTEN
tcp4 0 0 192.168.1.85.ssh *.* LISTEN
tcp4 0 0 192.168.1.84.58735 nz-in-f83.google.http ESTABLISHED
tcp4 0 0 192.168.1.84.57400 oam-d17a.blue.ao.aol ESTABLISHED
tcp4 0 0 192.168.1.84.56522 205.188.7.124.aol ESTABLISHED
tcp4 0 0 192.168.1.84.50267 py-in-f83.google.http ESTABLISHED
tcp4 0 0 192.168.1.84.ssh *.* LISTEN
tcp4 0 0 192.168.1.84.53732 ar-in-f83.google.http ESTABLISHED
udp4 0 0 192.168.1.85.syslog *.*
udp4 0 0 192.168.1.84.syslog *.*
Issue not confused, but it did give me some "try this" tests.
Unfortunately I still can't connect to anything outside of the jail,
not even to the host.
SSHing into jail does not work, into host does.
root at elrond 07:54:40 (0) /usr/ports > jail /jail/ legolas 92.168.1.85 /bin/csh
%ssh -x 192.168.1.84
^C
And as a last test I should have thought of before:
root at elrond 07:59:13 (0) /usr/ports > sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
root at elrond 07:59:26 (0) /usr/ports > jail /jail/ legolas 92.168.1.85 /bin/csh
%ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
^C
--- 127.0.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
%ifconfig
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:13:d4:2e:2f:62
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
oh, and for testing purposes, I unhid everything in /jail/dev
root at elrond 08:04:20 (0) /usr/ports > devfs rule -s 666 show
100 path acd* hide
200 path ad10* hide
300 path audio* hide
400 path dsp* hide
500 path apm* hide
600 path dev* hide
700 path geom* hide
800 path kmem* hide
900 path mem* hide
1000 path nfs* hide
1100 path pci* hide
1200 path nvidia* hide
1300 path snd* hide
1400 path sysmouse* hide
1500 path ukbd0* hide
1600 path usb* hide
1700 path ums* hide
1800 path net* mode 755
1900 path ata* hide
2000 path atkbd* hide
2100 path kbd* hide
2200 path fd* hide
2300 path fid* hide
2400 path net* mode 777
2500 path show
2600 path * unhide
Still no luck. Thanks everyone for all the help, hopefully this is
enough information to indicate the problem.
-Jim Stapleton
> sockstat (referenced at the end of the netstat man page) will show you
> process names/ports.
>
> To get any given service to work inside the jail, that IP:Port must
> not be bound anywhere else, but it must be bound within the jail.
> That is, you need an sshd listening on the host machine port 22, and
> a separate sshd listening on the jail port 22. The same applies for
> every service you want to run in both machines.
>
> This can get confusing, too. It's generally best to always explicitly
> limit services by IP on the host, even if you have no intention of
> running the same service in a jail. This will prevent
> confusion--imagine that you are wanting to run a webserver on the
> host, but not the jail (for some weird reason). If apache is
> listening on all IPs that the host has, it will be listening on the
> jail IP, using the host filesystem.
>
> Hope that didn't confuse the issue or anything.
>
>
>
> On Sat, Feb 24, 2007 at 03:43:58AM +0000, Jim Stapleton wrote:
> > addendum, I fixed syslogd by adding this to my rc.conf:
> > syslogd_flags="-b 192.168.1.84"
> >
> > However, looking through netstat's man page, I couldn't find the name
> > of the flag (if it exists) that will show the process name. Does that
> > require a different tool?
> >
> > Thank you,
> > -Jim Stapleton
> >
> >
> >
> > On 2/24/07, Jim Stapleton <stapleton.41 at gmail.com> wrote:
> > >OK, I have a fairly sizeable list, but it looks like most stuff is
> > >bound to 192.168.1.84 except two things, one is closed, and the other
> > >is syslog (guess I have to look at its man page). It also looks like
> > >there is something else there. I guess I'll be looking at the netstat
> > >man page to figure out how to get the name of the daemon touching it:
> > >
> > > > netstat -f inet -a; netstat -f inet6 -a
> > >Active Internet connections (including servers)
> > >Proto Recv-Q Send-Q Local Address Foreign Address (state)
> > >tcp4 0 0 192.168.1.84.57256 ar-in-f18.google.http
> > >ESTABLISHED
> > >tcp4 0 0 192.168.1.84.62237 caim-m05b.blue.a.aol
> > >TIME_WAIT
> > >tcp4 0 0 192.168.1.84.58627 oam-d17a.blue.ao.aol
> > >TIME_WAIT
> > >tcp4 0 0 192.168.1.84.64265 205.188.7.124.aol
> > >TIME_WAIT
> > >tcp4 0 0 192.168.1.84.ssh *.* LISTEN
> > >tcp4 0 0 *.* *.* CLOSED
> > >tcp4 0 0 192.168.1.84.61774 ar-in-f19.google.http
> > >ESTABLISHED
> > >tcp4 0 0 192.168.1.84.53732 ar-in-f83.google.http
> > >ESTABLISHED
> > >udp4 0 0 *.syslog *.*
> > >Active Internet connections (including servers)
> > >Proto Recv-Q Send-Q Local Address Foreign Address (state)
> > >udp6 0 0 *.syslog *.*
> > >
> > >
> > >
> > >On 2/24/07, Harald Schmalzbauer <h.schmalzbauer at omnisec.de> wrote:
> > >> On Saturday, 24 February 2007 04:21, Jim Stapleton wrote:
> > >> > I did the ssh after you did the previous mail, but it didn't fix the
> > >> > problem.
> > >> >
> > >> > I'm not having problems with sendmail or named, they were simply mentioned
> > >> > in the man page. I never had named running, and I didn't realize
> > >> > sendmail was running. The latter was my problem with sendmail. That
> > >> > problem as I said is fixed. Beyond that I don't even know which
> > >> > processes on my system are daemons at this point, except usbd and devd,
> > >> > neither of which (to my knowledge) should be listening to any sockets.
> > >> > Actually there are a couple of kernel processes (pagedaemon, vmdaemon,
> > >> > and bufdaemon), but I don't know where to find documentation on them,
> > >> > X, and KDM. I can't find anything on limiting sockets of these to a
> > >> > specific IP only.
> > >>
> > >> To see what daemons are listening you can use 'netstat -f inet -a'. Then you
> > >> see if you have to limit some other daemons (use -f inet6 for IPv6 if
> > >> configured).
> > >>
> > >> Please post the output of the command above to see why you get ssh connections
> > >> to your jail IP answered by the host's ssh daemon.
> > >>
> > >> -Harry
> > >>
> > >> --
> > >> OmniSEC - UNIX and Windows Networks - Secure
> > >> Harald Schmalzbauer
> > >> Flintsbacher Str. 3
> > >> 80686 München
> > >> +49 (0) 89 18947781
> > >> +49 (0) 160 93860101
> > >>
> > >
>
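The quoted reply's rule (a host service bound to every IP also answers on the jail IP, so each service the jail needs must be bound to the host IP only) can be checked mechanically against `netstat -a` output. The following Python is an added example, not code from the thread or from FreeBSD; the sample lines are constructed in the same format as the output posted above, and the IPs 192.168.1.84 (host) and 192.168.1.85 (jail) are taken from the thread.

```python
from dataclasses import dataclass

# Constructed sample in the format of the netstat output quoted in the thread
# (not the thread's own output verbatim; trimmed to the lines that matter).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.84.ssh *.* LISTEN
tcp4 0 0 192.168.1.84.53732 ar-in-f83.google.http ESTABLISHED
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 192.168.1.85.smtp *.* LISTEN
udp4 0 0 *.syslog *.*
udp4 0 0 192.168.1.85.syslog *.*
"""

@dataclass(frozen=True)
class Bound:
    proto: str
    addr: str  # "*" is a wildcard bind (INADDR_ANY), i.e. every IP on the box
    port: str

def parse_bound(text):
    """Return listening TCP sockets and every bound UDP socket."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        state = f[5] if len(f) > 5 else ""
        if f[0].startswith("tcp") and state != "LISTEN":
            continue  # ESTABLISHED/CLOSED sockets are not listeners
        addr, _, port = f[3].rpartition(".")
        if port == "*":
            continue  # "*.*" is an unbound socket, nothing to check
        found.append(Bound(f[0], addr, port))
    return found

def wildcard_binds(bound):
    """Host services bound to every IP: these also answer on the jail IP."""
    return sorted((b.proto, b.port) for b in bound if b.addr == "*")

def jail_can_bind(bound, jail_ip, proto, port):
    """True if a jailed service could still take proto/port on jail_ip."""
    for b in bound:
        if b.proto == proto and b.port == port and b.addr in ("*", jail_ip):
            return False
    return True
```

Running it on real output from the host is a matter of feeding `netstat -f inet -a` through `parse_bound`; anything reported by `wildcard_binds` needs an explicit `-b`/listen-address setting on the host (as was done for syslogd in the thread) before the jail can take that port.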