Problem with jail connecting out

Nikos Vassiliadis nvass9573 at
Wed Jun 17 18:28:16 UTC 2009

Erik Norgaard wrote:
> Steve Bertrand wrote:
>> Erik Norgaard wrote:
>>> Erik Norgaard wrote:
>>>> I have no problem connecting from the host to the jail, but the other
>>>> way around doesn't work.
>>>> Also, related, how do I configure multiple interfaces in a jail?
>>> Second problem solved, starting jail with
>>>   # jail /var/jail jail, /bin/sh /etc/rc
>>> So, now I have:
>>> mtu 1500
>>>     options=2808<VLAN_MTU,WOL_UCAST,WOL_MAGIC>
>>>     ether 00:40:63:ee:97:f1
>>>     inet netmask 0xffffffff broadcast
>>>     media: Ethernet autoselect (100baseTX <full-duplex>)
>>>     status: active
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>     inet netmask 0xffffffff
>>> Now, I can connect out on vr1 to, but not on lo0 to
>>> Any suggestions what might be wrong?
>> I don't think that it is a wise idea to be using the loopback address
>> space to route packets outside of the OS, and it is even possible that
>> some implementations forbid this behaviour (don't quote me on that).
> I have read some recommendations not to use the loopback interface 
> without any real explanation, I don't see why it shouldn't work with a 
> different IP as for other interfaces - or a cloned loopback.

It's the 127/8 that is special, that is, it's treated specially by the
network stack and is dropped when coming from an interface other
than a loopback one. In general, packets coming into/leaving
the box that have a loopback source/destination address have nothing
special and can be used like any other address.

>> If you want a loopback to be a receive interface, you should clone off a
>> second one (lo1), and assign an IP address to it that was not designed
>> to be short circuited within the host, like this:
>> % grep lo10 /etc/rc.conf
>> cloned_interfaces="lo1 lo3 lo10 ...etc
>> # lo10 (IPv4 iBGP loopback, advertised by OSPF)
>> ifconfig_lo10="UP"
>> ifconfig_lo10="inet netmask"
>> From RFC 1700:
>>       (g)   {127, <any>}
>>          Internal host loopback address.  Should never appear outside
>>          a host.
> It won't. It's intended to be stricly local on the internal loopback 
> interface.
> The idea is to use the loopback interface for connecting between the 
> jail and the host while not exposing the jail to the exterior.
> Basically, I'm trying to setup a jail for my imap server to migrate my 
> mail from the existing server, a last resort clumsy way of upgrading the 
> Berkeley DB. Then a script connecting to both services can create 
> accounts, folders and copy the mail to the new service.
> The idea is that this way I could do it transparently - well, that's the 
> theory.

Your theory is correct, and it really works that way in -HEAD and 7.1R
that I have available. But, it's not working when the server is bound
specifically to and not any address. Is your server bound
to any address?

I can connect from 127.2 to 127.1:
lab# sockstat -4l
root     sshd       1386  4  tcp4   *:22                  *:*
Yet, the connection appears to be connected from 127.2 to 127.2

It doesn't work:
lab# sockstat -4l
root     sshd       1286  3  tcp4          *:*

Hm, just tested with another loopback address from the net and it doesn't have the same problem.
Could you try using something other than 127.1?
That looks like a bug...
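The check above (server bound to the wildcard address versus a specific loopback address, client connecting to 127.1 from 127.2) reproduced with plain sockets, as an added example that is not part of the thread; it assumes 127.0.0.1 and 127.0.0.2 are both configured on the loopback interface (the default 127/8) and reports the address pair the server side sees for the accepted connection, which is what sockstat was showing.

```python
import socket

# Added example, not from the thread. A listener is bound either to the
# wildcard address ("0.0.0.0", shown by sockstat as *:port) or to one
# specific loopback address; a client then connects to dst from src and we
# record the (remote, local) pair the *server* sees for the accepted
# connection. Assumes src and dst both live on the loopback interface.

def loopback_probe(bind_addr, src="127.0.0.2", dst="127.0.0.1"):
    """Return (peer_ip, local_ip) as seen by the server, or None if the
    connection was refused, the source address is unusable, or it timed out."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))          # port 0: let the kernel pick a free port
    port = srv.getsockname()[1]
    srv.listen(1)
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(2)
    conn = None
    try:
        cli.bind((src, 0))            # force the source address ("from 127.2")
        # On loopback the kernel completes the handshake before accept() is
        # called, so a single-threaded connect-then-accept is enough.
        cli.connect((dst, port))
        conn, peer = srv.accept()
        return peer[0], conn.getsockname()[0]
    except OSError:                   # ECONNREFUSED, EADDRNOTAVAIL, timeout
        return None
    finally:
        for s in (conn, cli, srv):
            if s is not None:
                s.close()

if __name__ == "__main__":
    for bind_addr in ("0.0.0.0", "127.0.0.1"):
        print(f"server bound to {bind_addr}: {loopback_probe(bind_addr)}")
```

A result of ("127.0.0.2", "127.0.0.1") means the server sees the connection from 127.2 to 127.1 as intended; None for the specifically-bound case, or a peer equal to the local address, is the symptom described in the message.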
