How to connect a jail to the web?

Fbsd8 fbsd8 at a1poweruser.com
Wed Aug 11 02:23:45 UTC 2010


Rocky Borg wrote:
> On 8/10/2010 5:02 PM, Fbsd8 wrote:
>> 1. ping is a security risk from within a jail and is disabled by 
>> design.  (read jail(8) for details). No use using a jail if the first 
>> thing you do is re-enable ping in the jail. To test for public 
>> internet connection from within a jail use dig or whois commands.
>>
> 
> There is a vast difference between testing a network connection and 
> leaving something in for live deployment. Tools like ping and traceroute 
> are for network diagnostics. You can easily run into a situation where 
> dig and whois don't work but ping/traceroute will in which case you 
> quickly realize hostnames aren't resolving in a jail (or you can find 
> out where exactly packets stopped at). Meanwhile the person using only 
> dig and whois might be spinning their wheels trying to fix problems that 
> aren't really problems. They might have created a jail and have everything 
> set up except they forgot to create an /etc/resolv.conf in the jail. 
> There is nothing wrong with allowing raw sockets to get up and running 
> and then changing it back (the jail man page states to use caution with 
> raw sockets, not a blatant "don't do it").
> 

The key verbiage here is "and then changing it back". Giving advice 
without also saying why it's disabled, or that you should disable it again 
when you have completed testing, is giving the OP the wrong info.

> 
>> 2. Using the hosts firewall to drive traffic to a jail is a sign you 
>> have your jail incorrectly configured or do not understand how jails 
>> are intended to work.
>>
> 
> If you have jails assigned to non-routable IPs (e.g. 10.0.0.2, 
> 10.0.0.3), how else would you redirect traffic coming in on your host's 
> ip:(http_port, dns_port, etc.) to the corresponding jail that handles 
> it? I've read a bunch of stuff on jails and unless I missed something 
> (which is totally possible) using a NAT that's part of a firewall seems 
> like pretty standard fare. How else would you go about it?

man 8 ifconfig

alias option

> 
> 
>> 3. Jails do not have a network stack of their own, so they can't have a 
>> firewall. The host's firewall and network stack are in control.
>>
> 
> The documentation is rather sparse since it's so new, and I personally 
> haven't used it, but FreeBSD 8 has VIMAGE (network stack virtualization).
> 
> http://wiki.freebsd.org/Image/VNETSamples
> http://bsdbased.com/2009/12/06/freebsd-8-vimage-epair-howto
> http://wiki.polymorf.fr/index.php/Howto:FreeBSD_jail_vnet

This is pretty much experimental and nothing a sane person would think 
of using in production.

Maybe in 9.0 the bugs will be worked out. Just have to wait and see.
> 
>> 4. There are 2 utilities for creating jails. Qjail the better 
>> documented of the 2, is designed for the novice which clearly you are. 
>> I strongly suggest you checkout
>> http://sourceforge.net/projects/qjail
> 
> You should probably preface this by saying you're the author of Qjail 
> and have been actively promoting it in a few places including the fbsd 
> forums. Nothing wrong with that I guess, but I still haven't been able 
> to figure out how it's any different(better?) than ezjail(which has both 
> an excellent website and man page).

If you had really read both ezjail and qjail man pages you would not be 
making this statement. They are as different as night and day. Qjail is 
written for the novice with examples and includes many functions missing 
from ezjail. Like the auto alias function that has been part of the jail 
command since day one.
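An added example, not from either poster in this thread, tying together the two points argued above: the jail gets its own address as an alias on the host interface (the "auto alias" the FreeBSD 8 rc.d/jail script performs when jail_<name>_interface is set), so services in the jail bind to that address and no firewall rdr/NAT is needed, and raw sockets are enabled only for the duration of a ping test and then switched back off. The interface name em0, the address 192.0.2.10, the jail name "www" and the root directory are assumptions for illustration; the script defaults to a dry run that only prints the ifconfig/sysctl/jexec commands, so it can be read on any system and must be run with DRY_RUN=0 on the FreeBSD host to take effect.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Illustrates giving a
# jail a host-interface alias (no NAT) and enabling raw sockets only while a
# ping test runs. Names and addresses below are assumptions.
set -eu

HOST_IF="${HOST_IF:-em0}"          # assumption: host's public NIC
JAIL_NAME="www"                    # assumption: jail name
JAIL_IP="192.0.2.10"               # assumption: documentation-range address
JAIL_ROOT="/usr/jails/www"         # assumption: jail root directory

# Dry run by default so the script can be read and tested off the FreeBSD
# host; DRY_RUN=0 actually executes ifconfig/sysctl/jexec.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# rc.conf(5) fragment for FreeBSD 8. With jail_<name>_interface set, the
# rc.d/jail script adds jail_<name>_ip as an alias on that interface when the
# jail starts and removes it when the jail stops. Daemons inside the jail
# bind to JAIL_IP directly, so the host firewall needs no rdr/NAT rule.
write_rc_fragment() {
    out="$1"
    cat > "$out" <<EOF
jail_enable="YES"
jail_list="${JAIL_NAME}"
jail_${JAIL_NAME}_rootdir="${JAIL_ROOT}"
jail_${JAIL_NAME}_hostname="${JAIL_NAME}.example.org"
jail_${JAIL_NAME}_ip="${JAIL_IP}"
jail_${JAIL_NAME}_interface="${HOST_IF}"
jail_${JAIL_NAME}_devfs_enable="YES"
EOF
}

# Manual equivalent of what the rc script does (ifconfig(8) "alias" option).
# A second address on the same subnet as the primary one needs a /32 netmask.
add_alias() {
    run ifconfig "$HOST_IF" inet "$JAIL_IP" netmask 255.255.255.255 alias
}

# Allow raw sockets only for the test: ping from inside the jail, then put
# the sysctl back to 0 whether or not the ping succeeded.
ping_test_from_jail() {
    target="$1"
    run sysctl security.jail.allow_raw_sockets=1
    status=0
    run jexec "$JAIL_NAME" ping -c 3 "$target" || status=$?
    run sysctl security.jail.allow_raw_sockets=0
    return "$status"
}

# Sanity-check a config fragment: raw sockets must not be left enabled
# permanently (matches both the jail(8) parameter spelling allow.raw_sockets
# and the sysctl security.jail.allow_raw_sockets), and the jail must get its
# address through the alias mechanism rather than some NAT arrangement.
check_rc_fragment() {
    f="$1"
    if grep -Eq 'allow[._]raw_sockets="?1' "$f"; then
        echo "raw sockets left enabled in $f" >&2
        return 1
    fi
    grep -q "^jail_${JAIL_NAME}_interface=\"${HOST_IF}\"" "$f" || return 1
    grep -q "^jail_${JAIL_NAME}_ip=\"${JAIL_IP}\"" "$f" || return 1
    return 0
}
```

On the FreeBSD host: write_rc_fragment /etc/rc.conf.d/jail (or append the fragment to /etc/rc.conf), start the jail with /etc/rc.d/jail start, then DRY_RUN=0 ping_test_from_jail <address> if hostname resolution or routing from inside the jail looks broken. The check_rc_fragment function is the review step: it fails if someone committed the "enable raw sockets" setting instead of undoing it after the test.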


