How to connect a jail to the web ?

Brice ERRANDONEA berrandonea at yahoo.fr
Wed Aug 11 15:35:19 UTC 2010 

I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache http server running inside. So, the jail 
must have a public IPv4 and access to the web.

What I'd understood of the jails' role (but I must have misunderstood) is that 
it will have a different public ip than the host, so that if a pirate manage to 
crack the server, he will only have access to the jail (the real public ip of 
the host remaining secret). Then I'm surprised to learn that such traffic will 
be routed through the host.

The jail is created. The next step now is to install the ports collection inside 
with portsnap fetch. But each time I try to run this command inside the jail 
(with jexec), I get the same answer :

Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.

This makes me think my jail is not connected to the web. To check this, I tried 
to ping various know websites. When I tried domain names, like "ping 
www.freebsd.org", this error message appears :

ping: cannot resolve www.freebsd.org : Host name lookup failure

So, I can't contact DNS servers able to translate www.freebsd.org to its ip. 
Since I know this ip, I tried : "ping 69.147.83.33". This time, the error 
message is :

ping: socket: Operation not permitted

From this, I concluded my jail was not connected to the web. Meanwhile, I've 
understood that, anyway, the ping command is forbidden inside a jail. But the 
"portsnap fetch" one is not.

It seems that the local ip given to the jail has to be an alias of an existing 
one. I'm not on a local network so I only have 2 real network interfaces : rl0 
(192.168.1.38) and the loopack lo0 (127.0.0.1).

192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail. By the way, I 
wonder which one I will be able to choose if I ever have to create a second 
jail. And also how the computer knows which data is for the jail and which one 
is for the loopback.

I also added the line "net.inet.ip.forwarding=1" to sysctl.conf (on the host). 
And here is the rc.conf of my jail :

devfs_system_ruleset="devfsrules_jail"
network_interfaces=""
sshd_enable="YES"
sendmail_enable="NO"
rpcbind_enable="NO"

Despite the sshd_enable="YES" line, I can't ssh from the host to the jail. Well, 
I can... The first time I did it, I was asked if I wanted to add the jail to the 
list of known hosts. I did it. No problem there. But, immediatly after that, 
instead of displaying "login :", the system displayed "passwd :". And none of 
the passwords I had set with sysinstall (for the root and the common user) were 
accepted. That's why I can only run commands inside the jail running jexec. It's 
not that big problem for the moment but one purpose of the jail is also (I 
believe) to ssh into them from a distant computer without accessing to the host.

It was not clear after the various answers I received if I had to use a firewall 
or not so I tried both ways.

Without the firewall, the rc.conf of my host is :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"       (yes, I'm french)
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"

jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0"        (I also tried rl0 here)
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"

gateway_enable="YES"
router_enable="YES"

Since I've added this last line (router_enable="YES"), I have to press Enter at 
the end of the bootup process to obtain the "login :". Again, it's not a big 
problem but nonetheless a strange one.

With this configuration, portsnap fetch continues to give me the same error 
message I told before.

With the firewall (pf), now, the rc.conf of my host becomes :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"

jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0"
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"

gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

And here's the /etc/pf.conf :

ext_if="rl0"
int_if="rl0"

Same result for portsnap fetch.


A lot of questions, isn't it. I guess I must have made a lot of mistakes. But I 
can't believe I'm the first one who tries to install a web server in a jail. 
This must be a well known process.

Thanks to those who helped me and to those who will !

Good evening

Brice




________________________________
De : Roland Smith <rsmith at xs4all.nl>
À : Brice ERRANDONEA <berrandonea at yahoo.fr>
Envoyé le : Mer 11 août 2010, 13h 23min 34s
Objet : Re: Re : Re : How to connect a jail to the web ?

On Wed, Aug 11, 2010 at 11:07:59AM +0000, Brice ERRANDONEA wrote:

>  OK, I'll try this. And, as you suggested, I switch my jail's IP to
>  192.168.1.1. Why do you use age0 as ext_if and not rl0 ?

Because rl(4) is just not the best quality network chip. It's really windows
quality hardware. The age(4) is on the motherboard, and I couldn't find a
fxp(4) or em(4) based network card.

>  Here's my ifconfig. Which interfaces should I use for ext_if in pf.conf ?
> 
>  rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>          options=8<VLAN_MTU>
>          ether 00:11:09:15:72:6a
>          inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>          media: Ethernet autoselect (100baseTX <full-duplex>)
>          status: active

In your case, the above rl0 is the only _real_ network chip. As you can see
from the "UP" flag, only rl0 and lo0 are actually active (and the loopback
interface is always there). They also are the only ones that have an actual IP
address.

If you don't want to run a firewall, you can alternatively add
'router_enable="YES"' to /etc/rc.conf. This will start the routed(8) daemon
which by default forwards packets between interfaces.

>  fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>          options=8<VLAN_MTU>
>          ether 02:11:06:99:8a:ff
>          ch 1 dma -1
>  fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>          lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
>  plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
>  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>          options=3<RXCSUM,TXCSUM>
>          inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>          inet6 ::1 prefixlen 128
>          inet 127.0.0.1 netmask 0xff000000
>          nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

You could alias your jail to lo0.

Roland
-- 
R.F.Smith                                  http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

More information about the freebsd-questions mailing list