How to connect a jail to the web?

Oliver Fromme olli at lurza.secnetix.de
Wed Aug 11 16:46:38 UTC 2010


Brice ERRANDONEA <berrandonea at yahoo.fr> wrote:
 > I tried all of this without any result. But I won't give up.
 > 
 > What I want is a jail with an Apache http server running inside.
 > So, the jail must have a public IPv4 and access to the web.

Not necessarily.  Of course, the jail _can_ have a public
IP address.  This will make things easier.

But some people prefer to give their jails private addresses
or even aliases on lo0 (e.g. 127.0.0.2).  In order to access
such a jail from the outside, the host has to forward packets
from and to the private address.  This can be done with IPFW
"fwd" rules, for example.

 > What I'd understood of the jails' role (but I must have
 > misunderstood) is that it will have a different public ip than the
 > host, so that if a pirate manage to crack the server, he will only
 > have access to the jail (the real public ip of the host remaining
 > secret).

Yes, it has advantages to give a jail its own IP address,
but it's not strictly necessary.  The IP address can be
shared with the host and with other IP addresses if you
prefer.

It's also possible to give the jail the host's IP address
during installation, so things like portsnap, pkg_add -r
and similar will run without trouble, and then switch the
jail to its final IP address.

 > Then I'm surprised to learn that such traffic will be routed
 > through the host.

Routing happens globally (unless you use VIMAGE and/or
multiple FIBs, but let's forget about these for now
because they make things even more complicated, and
you probably don't need them).  By default there is only
one routing table inside the kernel, through which all
packets go.  So, packets from your jails go through the
same routing table as packets from your host.

 > The jail is created. The next step now is to install the ports
 > collection inside with portsnap fetch. But each time I try to run
 > this command inside the jail (with jexec), I get the same answer :
 >
 > Looking up portsnap.FreeBSD.org mirrors... none found.  Fetching
 > public key from portsnap.FreeBSD.org... failed.  No mirrors
 > remaining, giving up.
 >
 > This makes me think my jail is not connected to the web.

This has nothing to do with the web.  Maybe you confuse
web and internet or network?

Obviously your jail cannot do DNS lookups, i.e. it cannot
resolve host names.

 > So, I can't contact DNS servers able to translate www.freebsd.org to
 > its ip.  Since I know this ip, I tried : "ping 69.147.83.33". This
 > time, the error message is :
 >
 > ping: socket: Operation not permitted

ping(1) uses raw sockets in order to be able to send and
receive ICMP packets.  By default, raw sockets are disallowed
in jails.  To change that, use this command on the host:

sysctl security.jail.allow_raw_sockets=1

Add an entry to /etc/sysctl.conf so the setting will survive
reboots.

 > It seems that the local ip given to the jail has to be an alias
 > of an existing one.

No, it must simply be an existing address, i.e. it must be
configured on one of your interfaces (whether alias or not).

 > I'm not on a local network so I only have 2
 > real network interfaces : rl0 (192.168.1.38) and the loopback lo0
 > (127.0.0.1).

So you can use one of those two addresses, or you can add
aliases (e.g. 192.168.1.39) and then use that one.

Of course you can only use addresses that you "own" and
that will work on your network.  If addresses are assigned
to you by an ISP or administrator, then you can only use
those.

 > 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

Well, localnet addresses are not routed.  If you give your
jail a localnet address, it won't be able to access the
network outside of the host.  (Unless you take measures
to rewrite/translate the addresses and forward them.)
That's why DNS and portsnap don't work.

I suggest using the address 192.168.1.38 for the jail,
at least during installation.  Make sure that the file
/etc/resolv.conf inside the jail is correct, so DNS will
work.  Copying it from the host should be sufficient.

By the way, you don't have to build ports inside the jail.
Of course you *can* do that, but there are other ways, too.
For example, you could build packages (apache etc.) on
the host, or in a different jail, or even on a different
machine, and then use pkg_add(8) inside your jail to
install them.

 > By the way, I wonder which one I will be able to choose if I ever
 > have to create a second jail.

Multiple jails can share the same address if required.

 > And also how the computer knows which data is for the jail and which
 > one is for the loopback.

Services (such as apache) listen on certain ports for
connections.  For example, the default port for the HTTP
protocol is 80.  So, when someone is trying to open a
connection to your IP address on port 80, your kernel
looks it up in its table of listening TCP sockets and
finds the apache process which is running inside the jail.
So the connection is handed to the jail.

(This is a bit oversimplifying, but basically that's how
it works.)

 > I also added the line "net.inet.ip.forwarding=1" to sysctl.conf
 > (on the host).

You don't need that one.  It's only required when your
machine should act as a router, i.e. forward packets to
other hosts.

 > Despite the sshd_enable="YES" line, I can't ssh from the host to the
 > jail. Well, I can... The first time I did it, I was asked if I wanted
 > to add the jail to the list of known hosts. I did it. No problem
 > there. But, immediately after that, instead of displaying "login :",
 > the system displayed "passwd :".

That's normal. ssh never asks for the login.  You can use the -l
option if you need to specify a different user name (or put it in your
~/.ssh/config).

 > And none of the passwords I had set with sysinstall (for the root and
 > the common user) were accepted.

Are you sure that those passwords are set *inside* the jail?
You can go into the jail with jexec (or even chroot) and
then set a new password.

 > It's not that big problem for the moment but one purpose of the jail
 > is also (I believe) to ssh into them from a distant computer without
 > accessing to the host.

That's not a good idea.  ssh access should not be open to
the public.  It's better to log into the host first, then
log into the jail from there.

Some paranoid people have a special "login jail".  They
ssh into the login jail, then log into the host or into
other jails from there.  The host accepts ssh only from
localhost.  But please forget this immediately; we don't
want to make things more complicated than necessary.

 > It was not clear after the various answers I received if I had to use
 > a firewall or not so I tried both ways.

If you're just starting with jails, it's better not to use
a firewall for the jail.  First get the jail running.
When it's running, you can think about adding firewall
rules to make it more secure.

A firewall is *not* required to get jails working.

 > gateway_enable="YES"
 > router_enable="YES"

Remove both.  You don't need either of those.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"Above all, they contribute to the genetic diversity in the
operating system pool.  Which is a good thing."
  -- Ruben van Staveren, on the question which BSD OS is the best one.
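The checks Oliver walks through in this reply (is the jail's address actually configured on an interface, is it a loopback address that the host will never route, does the jail's resolv.conf name a DNS server, is security.jail.allow_raw_sockets switched on) can be scripted as a small pre-flight test. The script below is an added example, not code from the thread or from FreeBSD; every function takes command output as a string argument, so here it runs offline against constructed ifconfig, resolv.conf and sysctl text that mirrors the interfaces named above, and on a live host you would pass it the output of `ifconfig -a`, the jail's /etc/resolv.conf and `sysctl security.jail.allow_raw_sockets` instead (the "name: value" sysctl output format is the real one).

```shell
#!/bin/sh
# Pre-flight checks for jail networking (added example, not from the thread).
# Each function takes command output as a string, so on a real host you can run e.g.
#   check_jail_ip 192.168.1.39 "$(ifconfig -a)"
#   resolv_has_nameserver "$(jexec <jid> cat /etc/resolv.conf)"
#   raw_sockets_allowed "$(sysctl security.jail.allow_raw_sockets)"

# Constructed `ifconfig -a` output: the two interfaces from the thread plus one alias.
SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.39 netmask 0xffffffff broadcast 192.168.1.39
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Constructed resolv.conf contents: one usable, one with only a comment.
SAMPLE_RESOLV_OK='# constructed sample
nameserver 192.168.1.1'
SAMPLE_RESOLV_EMPTY='# constructed sample, no nameserver line'

# addr_configured ADDR IFCONFIG_TEXT: succeeds if ADDR is an inet address on some interface.
addr_configured() {
    printf '%s\n' "$2" | awk -v a="$1" '$1 == "inet" && $2 == a { found = 1 } END { exit found ? 0 : 1 }'
}

# addr_is_loopback ADDR: succeeds for 127.0.0.0/8, which is never routed off the host.
addr_is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# resolv_has_nameserver TEXT: succeeds if at least one uncommented nameserver line exists.
resolv_has_nameserver() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && NF >= 2 { n++ } END { exit n ? 0 : 1 }'
}

# raw_sockets_allowed SYSCTL_TEXT: parses "security.jail.allow_raw_sockets: 1" style output.
raw_sockets_allowed() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "security.jail.allow_raw_sockets" && $2 == "1" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# check_jail_ip ADDR IFCONFIG_TEXT: prints a verdict.
# Returns 0 if usable for outbound access, 1 if not configured anywhere, 2 if loopback-only.
check_jail_ip() {
    if ! addr_configured "$1" "$2"; then
        echo "$1: not configured on any interface; add it as an alias first"
        return 1
    fi
    if addr_is_loopback "$1"; then
        echo "$1: loopback address, not routed off the host; DNS and portsnap will fail without fwd/NAT rules"
        return 2
    fi
    echo "$1: configured and routable"
    return 0
}

# Demo run against the constructed samples.
check_jail_ip 192.168.1.38 "$SAMPLE_IFCONFIG"
check_jail_ip 127.0.0.1    "$SAMPLE_IFCONFIG"
check_jail_ip 192.168.1.40 "$SAMPLE_IFCONFIG"
resolv_has_nameserver "$SAMPLE_RESOLV_OK" && echo "resolv.conf: nameserver present" || echo "resolv.conf: no nameserver, copy the host's"
raw_sockets_allowed "security.jail.allow_raw_sockets: 0" || echo "raw sockets disabled in jails; ping will fail until the sysctl is set to 1"
```

The return codes are deliberately distinct so the script can be dropped into a jail start-up routine: 1 means the address still has to be aliased onto an interface, 2 means the address exists but, exactly as described above, will need IPFW fwd or NAT before anything outside the host can be reached.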

