How to connect a jail to the web ?

Brice ERRANDONEA berrandonea at
Wed Aug 11 18:24:55 UTC 2010

Thank you very much for your answer. It helped me understand some elements. But 
portsnap still doesn't work.

>> So, I can't contact DNS servers able to translate to
>> its ip.  Since I know this ip, I tried : "ping". This
>> time, the error message is :
>> ping: socket: Operation not permitted

>ping(1) uses raw sockets in order to be able to send and
>receive ICMP packets.  By default, raw sockets are disallowed
>in jails.  To change that, use this command on the host:

>sysctl security.jail.allow_raw_sockets=1

>Add an entry to /etc/sysctl.conf so the setting will survive

I did it but ping still doesn't work.

>> is the host's ip so I use for the jail.

>Well, localnet addresses are not routed.  If you give your
>jail a localnet address, it won't be able to access the
>network outside of the host.  (Unless you take measures
>to rewrite/translate the addresses and forward them.)
>That's why DNS and portsnap don't work.

>I suggest using the address for the jail,
>at least during installation.  Make sure that the file
>/etc/resolv.conf inside the jail is correct, so DNS will
>work.  Copying it from the host should be sufficient.

Isn't a localnet address too ? Do you mean I should use the public 
ip of my computer here  ?

> By the way, you don't have to build ports inside the jail.
> Of course you *can* do that, but there are other ways, too.
> For example, you could build packages (apache etc.) on
> the host, or in a different jail, or even on a different
> machine, and then use pkg_add(8) inside your jail to
> install them.

I prefer doing it that way. I will use apache later so I will have to connect the 
jail to the internet anyway.

>> And also how the computer knows which data is for the jail and which
>> one is for the loopback.

>Services (such as apache) listen on certain ports for
>connections.  For example, the default port for the HTTP
>protocol is 80.  So, when someone is trying to open a
>connection to your IP address on port 80, your kernel
>looks it up in its table of listening TCP sockets and
>finds the apache process which is running inside the jail.
>So the connection is handed to the jail.

>(This is a bit oversimplifying, but basically that's how
>it works.)

OK. This is clear. And it explains how multiple jails can share the same 

>> Despite the sshd_enable="YES" line, I can't ssh from the host to the
>> jail. Well, I can... The first time I did it, I was asked if I wanted
>> to add the jail to the list of known hosts. I did it. No problem
>> there. But, immediately after that, instead of displaying "login :",
>> the system displayed "passwd :".

>That's normal. ssh never asks for the login.  You can use the -l
>option if you need to specify a different user name (or put it in your

Of course. I'm losing my mind with all that jail trouble. It works perfectly 
well with the -l option.

> Some paranoid people have a special "login jail".   They
> ssh into the login jail, then log into the host or into
> other jails from there.  The host accepts ssh only from
> localhost.  But please forget this immediately; we don't
> want to make things more complicated than necessary.

I thought it was intended to be impossible to access the host from the jail. But 
you're right : I'll forget that.

So, we're progressing. But the problem is not over yet. Any other idea ?

Have a good evening, anyway.
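Two small checks that follow from the reply quoted above, written here as an added example rather than anything posted in the thread. The first classifies an IPv4 address as loopback, RFC 1918 private, or public, which is the distinction behind "localnet addresses are not routed": a jail bound to a loopback or private address cannot reach DNS or portsnap servers unless the host translates and forwards for it. The second checks whether `security.jail.allow_raw_sockets=1` is actually present, uncommented, in a sysctl.conf, so the ping fix survives a reboot. All addresses and file contents are constructed samples; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: two checks a FreeBSD admin might run
# while debugging the jail networking problem discussed above.
# All addresses and file contents below are constructed samples.

# classify_addr IPV4
# Prints "loopback" (127/8), "private" (RFC 1918), "public" or "invalid".
# Loopback/private ("localnet") addresses are not routed beyond the host,
# so a jail bound to one cannot reach DNS or portsnap servers unless the
# host NATs for it; a public address is routable as-is.
classify_addr() {
    old_ifs=$IFS
    IFS=.
    set -f               # no pathname expansion while splitting
    set -- $1            # split on dots into positional parameters
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if [ "$1" -eq 127 ]; then
        echo loopback
    elif [ "$1" -eq 10 ]; then
        echo private
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then
        echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then
        echo private
    else
        echo public
    fi
}

# raw_sockets_persisted < sysctl.conf
# Succeeds when the input carries an uncommented
# security.jail.allow_raw_sockets=1 line, i.e. the live sysctl change
# from the thread will be re-applied at boot.
# On a real host: raw_sockets_persisted < /etc/sysctl.conf
raw_sockets_persisted() {
    grep -Eq '^[[:space:]]*security\.jail\.allow_raw_sockets[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Constructed sample sysctl.conf contents (not taken from any real host).
SYSCTL_OK='# constructed sample: setting persisted
security.jail.allow_raw_sockets=1'
SYSCTL_MISSING='# constructed sample: setting applied live only, line left commented out
#security.jail.allow_raw_sockets=1'

# Demo on constructed addresses; 203.0.113.7 is from the documentation range.
for a in 127.0.0.1 10.0.0.5 172.20.1.1 192.168.1.10 203.0.113.7 1.2.3; do
    printf '%-16s %s\n' "$a" "$(classify_addr "$a")"
done
if printf '%s\n' "$SYSCTL_OK" | raw_sockets_persisted; then
    echo "sample 1: allow_raw_sockets persisted in sysctl.conf"
fi
if ! printf '%s\n' "$SYSCTL_MISSING" | raw_sockets_persisted; then
    echo "sample 2: allow_raw_sockets NOT persisted (ping breaks again after reboot)"
fi
```

Run it with `sh` on the host; to check the real file, redirect `/etc/sysctl.conf` into `raw_sockets_persisted`. Note that the regex deliberately ignores commented-out lines, which is the usual way this setting is "present" in a file yet silently not applied.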