How to connect a jail to the web?

Oliver Fromme olli at
Wed Aug 11 20:55:29 UTC 2010

Brice ERRANDONEA <berrandonea at> wrote:
 > Oliver Fromme wrote:
 > > sysctl security.jail.allow_raw_sockets=1
 > I did it but ping still doesn't work.

Which IP address are you using for the jail now?

If you're using, you can only ping the host's
own IP addresses, because packets with a localnet IP
never leave a machine.

If you're using the "real" address ( for
the jail, then you should be able to ping all addresses
that you can ping from the host.  I just did a quick
test on my machine; it has the IP address
(which is being translated with NAT on my router, but
that doesn't matter):

HOST# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
HOST# jail / testjail /bin/sh -E
# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=54 time=31.196 ms
64 bytes from icmp_seq=1 ttl=54 time=25.553 ms
64 bytes from icmp_seq=2 ttl=54 time=27.086 ms

 > > > is the host's IP so I use for the jail.
 > > Well, localnet addresses are not routed.  If you give your
 > > jail a localnet address, it won't be able to access the
 > > network outside of the host.  (Unless you take measures
 > > to rewrite/translate the addresses and forward them.)
 > > That's why DNS and portsnap don't work.
 > > I suggest using the address for the jail,
 > > at least during installation.  Make sure that the file
 > > /etc/resolv.conf inside the jail is correct, so DNS will
 > > work.  Copying it from the host should be sufficient.
 > Isn't a localnet address too?

It's a private address (RFC 1918).  I assume that you've got
a NAT router that translates it to a public IP address.

 > Do you mean I should use the public IP of my computer here?

Do you have one?  So far you only mentioned

 > I thought it was intended to be impossible to access the host from the jail.

It depends on what you want to do with the jail.  Jails can
be used for vastly different purposes.

 > But you're right: I'll forget that.

Good.  :-)

Best regards

Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registergericht Muenchen, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Registergericht
München, HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:

"Clear perl code is better than unclear awk code; but NOTHING
comes close to unclear perl code"  (taken from comp.lang.awk FAQ)
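The two checks the reply above boils down to, namely "is the jail's address loopback, RFC 1918 private or public" and "does the jail's /etc/resolv.conf name a resolver", as an added POSIX sh example. This is not code from the thread or from FreeBSD; the function names (classify_ipv4, resolv_ok, raw_sockets_enabled, jail_net_report), the constructed jail root under mktemp and the sample nameserver address are all assumptions made for the example. The sysctl name security.jail.allow_raw_sockets is the one from the thread and only exists on FreeBSD, so that check reports "cannot read" elsewhere.

```shell
#!/bin/sh
# Added example: sanity-check a jail's network setup before starting it.
# All function names and the sample data below are constructed for this example.

# classify_ipv4 ADDR -> prints invalid | loopback | private | public
#   loopback (127/8): packets never leave the host, so the jail can only
#                     ping the host's own addresses
#   private  (RFC 1918): reachable on the LAN; reaches the Internet only via NAT
#   public   : routable as-is
classify_ipv4() {
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    # Exactly four fields, each a number 0-255.
    [ -n "$d" ] && [ -z "$extra" ] || { echo invalid; return 1; }
    for o in "$a" "$b" "$c" "$d"; do
        case $o in
            ''|*[!0-9]*) echo invalid; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    if [ "$a" -eq 127 ]; then
        echo loopback
    elif [ "$a" -eq 10 ]; then
        echo private                      # 10.0.0.0/8
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then
        echo private                      # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then
        echo private                      # 192.168.0.0/16
    else
        echo public
    fi
}

# resolv_ok JAILROOT -> 0 if JAILROOT/etc/resolv.conf names at least one
# nameserver (the thread's advice: copy the host's file in), 1 otherwise.
resolv_ok() {
    f="$1/etc/resolv.conf"
    [ -r "$f" ] && grep -Eq '^[[:space:]]*nameserver[[:space:]]+[0-9.]+' "$f"
}

# raw_sockets_enabled -> 0 if the FreeBSD sysctl from the thread reads 1,
# 1 if it reads 0 or cannot be read on this host (ping in a jail needs it).
raw_sockets_enabled() {
    v=$(sysctl -n security.jail.allow_raw_sockets 2>/dev/null) || {
        echo "security.jail.allow_raw_sockets: cannot read (not a FreeBSD host?)"
        return 1
    }
    echo "security.jail.allow_raw_sockets: $v"
    [ "$v" = 1 ]
}

# jail_net_report ADDR JAILROOT -> prints a verdict per check; returns 0 when
# the jail can reach the outside (via NAT for a private address) and resolve
# names, 1 when something in the thread's checklist is missing.
jail_net_report() {
    kind=$(classify_ipv4 "$1") || { echo "$1: not a valid IPv4 address"; return 1; }
    rc=0
    case $kind in
        loopback) echo "$1: loopback; jail can only reach the host's own addresses"; rc=1 ;;
        private)  echo "$1: RFC 1918 private; reaches the Internet only through NAT" ;;
        public)   echo "$1: public; routable without translation" ;;
    esac
    if resolv_ok "$2"; then
        echo "$2/etc/resolv.conf: names a resolver"
    else
        echo "$2/etc/resolv.conf: missing or has no nameserver (copy the host's file in)"
        rc=1
    fi
    return $rc
}

# Stand-alone demo on a constructed jail root (use the directory you pass to
# jail(8) when checking a real jail).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
echo "nameserver 192.168.1.1" > "$demo_root/etc/resolv.conf"   # constructed sample
jail_net_report 127.0.0.1    "$demo_root"
jail_net_report 192.168.1.20 "$demo_root"
raw_sockets_enabled
rm -rf "$demo_root"
```

Run it as `sh check_jail_net.sh`; the demo prints a failing verdict for the loopback address and a passing one for the private address, which is exactly the difference the reply draws between the two choices.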
