How to connect a jail to the web?

Oliver Fromme olli at lurza.secnetix.de
Wed Aug 11 20:55:29 UTC 2010


Brice ERRANDONEA <berrandonea at yahoo.fr> wrote:
 > Oliver Fromme wrote:
 > > sysctl security.jail.allow_raw_sockets=1
 > 
 > I did it but ping still doesn't work.

Which IP address are you using for the jail now?

If you're using 127.0.0.1, you can only ping the host's
own IP addresses, because packets with a localnet IP
never leave a machine.

If you're using the "real" address (192.168.1.38) for
the jail, then you should be able to ping all addresses
that you can ping from the host.  I just did a quick
test on my machine; it has the IP address 172.20.0.2
(which is being translated with NAT on my router, but
that doesn't matter):

HOST# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
HOST# jail / testjail 172.20.0.2 /bin/sh -E
# ping www.google.com
PING www.l.google.com (66.102.13.105): 56 data bytes
64 bytes from 66.102.13.105: icmp_seq=0 ttl=54 time=31.196 ms
64 bytes from 66.102.13.105: icmp_seq=1 ttl=54 time=25.553 ms
64 bytes from 66.102.13.105: icmp_seq=2 ttl=54 time=27.086 ms

 > > > 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
 > 
 > > Well, localnet addresses are not routed.  If you give your
 > > jail a localnet address, it won't be able to access the
 > > network outside of the host.  (Unless you take measures
 > > to rewrite/translate the addresses and forward them.)
 > > That's why DNS and portsnap don't work.
 > 
 > > I suggest using the address 192.168.1.38 for the jail,
 > > at least during installation.  Make sure that the file
 > > /etc/resolv.conf inside the jail is correct, so DNS will
 > > work.  Copying it from the host should be sufficient.
 > 
 > Isn't 192.168.1.38 a localnet address too?

It's a private address (RFC 1918).  I assume that you've got
a NAT router that translates it to a public IP address.

 > Do you mean I should use the public ip of my computer here?

Do you have one?  So far you only mentioned 192.168.1.38.

 > I thought it was intended to be impossible to access the host from the jail.

It depends on what you want to do with the jail.  Jails can
be used for vastly different purposes.

 > But you're right: I'll forget that.

Good.  :-)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

"Clear perl code is better than unclear awk code; but NOTHING
comes close to unclear perl code"  (taken from comp.lang.awk FAQ)
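As an added example (not part of the thread above), here is a small Python pre-flight check that encodes Oliver's diagnosis: a loopback address never leaves the host, the jail address must actually be configured on a host interface, `security.jail.allow_raw_sockets` must be 1 for ping, and the jail's `/etc/resolv.conf` needs a nameserver for DNS. The `ifconfig` output and resolv.conf contents are constructed samples; only the 192.168.1.38 address comes from the thread.

```python
import ipaddress
import re

# Constructed sample of the host's `ifconfig` output (assumption: one LAN
# interface carrying the 192.168.1.38 address mentioned in the thread).
HOST_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""


def host_inet_addresses(ifconfig_text):
    """Collect the IPv4 addresses configured on the host's interfaces."""
    return set(re.findall(r"^\s*inet (\d+\.\d+\.\d+\.\d+)", ifconfig_text, re.M))


def jail_network_problems(jail_ip, ifconfig_text, allow_raw_sockets, resolv_conf):
    """Return the reasons why ping or DNS from the jail would fail (empty if none).

    jail_ip           -- the address handed to jail(8) for the jail
    ifconfig_text     -- `ifconfig` output from the host
    allow_raw_sockets -- value of the security.jail.allow_raw_sockets sysctl
    resolv_conf       -- contents of /etc/resolv.conf inside the jail
    """
    problems = []
    addr = ipaddress.ip_address(jail_ip)
    if addr.is_loopback:
        # 127.0.0.0/8 is never routed, so the jail can only reach the host itself.
        problems.append("loopback address: packets never leave the host")
    elif jail_ip not in host_inet_addresses(ifconfig_text):
        # A private (RFC 1918) address is fine as long as the host owns it
        # and a NAT router translates it; an address nobody owns is not.
        problems.append("address is not configured on any host interface")
    if allow_raw_sockets != 1:
        problems.append("security.jail.allow_raw_sockets=0: ping cannot open a raw socket")
    if not re.search(r"^\s*nameserver\s+\S+", resolv_conf, re.M):
        problems.append("no nameserver in the jail's /etc/resolv.conf: DNS will fail")
    return problems


if __name__ == "__main__":
    # The original poster's setup: loopback address, sysctl still at 0, no resolv.conf.
    for p in jail_network_problems("127.0.0.1", HOST_IFCONFIG, 0, ""):
        print("-", p)
```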

