How to connect a jail to the web?

Brice ERRANDONEA berrandonea at yahoo.fr
Thu Aug 12 08:03:13 UTC 2010


192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the 
public one. I tried both as the jail's address. With the private one, neither 
portsnap nor ping work at all.

With the public one, I get this result:


FreeBSD# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
FreeBSD# /etc/rc.d/jail onestart server
Configuring jails:.
Starting jails: MaPrison.
FreeBSD# jexec 1 portsnap fetch
jexec: jail_attach(1): Invalid argument
FreeBSD# jls
   JID  IP Address      Hostname                      Path
     2  93.0.168.242    MaPrison                      /usr/prison
FreeBSD# jexec 2 portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
FreeBSD# jexec 2 ping www.yahoo.fr
ping: cannot resolve www.yahoo.fr: Host name lookup failure
FreeBSD# jexec 2 ping 69.147.83.33
PING 69.147.83.33 (69.147.83.33): 56 data bytes

Then, nothing for a few minutes, so I used:

^C  
--- 69.147.83.33 ping statistics ---
32 packets transmitted, 0 packets received, 100.0% packet loss

Data can be sent to the net now, but it seems it can't come back.

I also tried after opening the jail the same way you do:

FreeBSD# jail /usr/prison MaPrison 93.0.168.242 /bin/sh -E
# ping 69.147.83.33
PING 69.147.83.33 (69.147.83.33): 56 data bytes
^C
--- 69.147.83.33 ping statistics ---
30 packets transmitted, 0 packets received, 100.0% packet loss
# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
#
________________________________
From: Oliver Fromme <olli at lurza.secnetix.de>
To: freebsd-questions at FreeBSD.ORG; berrandonea at yahoo.fr
Sent: Wed 11 Aug 2010, 22:55:11
Subject: Re: How to connect a jail to the web?

Brice ERRANDONEA <berrandonea at yahoo.fr> wrote:
> Oliver Fromme wrote:
> > sysctl security.jail.allow_raw_sockets=1
> 
> I did it but ping still doesn't work.

Which IP address are you using for the jail now?

If you're using 127.0.0.1, you can only ping the host's
own IP addresses, because packets with a localnet IP
never leave a machine.

If you're using the "real" address (192.168.1.38) for
the jail, then you should be able to ping all addresses
that you can ping from the host.  I just did a quick
test on my machine; it has the IP address 172.20.0.2
(which is being translated with NAT on my router, but
that doesn't matter):

HOST# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
HOST# jail / testjail 172.20.0.2 /bin/sh -E
# ping www.google.com
PING www.l.google.com (66.102.13.105): 56 data bytes
64 bytes from 66.102.13.105: icmp_seq=0 ttl=54 time=31.196 ms
64 bytes from 66.102.13.105: icmp_seq=1 ttl=54 time=25.553 ms
64 bytes from 66.102.13.105: icmp_seq=2 ttl=54 time=27.086 ms

> > > 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
> 
> > Well, localnet addresses are not routed.  If you give your
> > jail a localnet address, it won't be able to access the
> > network outside of the host.  (Unless you take measures
> > to rewrite/translate the addresses and forward them.)
> > That's why DNS and portsnap don't work.
> 
> > I suggest using the address 192.168.1.38 for the jail,
> > at least during installation.  Make sure that the file
> > /etc/resolv.conf inside the jail is correct, so DNS will
> > work.  Copying it from the host should be sufficient.
> 
> Isn't 192.168.1.38 a localnet address too?

It's a private address (RFC 1918).  I assume that you've got
a NAT router that translates it to a public IP address.

> Do you mean I should use the public ip of my computer here?

Do you have one?  So far you only mentioned 192.168.1.38.

> I thought it was intended to be impossible to access the host from the jail.

It depends on what you want to do with the jail.  Jails can
be used for vastly different purposes.

> But you're right: I'll forget that.

Good.  :-)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Register court Munich, HRA 74606,  Management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Register court München,
HRB 125758,  Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"Clear perl code is better than unclear awk code; but NOTHING
comes close to unclear perl code"  (taken from comp.lang.awk FAQ)
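An added check (written for this page, not code from either poster) that applies Oliver's reasoning before starting a jail: it classifies the candidate jail address against the addresses actually configured on the host's interfaces, and verifies that the jail's /etc/resolv.conf names a resolver. The `ifconfig` text and resolv.conf content below are constructed to match the host described in the thread.

```python
import ipaddress
import re

# Constructed sample of `ifconfig` output modelled on the thread's host:
# rl0 carries the private address 192.168.1.38, lo0 is loopback.
SAMPLE_IFCONFIG = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
"""


def host_addresses(ifconfig_text):
    """Return the set of IPv4 addresses configured on the host's interfaces."""
    found = re.findall(r"\binet (\d+\.\d+\.\d+\.\d+)", ifconfig_text)
    return {ipaddress.ip_address(a) for a in found}


def diagnose_jail_ip(jail_ip, ifconfig_text):
    """Classify a candidate jail address; returns (status, explanation)."""
    ip = ipaddress.ip_address(jail_ip)
    configured = host_addresses(ifconfig_text)
    if ip.is_loopback:
        return ("loopback",
                "packets never leave the host, so DNS and portsnap cannot work")
    if ip not in configured:
        # e.g. a public address owned by the NAT router: outbound packets
        # may go out, but nothing routes the replies back to this host.
        return ("not-on-host",
                "address is not configured on any host interface; "
                "replies cannot come back")
    if ip.is_private:
        return ("private-nat",
                "RFC 1918 host address; works through the router's NAT "
                "if the jail's /etc/resolv.conf is correct")
    return ("public", "public host address; should work directly")


def resolv_conf_ok(resolv_conf_text):
    """True if /etc/resolv.conf contains at least one nameserver line."""
    return any(line.strip().startswith("nameserver ")
               for line in resolv_conf_text.splitlines())


if __name__ == "__main__":
    for candidate in ("127.0.0.1", "93.0.168.242", "192.168.1.38"):
        print(candidate, *diagnose_jail_ip(candidate, SAMPLE_IFCONFIG))
```

Run it on the host with the real `ifconfig` output and the jail's resolv.conf to see which of the three failure modes discussed in the thread applies.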
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions