Jail with public IP alias

Frank Leonhardt frank2 at fjl.co.uk
Thu Aug 29 09:03:43 UTC 2013

On 29/08/2013 09:52, Frank Leonhardt wrote:
> On 29/08/2013 02:08, Alejandro Imass wrote:
>> On Wed, Aug 28, 2013 at 4:11 PM, Frank Leonhardt <frank2 at fjl.co.uk> 
>> wrote:
>>> On 28/08/2013 19:42, Patrick wrote:
>>>> On Wed, Aug 28, 2013 at 7:25 AM, Alejandro Imass <aimass at yabarana.com>
>>>> wrote:
>>>>> On Wed, Aug 28, 2013 at 5:42 AM, Frank Leonhardt <frank2 at fjl.co.uk>
>>>>> wrote:
>> [...]
>>> Sorry guys - I had not intention of upsetting the EzJail fan club!
>> No worries there I just think it's an awesome tool. We used plain old
>> jails before, and we even went through the "service jail" path once,
>> but EzJail is a lot more than just lightweight easy-to-use jailing.
>>> The fact remains that I've tried to recreate this problem on what 
>>> comes to a
>>> similar set-up, but without EzJail, and I can't. I've only tested it on
>>> FreeBSD 8.2 so far, and I've only tested it from INSIDE a jail. I 
>>> completely
>>> understood what you were saying about it doing weird stuff outside a 
>>> jail,
>>> but my point is that this may or may not be related.
>> Actually you can replicate it easily. Assign a number of IPs to any
>> interface but that the interface has a default route. It will always
>> use the "primary" or default IP on the other end. You can probably see
>> this effect even on a private network provided all the aliases route
>> through the same gateway. You will not be able to see this effect
>> using aliases on the loopback AFAIK.
>>> You don't say what version you're running. I can try and recreate it on
>>> another version.
>> It doesn't matter, it's a very basic network issue with aliases in
>> FreeBSD, Linux and other OSs. Look here:
>> http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour 
>> I would like to know how people deal with this on FBSD
> Okay, I'm trying here. I tried to recreate it thus:
> b1# ifconfig
> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 
> 1500
>         ether 00:21:9b:fd:30:8b
>         inet xx.yy.41.196 netmask 0xffffffc0 broadcast xx.yy.41.255
>         inet xx.yy.41.197 netmask 0xffffffff broadcast xx.yy.41.197
>         inet xx.yy.41.198 netmask 0xffffffff broadcast xx.yy.41.198
>         inet xx.yy.41.199 netmask 0xffffffff broadcast xx.yy.41.199
>         inet xx.yy.41.200 netmask 0xffffffff broadcast xx.yy.41.200
>         inet xx.yy.41.201 netmask 0xffffffff broadcast xx.yy.41.201
>         inet xx.yy.41.202 netmask 0xffffffff broadcast xx.yy.41.202
>         inet xx.yy.41.203 netmask 0xffffffff broadcast xx.yy.41.203
>         inet xx2.yy2.76.62 netmask 0xffffffc0 broadcast xx2.yy2.76.63
>         inet xx.yy.41.207 netmask 0xffffffff broadcast xx.yy.41.207
>         inet xx.yy.41.206 netmask 0xffffffff broadcast xx.yy.41.206
>         media: Ethernet autoselect (100baseTX 
> <full-duplex,flowcontrol,rxpause,txpause>)
>         status: active
> <etc...>
> Then:
>  b1# ssh -b xx.yy.41.197 b2 -l myname
> Open new session and...
>  b1# ssh -b xx.yy.41.198 b2 -l myname
> Open new session and...
>  b1# ssh -b xx.yy.41.199 b2 -l myname
> An so on....
> Then on b2:
> b2# w -n
>  9:43AM  up 803 days, 22:47, 5 users, load averages: 0.07, 0.06, 0.02
> USER             TTY      FROM              LOGIN@  IDLE WHAT
> myname p0       ns0.domainname.org.uk    9:28AM    14 -csh (csh)
> myname p1       ns1.domainname.net      9:29AM    14 -csh (csh)
> myname p5       xx.yy.41.199      9:29AM    13 -csh (csh)
> myname p6       xx.yy.41.201      9:30AM     - w -n
> myname p7       xx.yy.41.207      9:30AM    11 -csh (csh)
> The only problem I can see there is that the -n option isn't working 
> on w! I'll look in to that. The reverse lookups match the IP addressed 
> dialled in on. b2 has the same sshd bound to all IP addresses, 
> incidentally. b1 has more than one interface, but all the IP addresses 
> I used are on the same one.
> My guess, if you're not getting this, is that you're configuring the 
> aliases in a different way, so the output of ipconfig might help, even 
> if it just convinces me the netmask is correct and stops me worrying. 
> I've obviously obfuscated the first part of mine.
> Or have I misunderstood the problem?
> Regards, Frank.

P.S. Just for completeness:

b1# netstat -r
Routing tables

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            xx.yy.41.193       UGS    112374 7203472736 bge0

The default route does go through that interface.

More information about the freebsd-questions mailing list