jails, subnets and etc?

[Jeff Tipton]

Hello,

On 03/23/2014 06:11, Littlefield, Tyler wrote:
> hello all:
> I'm curious if I'm doing this right, and would like some advice from 
> someone.
> First, I created a jail with ezjails and set it's IP to 192.168.0.2, 
> then bound mysql to that address.
> The idea is that mysql can run in its own jail while not being 
> accessible to the outside world. I set the gateway (defaultrouter in 
> the jail's rc.conf) to the IP address of my machine so the system can 
> access the network.
Basically, you don't have to do that; you may do without the 
"defaultrouter" line there at all.
> This is where I run into a bit of fun: I am unable to ping/telnet to 
> 192.168.0.2 3306, and I am unable to telnet out of the jail. So, I 
> have a few questions:
By default, ping doesn't work with jails. If you want to enable it, you 
have to set the security.jail.allow_raw_sockets sysctl value to 1. But 
telnet should work without this setting.
> 1) what needs to happen on the pf side to forward ports from x.x.x.x 
> (my external-facing interface), to a specific address and port on the 
> subnet? the idea is that I will just use pf to forward ports to 
> public-facing jailed services.
Example destination NAT in pf.conf
rdr on bge0 proto tcp from any to any port 3306 -> 192.168.0.2
(where bge0 is the device name of your external interface; replace it 
with your own)
> 2) Do I need to do something special to get this subnet set up? What 
> needs to happen to get the jail and the host talking to each other?
> thanks in advance,
>
Jail and host should talk to each other without special settings. Maybe 
you have some restrictions in pf? Try to flush all rules (pfctl -Fa).
How did you set up the network interface in your host machine -- is it 
accessible to your jails?

-Jeff