Jails and networks

Norman Gray norman.gray at glasgow.ac.uk
Fri Aug 24 15:55:02 UTC 2018

Alejandro, hello.

Thanks for your further comments.

On 24 Aug 2018, at 16:10, Alejandro Imass wrote:

> Try by IP to the outside first.

I should have mentioned that I tried that, too, but

     # telnet 80
     telnet: connect to address Operation timed out
     telnet: Unable to connect to remote host

(and I can telnet to that machine -- a web server -- normally from 

> Make sure you have a resolv.conf in your jail. Copy the one from
> outside or use something like:
> nameserver

I thought of that -- my resolv.conf is sane.

>> There's something important about jail networking that I'm not
>> understanding, but I haven't a clue what it is.  Most frustrating.
> It usually works pretty much automatic, especially with ezjail.

That's the very strong impression I've gleaned from elsewhere -- it 
should Just Work.  It must be that I've messed up _something_ in the 
host's networking, though it's a pretty fresh install on a machine where 
I'm experimenting only with this.  (and yes, it's installed on bare 
metal, not a VM).

I know that the jail's networking will look slightly different from the 
host's but I'm not sure in just what respect.  The routing table looks 

     # netstat -rn
     Routing tables

     Destination        Gateway            Flags     Netif Expire
                        link#3             UHS         lo0

But since none of the ezjail guides have mentioned having to adjust 
routing, even in passing, I don't _think_ that's wrong.  In any case, 
since the jail doesn't have its own networking stack, it's the host's 
routing table that matters.  Or at least I think so -- this is what I 
mean when I say that I'm suddenly doubting what I think I know about 

>> That is:
>>     # ezjail-admin onestart norman
>>     Starting jails:/etc/rc.d/jail: WARNING: /var/run/jail.norman.conf is created and used for jail norman.
>>     /etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider migrating to /etc/jail.conf.
> Yeah, I've seen that for a long time now and I've seen some discussion
> around it. Not sure it makes any real difference and has never been a
> problem for me.
> Maybe you can try the ezjail mailing list:
> https://erdgeist.org/arts/software/ezjail/#author-contact
> Dirk is usually very friendly and fast in responding. Qjail says they
> work on 11 and beyond but I've never tried it.

I think I should indeed try there.  It sounds as if this might need some 
specialised knowledge.

> There's been some
> friction over the years and I sided with Dirk and continue to use
> ezjail.

That's also very useful to know.  As with all of these things, it'd be 
interesting to know more about the grounds and nature of the split, but 
that's not always easy to find.

Best wishes,


