EZJAIL and ping on FreeBSD-11.
sysadmin at grouchysysadmin.com
Thu Feb 1 16:13:49 UTC 2018
On 02/01/2018 09:23 AM, James B. Byrne via freebsd-questions wrote:
> I have read the various 'howtos' respecting this issue and I cannot
> see where I have failed to properly follow the instructions. But
> clearly I have not done it right.
> I have set up a jail named hll124. It is configured and running. It
> can connect to the network and the Internet without issue. DNS
> resolution works fine using local_unbound.
> In /etc/sysctl.conf on the host I have this:
> # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
> # This file is read when going to multi-user and its contents piped thru
> # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for
> # Uncomment this to prevent users from seeing information about processes that
> # are being run under another UID.
> # Required for Chrome/Chromium
> # Add to allow jails to create sockets - 2018-01-31 JBB
> The host system shows this:
> $ sudo sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
> In the ezjail configuration file I have this:
> # Allow ping, traceroute and other things 2018-01-31 JBB
> export jail_hll124_allow_raw_sockets="YES"
> When I connect to the ezjail instance with ezjail-admin console and
> run ping then I see this:
> # ping 192.168.71.44
> ping: ssend socket: Operation not permitted
> What else am I missing?
You don't need to allow raw sockets globally. I'd leave it set as,
Then allow raw sockets on a per jail basis by changing the parameters in
the ezjail configuration. For example, add this to the
Stop the jail, and then start it for the setting to take effect.
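The per-jail route the reply recommends matters for more than tidiness: a jail with raw sockets can craft arbitrary IP and ICMP packets as jail root, so flipping the global sysctl hands that capability to every jail on the host instead of just the one that needs ping and traceroute. The script below is an added example, not code from the thread or from ezjail itself. It assumes ezjail 3.4.x, whose per-jail config in /usr/local/etc/ezjail/<name> carries an `export jail_<name>_parameters="..."` line that is passed straight through to jail(8), so `allow.raw_sockets=1` goes there; the `jail_<name>_allow_raw_sockets` variable the poster used is not an ezjail config key and is ignored. The audit function reads such a config file and reports which form is in effect, and the demo builds two constructed config files (the posted form and a corrected one) to show the difference; the jail name hll124 is taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ezjail per-jail config for
# the raw-socket setting. Assumes ezjail 3.4.x semantics, where only
# jail_<name>_parameters reaches jail(8); jail_<name>_allow_raw_sockets is
# not a recognised ezjail key and has no effect (assumption, see lead-in).

# raw_sockets_status FILE NAME
# Prints "parameters" when allow.raw_sockets is enabled through
# jail_NAME_parameters, "legacy-only" when only the ineffective
# jail_NAME_allow_raw_sockets variable is set, and "off" otherwise.
# Exit status is 0 only when raw sockets would actually be enabled.
raw_sockets_status() {
  file=$1
  name=$2
  # Value inside the quotes of: export jail_NAME_parameters="..."
  params=$(sed -n "s/^export jail_${name}_parameters=\"\(.*\)\"/\1/p" "$file")
  # The poster's variable, kept only so we can warn about it.
  legacy=$(sed -n "s/^export jail_${name}_allow_raw_sockets=\"\(.*\)\"/\1/p" "$file")
  # jail(8) accepts either "allow.raw_sockets=1" or the bare boolean name.
  case " $params " in
    *" allow.raw_sockets=1 "*|*" allow.raw_sockets "*)
      echo parameters
      return 0 ;;
  esac
  if [ -n "$legacy" ]; then
    echo legacy-only
    return 1
  fi
  echo off
  return 1
}

# Constructed configs for the demo; real ones live in /usr/local/etc/ezjail/.
demo() {
  d=$(mktemp -d) || return 1
  # The form from the post: sets a key ezjail never reads.
  printf '%s\n' \
    'export jail_hll124_ip="192.168.71.124"' \
    'export jail_hll124_allow_raw_sockets="YES"' \
    'export jail_hll124_parameters=""' > "$d/hll124.posted"
  # Corrected form: the parameter is handed to jail(8) for this jail only.
  printf '%s\n' \
    'export jail_hll124_ip="192.168.71.124"' \
    'export jail_hll124_parameters="allow.raw_sockets=1"' > "$d/hll124.fixed"
  for f in "$d/hll124.posted" "$d/hll124.fixed"; do
    s=$(raw_sockets_status "$f" hll124) || true
    printf '%s: %s\n' "$f" "$s"
  done
  rm -rf "$d"
  return 0
}

# On the host, after editing the real config, the change takes effect only
# when the jail is recreated, and jls shows the live value:
#   ezjail-admin stop hll124 && ezjail-admin start hll124
#   jls -j hll124 allow.raw_sockets      # expect 1 for this jail only
# The global default can stay at 0 (security.jail.allow_raw_sockets).
demo
```

The split between "legacy-only" and "off" is deliberate: a config that contains the poster's variable looks enabled to a casual `grep raw_sockets`, which is exactly the trap the thread describes, so the audit calls that case out by name rather than lumping it in with a jail that has no setting at all.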