FreeBSD 11.2-RELEASE-p9 jail ping: ssend socket: Operation not permitted
David Christensen
dpchrist at holgerdanske.com
Fri Feb 15 02:49:24 UTC 2019
freebsd-questions:
I have a FreeBSD machine:
root at beastie:~ # freebsd-version ; uname -a
11.2-RELEASE-p9
FreeBSD beastie 11.2-RELEASE-p9 FreeBSD 11.2-RELEASE-p9 #0: Tue Feb 5 15:30:36 UTC 2019 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
It has one network interface with one alias:
root at beastie:~ # grep ifconfig /etc/rc.conf
ifconfig_em0="inet 192.168.5.9 netmask 255.255.255.0"
ifconfig_em0_alias0="inet 192.168.5.8 netmask 255.255.255.255"
I have created a jail that I plan to use for Samba:
root at beastie:~ # cat /etc/jail.conf
samba {
host.hostname="samba.tracy.holgerdanske.com";
ip4.addr="192.168.5.8";
path="/jail/samba";
mount.devfs;
exec.clean;
exec.start="sh /etc/rc";
exec.stop="sh /etc/rc.shutdown";
}
I have copied resolv.conf into the jail:
root at beastie:~ # cat /jail/samba/etc/resolv.conf
search tracy.holgerdanske.com
nameserver 192.168.5.1
I have created rc.conf inside the jail:
root at beastie:~ # cat /jail/samba/etc/rc.conf
defaultrouter="192.168.5.1"
ntpd_enable="YES"
sshd_enable="YES"
I have created a dummy fstab inside the jail:
root at beastie:~ # ll /jail/samba/etc/fstab
-rw-r--r-- 1 root wheel 0 2019/02/14 16:16:13 /jail/samba/etc/fstab
I have enabled jails at host startup:
root at beastie:~ # grep jail /etc/rc.conf
jail_enable="YES"
I have enabled jail raw sockets on both the host and inside the jail:
root at beastie:~ # grep jail /etc/sysctl.conf
security.jail.allow_raw_sockets=1
root at beastie:~ # cat /jail/samba/etc/sysctl.conf | grep -v #
security.jail.allow_raw_sockets=1
When I reboot the host:
root at beastie:~ # shutdown -r now
The jail is running:
root at beastie:~ # service jail status
JID IP Address Hostname Path
samba 192.168.5.8 samba.tracy.holgerdanske.com /jail/samba
Jail raw sockets are enabled on the host:
root at beastie:~ # sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
But they are disabled in the jail:
root at samba:/ # sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 0
The jail network interfaces look good:
root at samba:/ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
	ether 54:bf:64:72:38:db
	hwaddr 54:bf:64:72:38:db
	inet 192.168.5.8 netmask 0xffffffff broadcast 192.168.5.8
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	groups: lo
But the jail cannot ping itself, the host, or any other host:
root at beastie:~ # jexec samba /bin/csh -l
root at samba:/ # ping localhost
ping: ssend socket: Operation not permitted
root at samba:/ # ping 192.168.5.9
ping: ssend socket: Operation not permitted
root at samba:/ # ping 192.168.5.1
ping: ssend socket: Operation not permitted
Suggestions?
David
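Editor's note with an added example (not part of the post above and not FreeBSD project code): the symptom in the post is the one jail(8) describes for a jail whose allow.raw_sockets parameter is off, which is the documented default for the allow.* parameters. The post itself shows that setting security.jail.allow_raw_sockets=1 on the host, and listing it again in the jail's sysctl.conf, did not change what the jail reports. The per-jail knob lives in jail.conf. The script below audits a jail.conf for that parameter, handling the bare `allow.raw_sockets;` form, the `= 0|1|true|false` form, the `allow.noraw_sockets;` negation, and a parameter placed outside any block (jail.conf's global scope). The three jail.conf texts are constructed here: the first is a copy of the post's block, the second adds the one line the jail needs, and the third shows a global grant with a hypothetical `dns` jail opting back out. The live check only runs where jls(8) exists.

```shell
#!/bin/sh
# Added example (editor's code, not from the post or the FreeBSD project).
# Audits jail.conf for the per-jail allow.raw_sockets parameter that ping(8)
# needs inside a jail. Assumptions: one jail per brace block with the jail name
# as a bare word before "{", as in the post; parameters outside any block act as
# jail.conf global defaults; the "dns" jail and the jail.conf texts are constructed.

# Constructed copy of the post's block: no allow.raw_sockets, so the jail(8) default (off) applies.
JAILCONF_ORIG='samba {
    host.hostname="samba.tracy.holgerdanske.com";
    ip4.addr="192.168.5.8";
    path="/jail/samba";
    mount.devfs;
    exec.clean;
    exec.start="sh /etc/rc";
    exec.stop="sh /etc/rc.shutdown";
}'

# Constructed: the same block with raw sockets granted to this jail only.
JAILCONF_FIXED='samba {
    host.hostname="samba.tracy.holgerdanske.com";
    ip4.addr="192.168.5.8";
    path="/jail/samba";
    allow.raw_sockets;
    mount.devfs;
    exec.clean;
    exec.start="sh /etc/rc";
    exec.stop="sh /etc/rc.shutdown";
}'

# Constructed: a global grant, with a hypothetical "dns" jail opting back out.
JAILCONF_GLOBAL='allow.raw_sockets;
samba {
    path="/jail/samba";
    ip4.addr="192.168.5.8";
}
dns {
    path="/jail/dns";
    allow.noraw_sockets;
}'

# raw_sockets_allowed CONFIG_TEXT JAIL -> prints 1 or 0, the effective setting for JAIL.
raw_sockets_allowed() {
    printf '%s\n' "$1" | awk -v jail="$2" '
        # "name {" opens a jail block; the empty key "" is the global scope.
        /^[ \t]*[^ \t{}=;#]+[ \t]*[{][ \t]*$/ {
            cur = $0; sub(/^[ \t]*/, "", cur); sub(/[ \t]*[{].*$/, "", cur); next
        }
        /^[ \t]*[}]/ { cur = ""; next }
        /^[ \t]*allow\.raw_sockets[ \t]*;/ ||
        /^[ \t]*allow\.raw_sockets[ \t]*=[ \t]*(1|true)[ \t]*;/ { v[cur] = 1 }
        /^[ \t]*allow\.noraw_sockets[ \t]*;/ ||
        /^[ \t]*allow\.raw_sockets[ \t]*=[ \t]*(0|false)[ \t]*;/ { v[cur] = 0 }
        END {
            if (jail in v) print v[jail]        # per-jail setting wins
            else if ("" in v) print v[""]       # otherwise the global scope
            else print 0                        # jail(8) default: allow.* is off
        }'
}

# live_raw_sockets JAIL -> what the running jail reports via jls(8), or "unavailable"
# off FreeBSD. To fix a running jail without a restart: jail -m name=JAIL allow.raw_sockets=1,
# and add the jail.conf line so the setting survives the next start.
live_raw_sockets() {
    if command -v jls >/dev/null 2>&1; then
        jls -j "$1" allow.raw_sockets 2>/dev/null || echo unavailable
    else
        echo unavailable
    fi
}

# Report for the three constructed configs, then the live jail if we are on the host.
for cfg in ORIG FIXED GLOBAL; do
    eval "text=\$JAILCONF_$cfg"
    printf '%-6s samba allow.raw_sockets=%s\n' "$cfg" "$(raw_sockets_allowed "$text" samba)"
done
printf 'live   samba allow.raw_sockets=%s\n' "$(live_raw_sockets samba)"
```

Grant the parameter per jail rather than in the global scope: jail(8) cautions that raw sockets let jail root configure and interact with network subsystems, so the global form is a poor fit for a host that also runs jails handed to less trusted parties. A sysctl.conf line inside the jail does nothing useful here; the parameter is set from the host.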