From: Kris Kennaway <kris@obsecurity.org>
To: John
cc: freebsd-questions@freebsd.org
Date: Tue, 17 Feb 2004 14:23:43 -0800
Subject: Re: jailed "system" needs ipv4 access
Message-ID: <20040217222342.GA23014@xor.obsecurity.org>
In-Reply-To: <20040217124951.GA43293@itconsultuk.net>

On Tue, Feb 17, 2004 at 12:49:51PM +0000, John wrote:
> Hello
>
> I made a jail for a domain I host, according to the man page for jail.
> It runs great and I can ssh and telnet on port 25 into it from the host.
>
> What I would like the root user to be able to do inside the jail is to
> ssh to other boxes and use the ports collection. I have set the
> following sysctls:
>
> jail.set_hostname_allowed=0
> jail.socket_unixiproute_only=0
>
> (the man page says:
>   Processes within jails may only access protocols in the following
>   domains: PF_LOCAL, PF_INET, and PF_ROUTE, permitting
>   them access to UNIX domain sockets, IPv4 addresses, and
>   routing sockets. To enable access to other domains, this
>   MIB variable may be set to 0.)
>
> I wanted it to access as much as possible ipv4-wise from inside the
> jail.
>
> I have set the 2nd MIB to 0 for this reason, but to no avail.
>
> Is it possible for ssh and ftp to work from inside? I want root to
> install ports from within.

Yes, that's one of the features of jail. You know that IP address you
assigned to the jail when you created it? You just need to make that
routable to your destination machine, as you would for any other IP
address (turn on IP forwarding on the machine that hosts the jail, make
sure the route table is set up correctly, etc).

Kris
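The host-side setup Kris describes, written out as an added example (it is not part of the original thread and not FreeBSD's own code). The interface fxp0, the jail address 192.0.2.10, the jail root /usr/jails/www and the hostname www.example.org are assumptions; the jail(8) invocation is the 2004-era four-argument form used in the man page John was following. With DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be reviewed before being run as root with DRY_RUN=0 on the jail host. Note that the script leaves jail.socket_unixiproute_only at its default of 1: the man page text John quoted says that value already permits PF_INET, so lowering it to 0 widens what the jail may open (other protocol domains) without doing anything for IPv4 reachability.

```shell
#!/bin/sh
# Added example: make a jail's IP address usable for outbound ssh/ftp.
# All four values below are assumptions for illustration only.
JAIL_IF=${JAIL_IF:-fxp0}
JAIL_IP=${JAIL_IP:-192.0.2.10}
JAIL_ROOT=${JAIL_ROOT:-/usr/jails/www}
JAIL_HOST=${JAIL_HOST:-www.example.org}
# Default to a dry run: print the plan instead of changing the host.
DRY_RUN=${DRY_RUN:-1}

# run CMD...: echo the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# jail_host_setup: the steps from the reply, in the order they are needed.
jail_host_setup() {
    # 1. Give the host the jail's address as an alias. A /32 netmask is
    #    what FreeBSD expects for a second address on an already-configured
    #    subnet; every socket the jail opens will bind to this address.
    run ifconfig "$JAIL_IF" alias "$JAIL_IP" netmask 255.255.255.255

    # 2. Turn on IP forwarding on the jail host, as the reply suggests,
    #    so packets to and from the jail address are passed along.
    run sysctl net.inet.ip.forwarding=1

    # 3. Keep the jail restricted to UNIX, IPv4 and routing sockets. This
    #    is the default (1); 0 only adds other domains, it does not help
    #    IPv4 reachability.
    run sysctl jail.socket_unixiproute_only=1

    # 4. Start a shell inside the jail bound to JAIL_IP (jail(8) syntax
    #    of the period: path hostname ip-number command).
    run jail "$JAIL_ROOT" "$JAIL_HOST" "$JAIL_IP" /bin/sh
}

jail_host_setup
```

The remaining condition in the reply, that the address be routable to the destination, is outside the script: the destination host (or its gateway) must have a route back to 192.0.2.10, exactly as it would for any other address on the jail host's LAN. If the jail was given an address that the rest of the network cannot route, the outbound SYN leaves but no reply ever comes back, which matches the "to no avail" symptom regardless of the sysctl values.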