Date:      Sat, 14 Aug 2010 10:02:29 +0000 (GMT)
From:      Brice ERRANDONEA <berrandonea@yahoo.fr>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re : Re : Re : How to connect a jail to the web ?
Message-ID:  <782917.75146.qm@web24605.mail.ird.yahoo.com>
In-Reply-To: <201008121552.o7CFqOIM097376@lurza.secnetix.de>
References:  <201008121552.o7CFqOIM097376@lurza.secnetix.de>


I had a break with this yesterday. I've just tried your suggestions. It still
doesn't work but the error message has changed.

>> On the host when the jail is running:
>>
>> FreeBSD# jls
>>    JID  IP Address      Hostname                      Path
>>      1  93.0.168.242    MaPrison                      /usr/prison
>> FreeBSD# ifconfig
>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>        options=8<VLAN_MTU>
>>        ether 00:11:09:15:72:6a
>>        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>>        inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>>        media: Ethernet autoselect (100baseTX <full-duplex>)

> Where did you get that second IP address from?  Did you just
> add it manually?  Or is that the address that your gateway
> (DSL router, whatever) got assigned from your ISP?

I added it manually in rc.conf (on the host):

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="93.0.168.242"

I chose it because that's my computer's public IP, at least according to this
website: http://whatismyipaddress.com/

> I assume that IP address is not really routed to your host,
> but that NAT (Network Address Translation) is used on your
> router.  So you cannot use that address on the host.
> (If that's not true, please explain the structure of your
> network in more detail.)

My network is very simple. I've got a kind of modem provided by my phone
company. It's called a "neufbox" and acts as a gateway. Its address is
192.168.1.1. This "neufbox" is connected to:

- the phone network
- a phone
- the FreeBSD computer through an ethernet wire
- two other computers via wifi

When I browse address 192.168.1.1 with Firefox, I can see a page telling that
this is the neufbox, that internet and the phone are working, that the TV is not
connected (that's true) and that its public IP address is 93.0.168.242. It also
gives its MAC address and various other info.

> So, if my assumptions are true, you must use the address
> 192.168.1.38 for your jail.

OK. In /etc/rc.conf, I changed this line (see above):
jail_server_ip="198.168.1.38"

> Make sure that DNS is working
> inside the jail ...  It should be sufficient to copy
> /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

/etc/resolv.conf only contains this single line: nameserver 192.168.1.1

I placed a copy of this file in the jail.

After these changes and a complete reboot, I launched the jail and tried a
portsnap fetch:

FreeBSD# /etc/rc.d/jail onestart server
Configuring jails:.
Starting jails: MaPrison.
FreeBSD# jls
   JID  IP Address      Hostname                      Path
     1  192.168.1.38    MaPrison                      /usr/prison
FreeBSD# jexec 1 portsnap fetch
Looking up portsnap.FreeBSD.org mirrors...
/usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1699:
internal_send: 192.168.1.1#53: Invalid argument

/usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1699:
internal_send: 192.168.1.1#53: Invalid argument

none found.

Fetching public key from portsnap.FreeBSD.org... failed.

No mirrors remaining, giving up.

FreeBSD#

Then, Firefox (on the host) was no longer able to browse. I tried this on the
host:

FreeBSD# ping www.freebsd.org
ping: cannot resolve www.freebsd.org: Host name lookup failure

In other words, it appeared that DNS was no longer working, even on the host.

I rebooted again. This time, I didn't launch the jail. ping and Firefox worked
perfectly well on the host as they always had before.

> If it still doesn't work:  Are you using any packet filter
> (ipfw, ipf, pf)?  If so, please show the complete list of
> rules.

No, I don't. You told me it was not necessary.

> Otherwise, it might help to run tcpdump(1) on the host, so
> you can see the actual packets that are transmitted and
> received.

Here's what tcpdump says when the jail is NOT running (but Firefox is):

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:08:50.300910 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 263
09:08:50.301378 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 335
09:08:50.301822 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 331
09:08:50.302275 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 311
09:08:50.302933 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 343
09:08:50.303485 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 325
09:08:50.303938 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.304383 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
09:08:51.917971 IP FreeBSD.32837 > neufbox.domain: 24447+ PTR? 38.1.168.192.in-addr.arpa. (43)
09:08:51.918870 IP neufbox.domain > FreeBSD.32837: 24447* 1/0/0 (64)
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
FreeBSD#

Then, I started the jail. Firefox immediately stopped being able to browse
websites. I tried a tcpdump on the host while running portsnap fetch in the jail:

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:43:50.334064 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:43:50.334499 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:43:50.334966 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:43:50.335402 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:43:50.335944 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:43:50.336560 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.333341 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:44:20.333807 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:44:20.334246 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:44:20.334684 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:44:20.335165 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:44:20.335603 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:44:20.336040 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.336480 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
FreeBSD#

If you compare these two tcpdumps, you can see that the word "neufbox" is
replaced by 192.168.1.1. It confirms that DNS is no longer running.

Not easy...

Brice



________________________________
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG; berrandonea@yahoo.fr
Sent: Thu 12 Aug 2010, 17:52:24
Subject: Re: Re : Re : How to connect a jail to the web ?

Brice ERRANDONEA <berrandonea@yahoo.fr> wrote:
> On the host, when the jail is not running:
>
> %ifconfig
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)

OK, so 192.168.1.38 is the only (non-localnet) IP address that
you have.  You should use that one for your jail.

> On the host when the jail is running:
>
> FreeBSD# jls
>    JID  IP Address      Hostname                      Path
>      1  93.0.168.242    MaPrison                      /usr/prison
> FreeBSD# ifconfig
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>         media: Ethernet autoselect (100baseTX <full-duplex>)

Where did you get that second IP address from?  Did you just
add it manually?  Or is that the address that your gateway
(DSL router, whatever) got assigned from your ISP?

I assume that IP address is not really routed to your host,
but that NAT (Network Address Translation) is used on your
router.  So you cannot use that address on the host.
(If that's not true, please explain the structure of your
network in more detail.)

So, if my assumptions are true, you must use the address
192.168.1.38 for your jail.  Make sure that DNS is working
inside the jail ...  It should be sufficient to copy
/etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

If it still doesn't work:  Are you using any packet filter
(ipfw, ipf, pf)?  If so, please show the complete list of
rules.

Otherwise, it might help to run tcpdump(1) on the host, so
you can see the actual packets that are transmitted and
received.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Munich district court, HRA 74606, management:
secnetix Verwaltungsgesellsch. mbH, commercial register: Munich district
court, HRB 125758, managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD services, products and more:  http://www.secnetix.de/bsd

"C++ is the only current language making COBOL look good."
        -- Bertrand Meyer
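The pre-start check a host admin would want here, written for this page as an added example rather than anything posted in the thread: it confirms that each jail_<name>_ip in rc.conf sits inside a subnet the host actually has on an interface, so it flags a NAT-side public address like 93.0.168.242 as well as a mistyped octet such as the 198.168.1.38 in the rc.conf line quoted above. The function names and the embedded rc.conf snippet are constructed; the script assumes POSIX sh with sed and tr, and takes host addresses as "inet netmask" pairs in ifconfig's notation.

```shell
#!/bin/sh
# Hypothetical pre-start check (not from the thread): each jail_<name>_ip in
# rc.conf must lie in a subnet the host really has, so a mistyped or NAT-only
# address is caught before the jail is started.

# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_host_subnet JAIL_IP "ADDR MASK"... -> 0 if JAIL_IP falls in one of the
# host's subnets; pairs are written as ifconfig prints them (hex netmask).
in_host_subnet() {
    j=$(ip_to_int "$1"); shift
    for pair in "$@"; do
        h=$(ip_to_int "${pair% *}")
        m=$(( ${pair#* } ))
        # Skip /32 aliases (e.g. one a running jail added): not a LAN.
        [ "$m" = 4294967295 ] && continue
        [ "$(( j & m ))" = "$(( h & m ))" ] && return 0
    done
    return 1
}

# Print every jail_<name>_ip value found in rc.conf-style text on stdin.
jail_ips() {
    sed -n 's/^jail_[A-Za-z0-9_]*_ip="\{0,1\}\([0-9.]*\)"\{0,1\}.*$/\1/p'
}

# check_rc_conf RC_TEXT "ADDR MASK"... -> 0 only if every jail IP passes.
check_rc_conf() {
    rc_text=$1; shift; rc=0
    for ip in $(printf '%s\n' "$rc_text" | jail_ips); do
        if in_host_subnet "$ip" "$@"; then
            echo "ok: jail IP $ip is on a host subnet"
        else
            echo "WARNING: jail IP $ip is on no subnet configured on the host"
            rc=1
        fi
    done
    return $rc
}

# Constructed input mirroring the thread (rl0 has 192.168.1.38/24).
RC_CONF='jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="198.168.1.38"'
check_rc_conf "$RC_CONF" "192.168.1.38 0xffffff00" || echo "fix rc.conf first"
```

On a live host the pairs come from the inet lines of ifconfig output and the text from /etc/rc.conf; a non-zero exit means at least one jail address would be unreachable from the LAN the host is on.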


