From owner-freebsd-questions@FreeBSD.ORG Sun Mar 23 08:16:15 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B3EC411F for ; Sun, 23 Mar 2014 08:16:15 +0000 (UTC) Received: from mout.gmx.net (mout.gmx.net [74.208.4.200]) (using TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 6410FDD7 for ; Sun, 23 Mar 2014 08:16:14 +0000 (UTC) Received: from blazon-pc.rw.local ([78.84.244.14]) by mail.gmx.com (mrgmxus001) with ESMTPSA (Nemesis) id 0MY7pW-1WevFN24IK-00Uo2y for ; Sun, 23 Mar 2014 09:16:13 +0100 Message-ID: <532E984B.3060209@mail.com> Date: Sun, 23 Mar 2014 10:16:11 +0200 From: Jeff Tipton User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 MIME-Version: 1.0 To: freebsd-questions@freebsd.org Subject: Re: jails, subnets and etc? References: <532E5F05.2040207@tysdomain.com> In-Reply-To: <532E5F05.2040207@tysdomain.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:2l6+H9VfoM20On7lZr0OYYIIVbLLIzknd4+ueQiuDXF98KnnzYv 98Zb1c9yGVB5YoD/r7uLoE1xkeN4h6NtsNf7MI4Iiq+vLD/8lDbOzPxxJp4S0SkCwBvG8uq dsZ61VjMN+of3UTfYAvOqVyYMrpIAA4WvEP+Pv5slX5eywRWWdWt6L5159WrG09VoWHLxCz LQ2co+NRyu01RWn5hQ3hA== X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Mar 2014 08:16:15 -0000 Hello, On 03/23/2014 06:11, Littlefield, Tyler wrote: > hello all: > I'm curious if I'm doing this right, and would like some advice from > someone. > First, I created a jail with ezjails and set it's IP to 192.168.0.2, > then bound mysql to that address. > The idea is that mysql can run in its own jail while not being > accessible to the outside world. I set the gateway (defaultrouter in > the jail's rc.conf) to the IP address of my machine so the system can > access the network. Basically, you don't have to do that; you may do without the "defaultrouter" line there at all. > This is where I run into a bit of fun: I am unable to ping/telnet to > 192.168.0.2 3306, and I am unable to telnet out of the jail. So, I > have a few questions: By default, ping doesn't work with jails. If you want to enable it, you have to set the security.jail.allow_raw_sockets sysctl value to 1. But telnet should work without this setting. > 1) what needs to happen on the pf side to forward ports from x.x.x.x > (my external-facing interface), to a specific address and port on the > subnet? the idea is that I will just use pf to forward ports to > public-facing jailed services. Example destination NAT in pf.conf rdr on bge0 proto tcp from any to any port 3306 -> 192.168.0.2 (where bge0 is the device name of your external interface; replace it with your own) > 2) Do I need to do something special to get this subnet set up? What > needs to happen to get the jail and the host talking to each other? > thanks in advance, > Jail and host should talk to each other without special settings. Maybe you have some restrictions in pf? Try to flush all rules (pfctl -Fa). How did you set up the network interface in your host machine -- is it accessible to your jails? -Jeff