From: Jeff Tipton
Date: Sun, 23 Mar 2014 19:58:25 +0200
To: freebsd-questions@freebsd.org
Subject: Re: jails, subnets and etc?
Message-ID: <532F20C1.20700@mail.com>
In-Reply-To: <532EF0FE.8020907@tysdomain.com>

On 03/23/2014 16:34, Littlefield, Tyler wrote:
> hello:
> On 3/23/2014 4:16 AM, Jeff Tipton wrote:
>> Hello,
>>
>> On 03/23/2014 06:11, Littlefield, Tyler wrote:
>>> hello all:
>>> I'm curious if I'm doing this right, and would like some advice from
>>> someone.
>>> First, I created a jail with ezjails and set its IP to 192.168.0.2,
>>> then bound mysql to that address.
>>> The idea is that mysql can run in its own jail while not being
>>> accessible to the outside world. I set the gateway (defaultrouter in
>>> the jail's rc.conf) to the IP address of my machine so the system
>>> can access the network.
>> Basically, you don't have to do that; you may do without the
>> "defaultrouter" line there at all.
>>> This is where I run into a bit of fun: I am unable to ping/telnet to
>>> 192.168.0.2 3306, and I am unable to telnet out of the jail. So, I
>>> have a few questions:
>> By default, ping doesn't work with jails. If you want to enable it,
>> you have to set the security.jail.allow_raw_sockets sysctl value to
>> 1. But telnet should work without this setting.
>>> 1) what needs to happen on the pf side to forward ports from x.x.x.x
>>> (my external-facing interface), to a specific address and port on
>>> the subnet? The idea is that I will just use pf to forward ports to
>>> public-facing jailed services.
>> Example destination NAT in pf.conf:
>>
>>   rdr on bge0 proto tcp from any to any port 3306 -> 192.168.0.2
>>
>> (where bge0 is the device name of your external interface; replace it
>> with your own)
>>> 2) Do I need to do something special to get this subnet set up? What
>>> needs to happen to get the jail and the host talking to each other?
>>> thanks in advance,
>>>
>> Jail and host should talk to each other without special settings.
>> Maybe you have some restrictions in pf? Try to flush all rules (pfctl
>> -Fa).
>> How did you set up the network interface in your host machine -- is
>> it accessible to your jails?
>>
> I'm sorry for all the questions, I am fairly new to BSD. The only
> configuration of rc.conf is here:
>
>   jail_enable="YES"
>   ezjail_enable="YES"
>   sshd_enable="YES"
>   pf_enable="YES"
>   ntpdate_enable="YES"
>   ntpdate_hosts="pool.ntp.org"
>   fsck_y_enable="YES"
>   named_enable="YES"
>   dumpdev="NO"
>   local_unbound_enable=yes
>   ifconfig_em0="inet 192.99.32.153 netmask 255.255.255.0 broadcast 192.99.32.255"
>   defaultrouter="192.99.32.254"
>   # IPv6 configuration
>   ipv6_enable="YES"
>   ipv6_network_interfaces="em0"
>   ifconfig_em0_ipv6="inet6 2607:5300:60:4799::1 prefixlen 64"
>   ipv6_static_routes="ovhgw"
>   ipv6_route_ovhgw="2607:5300:60:47ff:ff:ff:ff:ff -prefixlen 128 -interface em0"
>   ipv6_defaultrouter="2607:5300:60:47ff:ff:ff:ff:ff"
>   hostname="sapphire"
>   #security
>   #kern_securelevel_enable="YES"
>   kern_securelevel=-1
>   postfix_enable="YES"
>
> I flushed the firewall and am still unable to connect out from the
> jail (using telnet), or connect to the jail using telnet.
>
> Do I need to do anything else special? Is there a way to track this down?
>
> Thanks,
>
>> -Jeff

You have a heap of settings in your rc.conf. Is this machine already doing something? It would be better to comment most of this stuff out and start from scratch -- leaving only the absolutely necessary -- hostname (fully qualified), ifconfig_em0 line and the defaultrouter line. And then go step by step, so you understand what's going on.

First, you don't need to enable "jail" if you are enabling "ezjail".

And you will need to set up an alias for the em0 network interface, one per jail. Without that you won't have communication with your ezjail. If you set up a jail with address 192.168.0.2, you need this same address to attach to em0 as an alias.

-Jeff
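As an added example (not part of the thread), the following POSIX sh script checks offline for the two things the reply says a jail on 192.168.0.2 needs: that address bound as a /32 alias on the host's em0, and a loaded pf rdr rule forwarding the service port to it. The `ifconfig em0` and `pfctl -sn` output it parses is constructed sample text; on a real host you would feed it the commands' actual output.

```sh
#!/bin/sh
# Added example, not from the thread: offline check of the two things the reply
# says a jail on 192.168.0.2 needs -- that address aliased on the host's em0, and
# a pf rdr rule sending the service port to it. The inputs are constructed
# stand-ins for `ifconfig em0` and `pfctl -sn`; on a real host pipe those in.
JAIL_IP="192.168.0.2"   # jail address from the thread
JAIL_PORT="3306"        # mysql port the poster wants forwarded

# Constructed `ifconfig em0` output with the jail alias already present.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.99.32.153 netmask 0xffffff00 broadcast 192.99.32.255
    inet 192.168.0.2 netmask 0xffffffff broadcast 192.168.0.2'

# Constructed `pfctl -sn` output (loaded NAT/rdr rules).
SAMPLE_PF_NAT='rdr on em0 inet proto tcp from any to any port = 3306 -> 192.168.0.2'

# Escape the dots of an IPv4 address so it is matched literally by grep.
re_ip() { printf '%s' "$1" | sed 's/\./\\./g'; }

# has_alias IFCONFIG_OUTPUT IP: succeeds if IP is bound as a /32 alias.
has_alias() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*inet $(re_ip "$2") netmask 0xffffffff"
}

# has_rdr PFCTL_OUTPUT IP PORT: succeeds if a loaded rdr rule sends PORT to IP.
has_rdr() {
    printf '%s\n' "$1" | grep -q "^rdr .*port = $3 -> $(re_ip "$2")\$"
}

# check_jail_net IFCONFIG_OUTPUT PFCTL_OUTPUT IP PORT: reports what is missing and
# succeeds only when both the alias and the rdr rule are in place.
check_jail_net() {
    rc=0
    if has_alias "$1" "$3"; then
        echo "ok: $3 is aliased on the host interface"
    else
        echo "missing alias: add ifconfig_em0_alias0=\"inet $3 netmask 255.255.255.255\" to rc.conf"
        rc=1
    fi
    if has_rdr "$2" "$3" "$4"; then
        echo "ok: pf forwards port $4 to $3"
    else
        echo "missing rdr: no loaded rule for port $4 -> $3 (check pf.conf, then pfctl -sn)"
        rc=1
    fi
    return $rc
}

check_jail_net "$SAMPLE_IFCONFIG" "$SAMPLE_PF_NAT" "$JAIL_IP" "$JAIL_PORT"
```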