Date:      Thu, 30 May 2013 09:49:51 -0400
From:      Joe <fbsd8@a1poweruser.com>
To:        Mogamat Abrahams <lists@tabits.co.za>
Cc:        freebsd-jail@freebsd.org
Subject:   Re: Cant reach Jailed services from internet.
Message-ID:  <51A758FF.4080402@a1poweruser.com>
In-Reply-To: <loom.20130530T144859-588@post.gmane.org>
References:  <loom.20130527T091739-282@post.gmane.org> <cc5f425486d0fc06e1ddc0a8cbe300ad@nanogene.org> <loom.20130527T215634-190@post.gmane.org> <20130528145629.X55451@sola.nimnet.asn.au> <20130528080719.GA11195@eik.bme.hu> <loom.20130528T180339-694@post.gmane.org> <loom.20130529T091557-794@post.gmane.org> <51A5F743.7080307@a1poweruser.com> <loom.20130530T144859-588@post.gmane.org>

Mogamat Abrahams wrote:
>> Do you have   gateway_enable="YES"  statement in the host's rc.conf?
> Added it and no difference.
>> Is the jail's /etc/resolv.conf populated with the correct info?
>>
> Yes, name resolution works ok - I can reach out from the jail to other 
> services on the internet.
> 
>> You said "Netstat on the host and jail also show services
>> listening on those addresses on the correct ports."
>>
>> If what you mean is the host has processes listening on the SAME
>> ip address / ports as the jails are listening on, then your jails
>> will never get any unsolicited traffic because the host always gets
>> access to that traffic first and processes it without the jail ever 
>> knowing about it.
> I only have sshd configured on the host, that's on the 67. ip address. So I 
> assume those listening ports are coming from the jail as it's on the same IP 
> and ports 80 and 81 
> 
> Any other suggestions?
> 
> M
> 
> 

Let's find out about those jail ip addresses. You stated those ip addresses 
prefixed with 174 were provided by your colo provider.

Questions to ask them. Are those 174.x.x.x ip addresses provisioned, or, 
said a different way, are they true static ip addresses? Read up on the 
difference.

Your 67.205.xx.xx ip address looks like a dynamic ip address that you 
use dhcp to automatically obtain all the network configuration 
information needed by your host. Static ip addresses don't work that 
way. You have to manually configure the static network. If I remember 
correctly, for a block of 3 assignable ip addresses you need a block of 
5 from your provider. The first and last ip address are used to config 
the network.

Best you talk to your provider to find out how those ip addresses are 
configured at their end and how you should config them at your end.


You never said if you have a firewall on your host. The firewall rules 
may be dropping unsolicited inbound traffic for those 174 prefixed ip 
addresses. Try putting a pass all log from that NIC rule or just a log 
all rule or turn off the firewall altogether and see what happens. 
Verify your NAT is not trying to NAT unsolicited inbound traffic for 
those 174 prefixed ip addresses.




