From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: 127.0.0.1 in a jail
Date: Thu, 20 Nov 2014 17:15:38 +0000
Message-ID: <546E21BA.703@infracaninophile.co.uk>
References: <546E08B3.9090906@yahoo.com> <546E0EE8.3050102@qeng-ho.org>
In-Reply-To: <546E0EE8.3050102@qeng-ho.org>

On 11/20/14 15:55, Arthur Chance wrote:
> I don't think you can do anything to make 127.0.0.1 work as a target for
> connecting to - how is the common network stack to decide whether you're
> talking to the jail or the main box? It might be possible in VIMAGE
> jails, but I have no experience of them.

With a VIMAGE jail you certainly can create a loopback interface per jail
and set that to use 127.0.0.1 or ::1 as its addresses.

Unfortunately at the moment you need a custom kernel to add the VIMAGE
functionality, and you need to avoid some of the various firewall
implementations: with VIMAGE you'd naturally run the firewall code from
within the jail, rather than as something controlled by the host system.
There are moves to make VIMAGE part of the default kernel config for
11.0-RELEASE, but that isn't expected until sometime next year and there
are some pretty nasty crash-bugs which will have to be thoroughly squashed
before it is enabled in a release.

> You could always add an entry for localhost in the jail's /etc/hosts
> that is the jail's address rather than 127.0.0.1. That's not going to
> happen automatically though.

You can do that -- but a lot of software will try and bind to localhost by
one of the well known IP numbers rather than looking up 'localhost'. I've
found it is generally possible to configure most software -- particularly
server software -- either to bind to a specific IP address or else to use a
unix domain socket, and that gives good results in jails. It is a bit of a
faff though, and you don't get the intrinsic protection of binding some
software to the loopback address if you have to bind it to the jail's IP.

(One of the few common daemons you can't do that with is ntpd(8), but
that's something it makes no sense at all to run in a jail, seeing as jails
use exactly the same time-of-day as the host system)

Cheers,

Matthew
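The per-jail loopback that Matthew describes, written out as an added example that is not part of the original message or of FreeBSD's own documentation. It is a jail.conf(5) stanza for a VNET (VIMAGE) jail, followed by the rc.conf lines inside the jail root. It assumes a kernel built with `options VIMAGE`; the jail name `web1`, the path `/usr/jails/web1`, the hostname, the `epair0` link and the 192.0.2.10 address are all made-up values for illustration.

```conf
# /etc/jail.conf on the host (added example; names and paths are assumptions)
web1 {
    path = "/usr/jails/web1";
    host.hostname = "web1.example.org";
    mount.devfs;

    # Give the jail its own network stack (needs a kernel with 'options VIMAGE').
    # The jail then gets a private lo0, so 127.0.0.1 inside the jail refers to
    # the jail only, not to the host or to any other jail.
    vnet;

    # One end of an epair(4) is moved into the jail; the other end stays on
    # the host, where it is bridged or routed. Without VIMAGE there is no
    # second stack to move an interface into, which is why a plain jail
    # cannot have its own 127.0.0.1.
    exec.prestart = "ifconfig epair0 create up";
    vnet.interface = "epair0b";

    exec.start    = "/bin/sh /etc/rc";
    exec.stop     = "/bin/sh /etc/rc.shutdown";
    exec.poststop = "ifconfig epair0a destroy";
}

# /usr/jails/web1/etc/rc.conf, i.e. inside the jail (constructed example).
# The loopback line matches what /etc/defaults/rc.conf already does; it is
# spelled out here to make the per-jail 127.0.0.1 explicit.
hostname="web1.example.org"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_epair0b="inet 192.0.2.10/24"
```

With this layout a daemon inside the jail can keep its default "listen on 127.0.0.1" setting and the host cannot reach it over that address, which is the "intrinsic protection" of the loopback binding that is lost when a non-VNET jail forces the service onto the jail's public IP. As Matthew notes, the firewall for that stack has to be run from inside the jail rather than from the host.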