From: Grzegorz Junka <list1@gjunka.com>
To: freebsd-jail@freebsd.org
Subject: Re: jails in different private subnets on the same host
Date: Fri, 20 May 2016 11:07:54 +0000
Message-ID: <573349b9-b10d-e976-6d41-1118f5de4b2c@gjunka.com>
In-Reply-To: <20160519151914.GL15034@home.opsec.eu>
List-Id: "Discussion about FreeBSD jail(8)"

On 19/05/2016 15:19, Kurt Jaeger wrote:
> Hi!
>
>> Why would it need to use the nameserver if I am telnetting through IP?
>
> Use telnet -N to avoid DNS lookups.

Oh, great! That worked. It could connect to the web server jail immediately.

So it looks like the problem is with connecting to the DNS jail, but why?

This is inside the DNS jail:

root@dns1:/ # netstat -an
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.60.53        *.*                    LISTEN
tcp4       0      0  192.168.1.60.25        *.*                    LISTEN
udp4       0      0  192.168.1.60.53        *.*
udp4       0      0  192.168.1.60.514       *.*
(... IPv6 entries)

On the problematic jail:

root@pjp1:/ # cat /etc/resolv.conf
search myserver.mydomain.com
nameserver 192.168.1.60
options edns0

root@pjp1:/ # netstat -an
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.33.1.40.25          *.*                    LISTEN
tcp4       0      0  10.33.1.40.3306        *.*                    LISTEN
tcp4       0      0  10.33.1.40.80          *.*                    LISTEN
udp4       0      0  10.33.1.40.514         *.*

root@pjp1:/ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
10.33.1.40         link#4             UHS         lo0

This works immediately:

root@pjp1:/ # telnet -N 192.168.1.60 53
Trying 192.168.1.60...
Connected to 192.168.1.60.
Escape character is '^]'.

But this connects after exactly 15 seconds:

root@pjp1:/ # telnet 192.168.1.60 53
Trying 192.168.1.60...
Connected to 192.168.1.60.
Escape character is '^]'.

Grzegorz
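The difference between the two telnet runs above is the reverse lookup telnet performs on the peer address unless -N is given. The script below is an added example, not part of the thread or of any FreeBSD tool: it reads the nameserver out of a resolv.conf (the sample is a copy of the one shown above, embedded so the script runs offline), builds the same kind of PTR query the resolver would send for 192.168.1.60, sends it over UDP with a short bounded timeout, and reports whether the nameserver jail answered, refused, or never replied. That lets a stall like the 15-second one be attributed to the resolver path rather than to the TCP connection. The function and constant names are the example's own.

```python
"""Probe the configured nameserver the way a reverse lookup would, with a
bounded timeout, to separate 'resolver unreachable' from 'resolver slow'
or 'resolver refuses'.  Added example; names below are this script's own."""

import random
import socket
import struct
import time

# Constructed sample: a copy of the resolv.conf shown in the message.
SAMPLE_RESOLV_CONF = """\
search myserver.mydomain.com
nameserver 192.168.1.60
options edns0
"""


def parse_nameservers(resolv_conf_text):
    """Return the 'nameserver' entries of a resolv.conf, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def ptr_name(ipv4):
    """Reverse-DNS name for an IPv4 peer, e.g. 60.1.168.192.in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def encode_name(name):
    """DNS wire encoding: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_ptr_query(ipv4, txid):
    """Minimal DNS query: header (RD=1, one question) + PTR/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(ptr_name(ipv4)) + struct.pack("!HH", 12, 1)  # QTYPE=PTR, QCLASS=IN
    return header + question


def classify_reply(query, reply):
    """Classify a reply by its header only: answer/nxdomain/refused/servfail, or why it is unusable."""
    if len(reply) < 12:
        return "short"
    txid, flags = struct.unpack("!HH", reply[:4])
    if txid != struct.unpack("!H", query[:2])[0]:
        return "mismatch"          # not a reply to our query; ignore it
    if not flags & 0x8000:
        return "not-a-response"    # QR bit clear
    rcode = flags & 0x000F
    return {0: "answer", 2: "servfail", 3: "nxdomain", 5: "refused"}.get(rcode, f"rcode{rcode}")


def probe(nameserver, peer_ip, timeout=2.0):
    """Send one PTR query for peer_ip to nameserver:53 over UDP.

    Returns (status, elapsed_seconds).  A 'timeout' means no datagram came
    back at all, which is what an unreachable or silently dropped resolver
    looks like; 'refused'/'nxdomain' mean the server is reachable and fast."""
    txid = random.randrange(0, 0x10000)
    query = build_ptr_query(peer_ip, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(query, (nameserver, 53))
        reply, _ = sock.recvfrom(512)
        status = classify_reply(query, reply)
    except socket.timeout:
        status = "timeout"
    except OSError as exc:        # e.g. no route to host, ICMP port unreachable
        status = f"error:{exc.errno}"
    finally:
        sock.close()
    return status, time.monotonic() - start


if __name__ == "__main__":
    # In the thread the peer being telnetted is the nameserver itself, so the
    # reverse lookup asks 192.168.1.60 about 192.168.1.60.
    for ns in parse_nameservers(SAMPLE_RESOLV_CONF):
        status, secs = probe(ns, ns)
        print(f"nameserver {ns}: {status} after {secs:.2f}s")
```

Run it from inside the jail whose resolv.conf is in question (replace the embedded sample with the real file's contents). If the probe reports "timeout" after the 2-second bound while telnet -N to the same address on TCP port 53 connects at once, UDP to the resolver is what is not getting through; a fast "answer" or "nxdomain" instead points away from the nameserver jail.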