Date: Tue, 17 Jul 2012 11:46:34 +0200
From: "Herbert J. Skuhra" <h.skuhra@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Jails on FreeBSD 9.0
Message-ID: <CADfJ1PaaqC6CupoWww5OXy%2BG1b6jXGadXN%2B4L63QVPmCwP2Fgg@mail.gmail.com>
In-Reply-To: <CAMaK76HJfvVpn8qURDoUbBVKsowgrqmO7Nv=VXrtU0Yq4VbohA@mail.gmail.com>
References: <87fw8yariq.wl%h.skuhra@gmail.com> <CADfJ1PYDaJ-ogJq8ewvzLk3sCjqrE0bw36grVSAn2_16dZHDhw@mail.gmail.com> <CAPd55qAiWO5eQ=KkweuWir%2BgD4C1LSSbiky2VgZwiDpwwUyJaw@mail.gmail.com> <CADfJ1Pa1dpZ5StTTrG=8KVnFNzUuK58MhLXrg4prAqq4cKLK2g@mail.gmail.com> <CAMaK76HJfvVpn8qURDoUbBVKsowgrqmO7Nv=VXrtU0Yq4VbohA@mail.gmail.com>
On Tue, Jul 17, 2012 at 9:59 AM, Kalle Møller <freebsd-questions@k-moeller.dk> wrote:
> On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra <h.skuhra@gmail.com> wrote:
>> On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu <joris.dedieu@gmail.com> wrote:
>>> 2012/7/12 Herbert J. Skuhra <h.skuhra@gmail.com>:
>>>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra <h.skuhra@gmail.com> wrote:
>>>>> Hi,
>>>>>
>>>>> although I've followed the instructions in jail(8) and jail.conf(5) I
>>>>> cannot manage to set up jails on FreeBSD 9.0 STABLE (r238334).
>>>>>
>>>>> The symptoms:
>>>>>
>>>>> * ssh'ing to the jail works, but it takes about 20 seconds until the password
>>>>> prompt appears
>>>
>>> Is it still the same with UseDNS=no in /etc/ssh/sshd_config?
>>
>> No, I can log in instantly.
>>
>>>>> * netstat -r in the jail takes about 150 seconds to finish
>>>
>>> Does netstat -rn do the same?
>>
>> No, the output appears immediately.
>>
>>>>> * connections to the internet time out; with tcpdump I see that
>>>>> packets leave and enter the public interface on the host, but never
>>>>> reach the jail
>>>>>
>>>>> I use the lo1 interface and IP address 192.168.1.1/24 for the jail. The public
>>>>> interface is fxp0 with both an IPv4 and an IPv6 address assigned.
>>>>> Of course, NAT is enabled via pf on the public interface.
>>>
>>> Can you post your PF configuration?
>>>>
>>>> After switching to ipfw/natd, networking in the jail works.
>>>> Could this be a bug?
>>>
>>> I think you had an issue with a firewall that blocks name resolution and
>>> makes everything go slow. At least you need one single line in your
>>> pf.conf:
>>>
>>> nat on $public_interface from $jail_ip to any -> ($public_interface)
>>
>> Even when loading only the nat rule it doesn't work:
>>
>> nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr
>>
>> Thanks.
>> Herbert
>
>
> As Mark Felder wrote:
>
> You don't have anything in /etc/resolv.conf in the jail, do you? :-)

I have two nameservers listed!
If I boot a kernel with ipfirewall/ipdivert and run natd, the network in the jail works!

With pf: I see the packets going out/coming in on fxp0, but somehow the jail does not "see" them.

A 'dig www.google.com' in the jail fails with "connection timed out; no servers could be reached", but tcpdump on fxp0 shows:

11:39:45.666630 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:45.694045 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.176, A 173.194.35.179, A 173.194.35.180, A 173.194.35.178 (132)
11:39:50.667799 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:50.687083 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.178, A 173.194.35.179, A 173.194.35.180, A 173.194.35.176 (132)
11:39:55.668783 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:55.675917 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.180, A 173.194.35.177, A 173.194.35.179, A 173.194.35.176, A 173.194.35.178 (132)

And 'nc 173.194.35.177 80':

11:41:52.176904 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0
11:41:53.382320 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445659753 ecr 8593173,nop,wscale 6], length 0
11:41:54.088585 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8596173 ecr 0], length 0
11:41:54.098838 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0
11:41:55.796638 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445662155 ecr 8593173,nop,wscale 6], length 0
11:41:57.288596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8599373 ecr 0], length 0
11:41:57.299125 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445663650 ecr 8593173,nop,wscale 6], length 0
11:42:00.488595 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
11:42:00.498606 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666834 ecr 8593173,nop,wscale 6], length 0
11:42:00.621724 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666957 ecr 8593173,nop,wscale 6], length 0
11:42:03.688596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
11:42:03.698762 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445670018 ecr 8593173,nop,wscale 6], length 0
11:42:06.888595 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
11:42:06.899032 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445673202 ecr 8593173,nop,wscale 6], length 0
11:42:13.088586 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
[...]

% uname -rms
FreeBSD 9.1-PRERELEASE amd64

Regards,
Herbert
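As an added diagnostic (not part of this thread or of any FreeBSD tool), the script below groups tcpdump lines from the host's public interface by flow and flags exactly the pattern Herbert captured: DNS answers and SYN-ACKs arrive on fxp0 while the jail keeps retransmitting the same query id or SYN, which points at the return path between the public interface and the jail rather than at the remote side. The sample lines are a constructed, trimmed copy of the output above; 'xxx.yyy.zzz' stands for the anonymised host address.

```python
import re
from collections import defaultdict

BROKEN = "replies arrive on the public interface but the jail never sees them"
NO_REPLY = "no reply seen on the public interface"
OK = "ok"
TCP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]*)\]")
DNS_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (\d+)(\+?) ")  # '+' marks a query
# Constructed sample: a trimmed copy of the tcpdump output in the mail above.
SAMPLE = """\
11:39:45.666630 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:45.694045 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177 (132)
11:39:50.667799 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:50.687083 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177 (132)
11:41:54.088585 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, length 0
11:41:54.098838 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, length 0
11:41:57.288596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, length 0
""".splitlines()


def analyse(lines, local_prefix):
    """Classify each flow in tcpdump output captured on the NAT host; local_prefix
    is the host's translated address as shown in the capture (local endpoint first)."""
    tcp = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    dns = defaultdict(lambda: {"query": 0, "reply": 0})
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            src, dst, flags = m.groups()
            key = (src, dst) if src.startswith(local_prefix) else (dst, src)
            if flags == "S":
                tcp[key]["syn"] += 1
            elif flags == "S.":
                tcp[key]["synack"] += 1
            elif "." in flags:  # any later ACK means the handshake completed
                tcp[key]["ack"] += 1
            continue
        m = DNS_RE.match(line)
        if m:
            src, dst, qid, plus = m.groups()
            key = (src, dst, qid) if plus else (dst, src, qid)
            dns[key]["query" if plus else "reply"] += 1
    verdicts = {}
    for key, c in tcp.items():
        # SYN-ACKs came back but the client only ever retransmitted its SYN.
        verdicts[key] = OK if c["ack"] else BROKEN if c["synack"] else NO_REPLY
    for key, c in dns.items():
        # Same query id re-sent after an answer arrived: the jail never got it.
        verdicts[key] = (OK if c["query"] <= 1 else BROKEN) if c["reply"] else NO_REPLY
    return verdicts
```

Run it on a capture taken with tcpdump -n on the public interface; a flow reported as BROKEN while the same capture on lo1 shows nothing inbound confirms the replies are dropped on the host, not upstream.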