From owner-freebsd-jail@FreeBSD.ORG Sun Apr 20 20:16:47 2008
From: Jeffrey Smith
To: freebsd-jail@freebsd.org
Date: Sun, 20 Apr 2008 15:49:39 -0400
Message-Id: <1208720979.2082.13.camel@mrwizard.futurecis.com>
Subject: freebsd-update on jails

I previously posted a howto to use zfs to manage jails. The first
update through freebsd-update has been released.
Testing this I get

(in jail)
ldap1#freebsd-update install
Installing updates...chflags: ///usr/lib/libssh.a: Operation not supported

After this error I enabled chflags in sysctl on the host system
#sysctl security.jail.chflags_allowed=1

This did not work in fixing the issue.
After reading the freebsd-update man page I thought this should be possible:

#freebsd-update -b /jails/ldap1/ -d /jails/ldap1/var/db/freebsd-update/ \
 install
Installing updates...chflags: /jails/ldap1///usr/lib/libssh.a: Operation not supported

But I still get that same error. Does anyone have any idea what would
keep this from working? If there is a way to update the host and all
subsequent jails via the host that would be great, as I would prefer not
to allow chflags from within the jails.

thanks in advance

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 21 00:13:23 2008
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Jeffrey Smith
Date: Mon, 21 Apr 2008 01:54:04 +0200
Message-ID: <480BD79C.1010903@quip.cz>
Cc: freebsd-jail@freebsd.org
Subject: Re: freebsd-update on jails

Jeffrey Smith wrote:
> I previously posted a howto to use zfs to manage jails. The first
> update through freebsd-update has been released. Testing this I get
>
> (in jail)
> ldap1#freebsd-update install
> Installing updates...chflags: ///usr/lib/libssh.a: Operation not
> supported
>
> After this error I enabled chflags in sysctl on the host system
> #sysctl security.jail.chflags_allowed=1
>
> This did not work in fixing the issue
> after reading the freebsd-update man page I thought this should be
> possible
>
> #freebsd-update -b /jails/ldap1/ -d /jails/ldap1/var/db/freebsd-update/
> \ install
> Installing updates...chflags: /jails/ldap1///usr/lib/libssh.a: Operation
> not supported
>
> But I still get that same error. Does anyone have any idea what would
> keep this from working? If there is a way to update the host and all
> subsequent jails via the host that would be great, as I would prefer not
> to allow chflags from within the jails.

Can you tell me your FreeBSD version?
I am convinced that I did freebsd-update inside Jail on FreeBSD 6.2, but
I am not 100% sure and did not test it on FreeBSD 7.
Are you trying to update (minor security updates) or upgrade to a newer
release version? Maybe I was lucky that my update routine did not
change any chflagged files.
Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 21 03:05:11 2008
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Jeffrey Smith, freebsd-jail@freebsd.org
Date: Mon, 21 Apr 2008 05:05:24 +0200
Message-ID: <480C0474.9040806@quip.cz>
Subject: Re: freebsd-update on jails

Jeffrey Smith wrote:
> On Mon, 2008-04-21 at 01:54 +0200, Miroslav Lachman wrote:
>
>> Jeffrey Smith wrote:
>>
>>> I previously posted a howto to use zfs to manage jails. The first
>>> update through freebsd-update has been released. Testing this I get
>>>
>>> (in jail)
>>> ldap1#freebsd-update install
>>> Installing updates...chflags: ///usr/lib/libssh.a: Operation not
>>> supported
>>>
>>> After this error I enabled chflags in sysctl on the host system
>>> #sysctl security.jail.chflags_allowed=1
>>>
>>> This did not work in fixing the issue
>>> after reading the freebsd-update man page I thought this should be
>>> possible
>>>
>>> #freebsd-update -b /jails/ldap1/ -d /jails/ldap1/var/db/freebsd-update/
>>> \ install
>>> Installing updates...chflags: /jails/ldap1///usr/lib/libssh.a: Operation
>>> not supported
>>>
>>> But I still get that same error. Does anyone have any idea what would
>>> keep this from working? If there is a way to update the host and all
>>> subsequent jails via the host that would be great, as I would prefer not
>>> to allow chflags from within the jails.
>>
>> Can you tell me your FreeBSD version?
>> I am convinced that I did freebsd-update inside Jail on FreeBSD 6.2, but
>> I am not 100% sure and did not test it on FreeBSD 7.
>> Are you trying to update (minor security updates) or upgrade to a newer
>> release version? Maybe I was lucky that my update routine did not
>> change any chflagged files.
>>
>> Miroslav Lachman
>
> FreeBSD xxxxx.yyyyyyy.com 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Sun
> Feb 24 10:35:36 UTC 2008
> root@driscoll.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

Hmmm... can you show your `mount` output? Do you have jails on an NFS
exported fs, or plain ufs?

As a quick & dirty hack, you can try a sysinstall batch:

sysinstall _ftpPath=ftp://ftp.FreeBSD.org/pub/FreeBSD/ nonInteractive=yes \
  mediaSetFTP releaseName=7.0-RELEASE dists=base distSetCustom \
  installRoot=/jails/ldap1/ installCommit

or a better tuned sysinstall command that does not install a new base, but
does a binary upgrade.
[add function "installUpgrade" in to the sysinstall command]
(I did not try this way, so let me know if it works for you)

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 21 10:30:50 2008
From: Alexander Leidinger
To: Jeffrey Smith
Cc: freebsd-jail@freebsd.org
Date: Mon, 21 Apr 2008 12:30:38 +0200
Message-ID: <20080421123038.42988gk2kqfgng0g@webmail.leidinger.net>
Subject: Re: freebsd-update on jails

Quoting Jeffrey Smith (from Sun, 20 Apr 2008 15:49:39 -0400):

> I previously posted a howto to use zfs to manage jails. The first
> update through freebsd-update has been released. Testing this I get

[snip]

> But I still get that same error. Does anyone have any idea what would
> keep this from working? If there is a way to update the host and all
> subsequent jails via the host that would be great, as I would prefer not
> to allow chflags from within the jails.

If you have your jail on ZFS I suggest you check that the original
file has flags at all. I doubt it (as ZFS doesn't handle flags (yet?)).

Bye,
Alexander.

--
Home on the Range was originally written in beef-flat.

http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137

From owner-freebsd-jail@FreeBSD.ORG Mon Apr 21 11:06:51 2008
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 21 Apr 2008 11:06:50 GMT
Message-Id: <200804211106.m3LB6ouM095207@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
s kern/89528   jail       [jail] [patch] impossible to kill a jail
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail

2 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with
o kern/68192   jail       [quotas] [jail] Cannot use quotas on jailed systems
o kern/72498   jail       [libc] [jail] timestamp code on jailed SMP machine gen
o kern/74314   jail       [resolver] [jail] DNS resolver broken under certain ja
o kern/84215   jail       [jail] [patch] wildcard ip (INADDR_ANY) should not bin
o kern/89989   jail       [jail] [patch] Add option -I (ASCII 73) PID to specif
o kern/97071   jail       [jail] [patch] add security.jail.jid sysctl
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/119305   jail       [jail] [patch] jexec(8): jexec -n prisonname: selectio
o kern/120753  jail       [jail] Zombie jails (jailed child process exits while

10 problems total.
From owner-freebsd-jail@FreeBSD.ORG Mon Apr 21 19:38:29 2008
From: Jeffrey Smith
To: Alexander Leidinger
Cc: freebsd-jail@freebsd.org
Date: Mon, 21 Apr 2008 15:38:08 -0400
Message-Id: <1208806688.2082.23.camel@mrwizard.futurecis.com>
Subject: Re: freebsd-update on jails

On Mon, 2008-04-21 at 12:30 +0200, Alexander Leidinger wrote:
> Quoting Jeffrey Smith (from Sun, 20 Apr 2008 15:49:39 -0400):
>
> > I previously posted a howto to use zfs to manage jails. The first
> > update through freebsd-update has been released. Testing this I get
> [snip]
> > But I still get that same error. Does anyone have any idea what would
> > keep this from working? If there is a way to update the host and all
> > subsequent jails via the host that would be great, as I would prefer not
> > to allow chflags from within the jails.
>
> If you have your jail on ZFS I suggest you check that the original
> file has flags at all. I doubt it (as ZFS doesn't handle flags (yet?)).
>
> Bye,
> Alexander.
>

Right, I think I remember reading that somewhere. Is there a work around
so freebsd-update will work, or am I out of luck until ZFS is fixed?

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 22 19:44:00 2008
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-jail@freebsd.org
Date: Tue, 22 Apr 2008 14:19:08 -0500
Subject: routing

I have an ipsec/vpn on FreeBSD 6.3 from one master server to another
server; the one has multiple jails. Each jail has its own public IP and I
need to do something like this:

vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
64.68.69.79/10.10.10.1            75.76.78.79/10.10.10.2

When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the jail
with ip 75.76.78.80 to respond, and also from jail 75.76.78.80 to be
able to telnet the other vpn point 10.10.10.1.

I am trying to route traffic using PF but it is not working for the tunnel,
only for the non encrypted traffic, example:
rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80

but if I use the gif0 interface (the one for the tunnel) instead of em1
it does not work.

Any ideas ?
--
> nbari

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 22 19:46:16 2008
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-jail@freebsd.org
Date: Tue, 22 Apr 2008 14:18:48 -0500
Message-Id: <695A90A5-CB7E-4C5A-AA6C-C4EB148FF320@k9.cx>
Subject: routing

I have an ipsec/vpn on FreeBSD 6.3 from one master server to another
server; the one has multiple jails. Each jail has its own public IP and I
need to do something like this:

vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
64.68.69.79/10.10.10.1            75.76.78.79/10.10.10.2

When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the jail
with ip 75.76.78.80 to respond, and also from jail 75.76.78.80 to be
able to telnet the other vpn point 10.10.10.1.

I am trying to route traffic using PF but it is not working for the tunnel,
only for the non encrypted traffic, example:
rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80

but if I use the gif0 interface (the one for the tunnel) instead of em1
it does not work.

Any ideas ?

--
> nbari

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 22 21:08:53 2008
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Nicolas de Bari Embriz Garcia Rojas
Cc: freebsd-jail@freebsd.org
Date: Tue, 22 Apr 2008 23:09:06 +0200
Message-ID: <480E53F2.5010502@quip.cz>
Subject: Re: routing

Nicolas de Bari Embriz Garcia Rojas wrote:
> I have an ipsec/vpn on FreeBSD 6.3 from one master server to another
> server; the one has multiple jails. Each jail has its own public IP and I
> need to do something like this:
>
> vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
> 64.68.69.79/10.10.10.1            75.76.78.79/10.10.10.2
>
> When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the jail
> with ip 75.76.78.80 to respond, and also from jail 75.76.78.80 to be
> able to telnet the other vpn point 10.10.10.1.
>
> I am trying to route traffic using PF but it is not working for the tunnel,
> only for the non encrypted traffic, example:
> rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
>
> but if I use the gif0 interface (the one for the tunnel) instead of em1
> it does not work.

I am using a slightly different setup. I have lo1 with IPs 172.16.1.0/24
for jails, and public IPs are RDR / NATed from the public interface to the
local (jail) ones.
I have one jail where I need to connect through OpenVPN on tap0 to the
MSSQL database server and, from the other end (MS Windows Server), allow
connections in to the jailed MySQL database server. Apache from this jail
is publicly accessible on ports 80 and 443.
jail_addr_0="172.16.1.2"
jail_tcp_0_inports="{ 80, 443 }"
vpn_dtc_if="tap0"
vpn_dtc_addr_local="10.0.0.29"
vpn_dtc_addr_remote="10.0.0.10"
vpn_dtc_inports="{ 3306 }" # let incoming to local mysql

# outgoing connections
nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
# incoming connections
rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0

Miroslav Lachman

From owner-freebsd-jail@FreeBSD.ORG Tue Apr 22 22:22:55 2008
From: Nicolas de Bari Embriz Garcia Rojas
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Date: Tue, 22 Apr 2008 17:22:30 -0500
Message-Id: <6CC2A206-EC5E-4245-A077-6398AE804462@k9.cx>
Subject: Re: routing

Thanks, I tried to base my rules on yours but still do not have luck.

I do not know if maybe it is because of the IPSEC vpn; also, what I would
like to do is to access the end vpn point from the jails, but I still
haven't made that work or know how to do it.

any ideas ?

regards.

On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
> Nicolas de Bari Embriz Garcia Rojas wrote:
>> I have an ipsec/vpn on FreeBSD 6.3 from one master server to
>> another server; the one has multiple jails. Each jail has its own
>> public IP and I need to do something like this:
>> vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
>> 64.68.69.79/10.10.10.1            75.76.78.79/10.10.10.2
>> When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the
>> jail with ip 75.76.78.80 to respond, and also from jail
>> 75.76.78.80 to be able to telnet the other vpn point 10.10.10.1.
>> I am trying to route traffic using PF but it is not working for the
>> tunnel, only for the non encrypted traffic, example:
>> rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
>> but if I use the gif0 interface (the one for the tunnel) instead of
>> em1 it does not work.
>
> I am using a slightly different setup. I have lo1 with IPs
> 172.16.1.0/24 for jails, and public IPs are RDR / NATed from the public
> interface to the local (jail) ones.
> I have one jail where I need to connect through OpenVPN on tap0 to
> the MSSQL database server and, from the other end (MS Windows Server),
> allow connections in to the jailed MySQL database server. Apache from
> this jail is publicly accessible on ports 80 and 443.
>
> jail_addr_0="172.16.1.2"
> jail_tcp_0_inports="{ 80, 443 }"
> vpn_dtc_if="tap0"
> vpn_dtc_addr_local="10.0.0.29"
> vpn_dtc_addr_remote="10.0.0.10"
> vpn_dtc_inports="{ 3306 }" # let incoming to local mysql
>
> # outgoing connections
> nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
> nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
> # incoming connections
> rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
> rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
>
> Miroslav Lachman

--
> nbari

From owner-freebsd-jail@FreeBSD.ORG Wed Apr 23 10:44:59 2008
(CEST) Received: from [192.168.1.2] (r5bb235.net.upc.cz [86.49.61.235]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id D283519E027; Wed, 23 Apr 2008 12:44:55 +0200 (CEST) Message-ID: <480F1339.3080605@quip.cz> Date: Wed, 23 Apr 2008 12:45:13 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: cz, cs, en, en-us MIME-Version: 1.0 To: Nicolas de Bari Embriz Garcia Rojas References: <695A90A5-CB7E-4C5A-AA6C-C4EB148FF320@k9.cx> <480E53F2.5010502@quip.cz> <6CC2A206-EC5E-4245-A077-6398AE804462@k9.cx> In-Reply-To: <6CC2A206-EC5E-4245-A077-6398AE804462@k9.cx> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-jail@freebsd.org Subject: Re: routing X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Apr 2008 10:45:00 -0000 Nicolas de Bari Embriz Garcia Rojas wrote: > Thanks, I tried to base my rules on your but still do not have luck. > > I do not know if maybe is because of the IPSEC vpn, also what i would > like to do i to access the the end vpn poing from the jails but still > havent made that or know how to doit. I know nothing about IPSec VPN, so I can't help you any further. You can add keyword "log" in to your block rules in pf.conf, start pflog (pflog_enable="YES" in rc.conf and /etc/rc.d/pflog start) and then watch with tcpdump which rule blocks your needed traffic and what next should be allowed / redirected. http://www.openbsd.org/faq/pf/logging.html Or you can ask some network / PF guru in freebsd-pf@ mailinglist. 
> On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
>
>> Nicolas de Bari Embriz Garcia Rojas wrote:
>>
>>> I have an IPsec VPN on FreeBSD 6.3 from one master server to another
>>> server; one of them has multiple jails. Each jail has its own public IP
>>> and I need to do something like this:
>>>
>>>   vpn point >----------------------< master server with jails <-------> jail (75.76.78.80)
>>>   64.68.69.79/10.10.10.1            75.76.78.79/10.10.10.2
>>>
>>> When doing a telnet to 10.10.10.2 80 from 10.10.10.1 I want the jail
>>> with IP 75.76.78.80 to respond, and also for jail 75.76.78.80 to be
>>> able to telnet the other VPN point, 10.10.10.1.
>>> I am trying to route traffic using PF but it is not working for the
>>> tunnel, only for the non-encrypted traffic, example:
>>> rdr on em1 proto tcp from any to any port 80 -> 75.76.78.80
>>> but if I use the gif0 interface (the one for the tunnel) instead of
>>> em1 it does not work.
>>
>> I am using a slightly different setup. I have lo1 with IPs
>> 172.16.1.0/24 for jails, and public IPs are RDR / NATed from the public
>> interface to local (jails).
>> I have one jail where I need to connect through OpenVPN on tap0 to
>> the MSSQL database server, and from the other end (MS Windows Server)
>> allow connections in to the jailed MySQL database server. Apache from
>> this jail is publicly accessible on ports 80 and 443.
>>
>> jail_addr_0="172.16.1.2"
>> jail_tcp_0_inports="{ 80, 443 }"
>> vpn_dtc_if="tap0"
>> vpn_dtc_addr_local="10.0.0.29"
>> vpn_dtc_addr_remote="10.0.0.10"
>> vpn_dtc_inports="{ 3306 }" # let incoming to local mysql
>>
>> # outgoing connections
>> nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
>> nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
>> # incoming connections
>> rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
>> rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
>>
>> Miroslav Lachman
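The "log" plus pflog plus tcpdump procedure in the message above produces one line per logged packet, and on a busy tunnel the interesting drops get buried. As an added example (not code from the thread, from pf or from FreeBSD), the following Python script takes the text that `tcpdump -n -e -ttt -i pflog0` prints (the `-e` is what makes tcpdump show pf's rule number, action and interface) and groups dropped packets by blocking rule, so you can see at a glance which rule on which interface is killing traffic to which destination port. The line layout it parses is the `rule N/M(match): block in on IF: SRC > DST:` form shown in the OpenBSD PF FAQ, and the newer `rule N/(match)` spelling; the sample lines are constructed from the addresses used in this thread, not captured from anyone's host. The rule numbers it reports are the `@N` labels `pfctl -vvsr` prints next to each loaded rule.

```python
"""Triage pflog output: which pf rule is dropping which traffic.

Added example for this thread, not code from the list or from pf. Input is the
text printed by `tcpdump -n -e -ttt -i pflog0` (or `-r /var/log/pflog`); the
line layout assumed here is the "rule N/M(match): block in on IF: SRC > DST:"
form from the OpenBSD PF FAQ. SAMPLE_LINES are constructed, not captured.
"""
import re
from collections import Counter, defaultdict

# Everything before "rule" (timestamps, other -e output) is ignored. Both the
# older "rule 3/0(match):" and the newer "rule 3/(match)" spellings are accepted.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?:\d+)?\(match\):?\s+"
    r"(?P<action>block|pass)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[A-Za-z0-9.]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):?(?:\s|$)"
)

SAMPLE_LINES = [  # constructed for this example
    "000000 rule 3/0(match): block in on tap0: 10.0.0.10.49152 > 10.0.0.29.3306: S 1:1(0) win 65535",
    "000412 rule 3/0(match): block in on tap0: 10.0.0.10.49153 > 10.0.0.29.3306: S 2:2(0) win 65535",
    "001020 rule 5/0(match): block out on tap0: 172.16.1.2.51000 > 10.0.0.10.1433: S 3:3(0) win 65535",
    "001881 rule 7/0(match): pass in on bge0: 203.0.113.5.40000 > 172.16.1.2.80: S 4:4(0) win 65535",
    "002300 rule 3/0(match): block in on tap0: 10.0.0.10 > 10.0.0.29: icmp: echo request",
    "not a pflog line at all",
]


def split_addr(token):
    """'10.0.0.29.3306' -> ('10.0.0.29', 3306); a bare IPv4 address -> (addr, None).
    tcpdump -n appends the port as a fifth dotted component."""
    parts = token.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return token, None


def parse_pflog_line(line):
    """One tcpdump/pflog line -> dict, or None when the line is not a pf log record."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    src, sport = split_addr(m.group("src"))
    dst, dport = split_addr(m.group("dst"))
    return {"rule": int(m.group("rule")), "action": m.group("action"),
            "dir": m.group("dir"), "ifname": m.group("ifname"),
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def summarize_blocks(lines):
    """Group dropped packets by (rule number, direction, interface), counting
    (destination, port) pairs, so each blocking rule shows what it is killing.
    Passed packets are ignored; they are not the problem being chased."""
    out = defaultdict(Counter)
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None and rec["action"] == "block":
            out[(rec["rule"], rec["dir"], rec["ifname"])][(rec["dst"], rec["dport"])] += 1
    return dict(out)


def report(lines):
    """Human-readable summary; rule numbers match the @N labels of `pfctl -vvsr`."""
    rows = []
    for (rule, direction, ifname), dests in sorted(summarize_blocks(lines).items()):
        for (dst, dport), n in dests.most_common():
            port = "any" if dport is None else str(dport)
            rows.append(f"@{rule} block {direction} on {ifname}: {n} packet(s) to {dst} port {port}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run it against real output with `tcpdump -n -e -ttt -r /var/log/pflog | python3 pflog_triage.py` after changing the `__main__` block to read `sys.stdin`; the script name is only a suggestion. Note that pf applies `rdr`/`nat` before filtering, so the destination you see in a logged inbound packet is the post-translation (jail) address, which is why the sample `pass` line on bge0 already shows 172.16.1.2.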
From owner-freebsd-jail@FreeBSD.ORG Thu Apr 24 10:34:50 2008
From: Nicolas de Bari Embriz Garcia Rojas
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Date: Thu, 24 Apr 2008 05:34:40 -0500
Message-Id: <821C3EED-42A0-4ADA-982E-3A5EABB5E1A4@k9.cx>
In-Reply-To: <480E53F2.5010502@quip.cz>
Subject: Re: routing

In your example, what are the values for ext_addr_3 and ext_if?

regards

On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
> [...]
> # outgoing connections
> nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
> [...]
> # incoming connections
> rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
> [...]
>
> Miroslav Lachman
From owner-freebsd-jail@FreeBSD.ORG Thu Apr 24 11:20:22 2008
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Nicolas de Bari Embriz Garcia Rojas
Cc: freebsd-jail@freebsd.org
Date: Thu, 24 Apr 2008 13:20:36 +0200
Message-ID: <48106D04.5040103@quip.cz>
In-Reply-To: <821C3EED-42A0-4ADA-982E-3A5EABB5E1A4@k9.cx>
Subject: Re: routing

Nicolas de Bari Embriz Garcia Rojas wrote:
> In your example, what are the values for ext_addr_3 and ext_if?

The server has an external interface bge0 (connected to the internet):

ext_if="bge0"

and 4 public IP addresses; $ext_addr_3 is one of them (dedicated to this
jail's usage).

> On Apr 22, 2008, at 4:09 PM, Miroslav Lachman wrote:
> [...]
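The question and answer above show the usual failure mode of copying a pf rule fragment from a mail: the rules reference macros (`$ext_if`, `$ext_addr_3`) that are defined elsewhere in the host's pf.conf, and without them `pfctl -nf /etc/pf.conf` refuses the file with an error naming the macro. As an added example (not code from the thread, from pf or from FreeBSD), the following Python script expands pf.conf-style macros in the rule set Miroslav posted and lists every macro that is referenced but never defined, then shows the fully expanded rules once the host-side definitions are supplied. `ext_if="bge0"` is taken from the reply above; the public address is not given in the thread, so `192.0.2.3` (a documentation-range address) stands in for it. `pfctl -nf` remains the authoritative check; this only makes the dependency visible offline.

```python
"""Expand pf.conf macros and flag references to macros that are never defined.

Added example for this thread, not code from the list or from pf. The rule set
below is the one Miroslav posted; ext_if="bge0" comes from his follow-up, and
192.0.2.3 is a placeholder for the public address he did not post. On a real
host, `pfctl -nf /etc/pf.conf` is the authoritative check.
"""
import re

# name="value", optionally followed by a comment, as pf.conf writes macros
MACRO_DEF_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*(?:#.*)?$')
# $name references inside rules (and inside other macro values)
MACRO_REF_RE = re.compile(r"\$([A-Za-z_]\w*)")

# The fragment as posted. ext_if and ext_addr_3 are used but not defined here,
# which is exactly what a reader copying it into their own pf.conf runs into.
POSTED_RULES = """
jail_addr_0="172.16.1.2"
jail_tcp_0_inports="{ 80, 443 }"
vpn_dtc_if="tap0"
vpn_dtc_addr_local="10.0.0.29"
vpn_dtc_addr_remote="10.0.0.10"
vpn_dtc_inports="{ 3306 }" # let incoming to local mysql

# outgoing connections
nat on $ext_if from $jail_addr_0 to !$jail_addr_0 -> $ext_addr_3
nat pass on $vpn_dtc_if from $jail_addr_0 to $vpn_dtc_addr_remote -> $vpn_dtc_addr_local
# incoming connections
rdr on $ext_if proto tcp from any to $ext_addr_3 -> $jail_addr_0
rdr pass on $vpn_dtc_if inet proto tcp from any to $vpn_dtc_addr_local port $vpn_dtc_inports -> $jail_addr_0
"""

# Host-side definitions the posted rules depend on (ext_addr_3 is a placeholder).
HOST_MACROS = """
ext_if="bge0"
ext_addr_3="192.0.2.3"
"""


def parse(conf):
    """Split a pf.conf fragment into {macro: value} and the list of rule lines."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_DEF_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return macros, rules


def expand(text, macros, max_depth=8):
    """Replace $name with its value; values may reference other macros, so iterate.
    Returns (expanded text, set of names that had no definition)."""
    undefined = set()

    def substitute(m):
        name = m.group(1)
        if name in macros:
            return macros[name]
        undefined.add(name)
        return m.group(0)  # leave unknown references visible in the output

    for _ in range(max_depth):
        new_text = MACRO_REF_RE.sub(substitute, text)
        if new_text == text:
            break
        text = new_text
    return text, undefined


def check(conf):
    """Expanded rules plus the sorted list of macros the fragment never defines."""
    macros, rules = parse(conf)
    expanded, undefined = [], set()
    for rule in rules:
        text, missing = expand(rule, macros)
        expanded.append(text)
        undefined |= missing
    return {"rules": expanded, "undefined": sorted(undefined)}


if __name__ == "__main__":
    for label, conf in (("posted rules alone", POSTED_RULES),
                        ("with host macros", HOST_MACROS + POSTED_RULES)):
        result = check(conf)
        print(f"== {label}: undefined macros = {result['undefined'] or 'none'}")
        for line in result["rules"]:
            print("  " + line)
```

Reading the expanded output is also the quickest way to see why the two `nat` rules are not interchangeable: the one on bge0 rewrites the jail's source to a public address, while the one on tap0 rewrites it to the VPN-local 10.0.0.29, which is the only source the far end of the tunnel will route back.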
From owner-freebsd-jail@FreeBSD.ORG Sat Apr 26 20:59:28 2008
From: Nicolas de Bari Embriz Garcia Rojas
To: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-jail@freebsd.org
Date: Sat, 26 Apr 2008 15:59:16 -0500
In-Reply-To: <48106D04.5040103@quip.cz>
Subject: Re: routing

I used your rules and it worked; it is just that, for an unknown reason, if
I restart the VPN on the master host it stops working. It also takes some
time to work. Any ideas?

regards

On Apr 24, 2008, at 6:20 AM, Miroslav Lachman wrote:
> Nicolas de Bari Embriz Garcia Rojas wrote:
>
>> In your example, what are the values for ext_addr_3 and ext_if?
>
> The server has an external interface bge0 (connected to the internet):
> ext_if="bge0"
> and 4 public IP addresses; $ext_addr_3 is one of them (dedicated to this
> jail's usage).
>
> [...]