From owner-freebsd-stable@FreeBSD.ORG Wed Jan 28 23:18:34 2009
Return-Path:
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3B9461065677 for ; Wed, 28 Jan 2009 23:18:34 +0000 (UTC) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (unknown [IPv6:2a01:170:102f::2]) by mx1.freebsd.org (Postfix) with ESMTP id B06698FC13 for ; Wed, 28 Jan 2009 23:18:33 +0000 (UTC) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (localhost [127.0.0.1]) by lurza.secnetix.de (8.14.3/8.14.3) with ESMTP id n0SNIVv4021936; Thu, 29 Jan 2009 00:18:31 +0100 (CET) (envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.14.3/8.14.3/Submit) id n0SNIVOd021935; Thu, 29 Jan 2009 00:18:31 +0100 (CET) (envelope-from olli)
Date: Thu, 29 Jan 2009 00:18:31 +0100 (CET)
Message-Id: <200901282318.n0SNIVOd021935@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG, marck@rinet.ru
In-Reply-To:
X-Newsgroups: list.freebsd-stable
User-Agent: tin/1.8.3-20070201 ("Scotasay") (UNIX) (FreeBSD/6.4-PRERELEASE-20080904 (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.1.2 (lurza.secnetix.de [127.0.0.1]); Thu, 29 Jan 2009 00:18:32 +0100 (CET)
Cc:
Subject: Re: jail: external and localhost distinction
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-stable@FreeBSD.ORG, marck@rinet.ru
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 28 Jan 2009 23:18:34 -0000

Dmitry Morozovsky wrote:

> am I right concluding that under FreeBSD jail there is no way to attach two
> processes to the same port of external interface address and localhost?

It depends.

Do those jailed processes have to communicate with each other, or only with the host system?

If they do _not_ have to communicate with each other, it's easy. You have to put the second jail on a localhost IP address (not necessarily 172.1; you can create an alias on lo0 like 127.2 or similar).

If they have to communicate with each other, it gets more complicated. If they need to communicate directly, you must put both jails on the same IP address, but then you cannot bind the processes to different IP addresses.

Note that localhost is not handled specially within jails: if you try to bind a process to a localhost IP, it is forced to bind to the jail's IP instead. That's what is causing your error message:

> [Thu Jan 29 00:09:32 2009] [crit] (48)Address already in use: make_sock: could
> not bind to address 127.0.0.1 port 80

If they do have to communicate with each other, but you need the jails to be on different IP addresses, there are several ways to solve the problem, but they all smell a bit like a dirty hack. One way (probably the easiest one) is to forward packets between the jails using IPFW "fwd" rules (or IPF ipnat "rdr" rules, or PF translation rules).

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry Court Munich, HRA 74606, Management: secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry Court München, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

I suggested holding a "Python Object Oriented Programming Seminar", but the acronym was unpopular. -- Joseph Strout
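The bind rewriting described in the reply (a loopback bind inside a jail lands on the jail's own IP, so two listeners that look distinct on paper can collide) can be checked before starting the daemons. The following pre-flight checker is an added example, not code from the thread or from FreeBSD; the jail names, the addresses 192.0.2.10 and 127.0.0.2, and the listener tuples are constructed sample input.

```python
import ipaddress
from collections import defaultdict

# Constructed sample layout: one jail on the host's external address, one on a
# loopback alias (an alias added to lo0 such as 127.0.0.2). None denotes the host.
JAILS = {"www": "192.0.2.10", "db": "127.0.0.2"}


def effective_bind(jail_ip, requested):
    """Address a listener actually claims after the jail's bind rewriting.

    Models the rule from the post: inside a jail, a bind to any loopback
    address (127/8) is forced onto the jail's own IP. Host processes
    (jail_ip is None) keep the address they asked for.
    """
    if jail_ip is None:
        return requested
    if ipaddress.ip_address(requested).is_loopback:
        return jail_ip
    return requested


def find_conflicts(jails, listeners):
    """Return [(addr, port, [owners])] for every socket claimed more than once.

    jails: {name: ip}; listeners: [(jail_name_or_None, bind_addr, port)].
    Two claims on one effective (addr, port) is exactly what yields
    "Address already in use" when the second daemon starts.
    """
    claims = defaultdict(list)
    for owner, bind_addr, port in listeners:
        jail_ip = None if owner is None else jails[owner]
        eff = effective_bind(jail_ip, bind_addr)
        claims[(eff, port)].append("host" if owner is None else owner)
    return sorted((a, p, o) for (a, p), o in claims.items() if len(o) > 1)


if __name__ == "__main__":
    # Apache in the "www" jail with Listen on both the external address and
    # 127.0.0.1: both binds collapse onto 192.0.2.10:80 and collide.
    broken = [("www", "192.0.2.10", 80), ("www", "127.0.0.1", 80)]
    print(find_conflicts(JAILS, broken))
    # Second listener moved into its own loopback-alias jail: no collision.
    fixed = [("www", "192.0.2.10", 80), ("db", "127.0.0.1", 80)]
    print(find_conflicts(JAILS, fixed))
```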