From owner-freebsd-jail@FreeBSD.ORG Mon Aug 31 11:07:10 2009
Date: Mon, 31 Aug 2009 11:07:09 GMT
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/133265  jail       [jail] is there a solution how to run nfs client in ja
o kern/119842  jail       [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail       [jail] [patch] fstat(1) according to specified jid
o bin/32828    jail       [jail] w(1) incorrectly handles stale utmp slots with

4 problems total.

From owner-freebsd-jail@FreeBSD.ORG Tue Sep 1 20:20:07 2009
Date: Tue, 1 Sep 2009 20:15:24 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Major Domo
Cc: freebsd-jail@FreeBSD.org, freebsd-stable@freebsd.org
Subject: Re: Not getting an IPv6 in a jail

On Tue, 1 Sep 2009, Major Domo wrote:

Hi,

> Apologies if this has been discussed already but I searched the web
> and the mailing lists and haven't found hints on my problem.
>
> I've got a jail, I assign it a set of IP addresses, and it just won't
> take the IP6 I give it.
>
>
> Uname:
> FreeBSD 7.2-STABLE
>
> jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
>
> jls -v:
>   JID  Hostname                      Path
>        Name                          State
>        CPUSetID
>        IP Address(es)
>    23  [snip]                        /var/jail/ns
>                                      ALIVE
>        2
>        192.168.0.252
>        fe80::c0a8:fc
>
>
> ifconfig lo252 from the host:
> lo252: flags=8049 metric 0 mtu 16384
>        inet 192.168.0.252 netmask 0xffffffff
>        inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
>
>
> ifconfig from the jail:
> re0: flags=8843 metric 0 mtu 1500
>        options=389b
>        ether 00:e0:f4:19:e9:d2
>        media: Ethernet autoselect (100baseTX )
>        status: active
> lo0: flags=8049 metric 0 mtu 16384
> pflog0: flags=141 metric 0 mtu 33204
> lo252: flags=8049 metric 0 mtu 16384
>        inet 192.168.0.252 netmask 0xffffffff

This is a rather special case.  For link-local addresses you have to
give the scope as well but it won't take the scope with the %lo252
notation but only in the KAME in-kernel syntax I would assume.
Can you try:

jail_ns_ip="192.168.0.252,fe80:5::c0a8:fc"

Note the added 5 in the second group of hex digits.  That five is the
interface index.  I took it from the "scopeid 0x5".
In case your interface index changes you will need to adjust the address.

I cannot say if it'll work but it would be worth a try.

/bz

-- 
Bjoern A. Zeeb           What was I talking about and who are you again?

From owner-freebsd-jail@FreeBSD.ORG Wed Sep 2 16:21:20 2009
Date: Wed, 2 Sep 2009 18:04:42 +0200
From: FLEURIOT Damien
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@FreeBSD.org, freebsd-stable@freebsd.org
Subject: Re: Not getting an IPv6 in a jail

On Tue, Sep 01, 2009 at 08:15:24PM +0000 or thereabouts, Bjoern A. Zeeb wrote:
> On Tue, 1 Sep 2009, Major Domo wrote:
>
> Hi,
>
> >Apologies if this has been discussed already but I searched the web
> >and the mailing lists and haven't found hints on my problem.
> >
> >I've got a jail, I assign it a set of IP addresses, and it just won't
> >take the IP6 I give it.
> >
> >
> >Uname:
> >FreeBSD 7.2-STABLE
> >
> >jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
> >
> >jls -v:
> >  JID  Hostname                      Path
> >       Name                          State
> >       CPUSetID
> >       IP Address(es)
> >   23  [snip]                        /var/jail/ns
> >                                     ALIVE
> >       2
> >       192.168.0.252
> >       fe80::c0a8:fc
> >
> >
> >ifconfig lo252 from the host:
> >lo252: flags=8049 metric 0 mtu 16384
> >       inet 192.168.0.252 netmask 0xffffffff
> >       inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
> >
> >
> >ifconfig from the jail:
> >re0: flags=8843 metric 0 mtu 1500
> >       options=389b
> >       ether 00:e0:f4:19:e9:d2
> >       media: Ethernet autoselect (100baseTX )
> >       status: active
> >lo0: flags=8049 metric 0 mtu 16384
> >pflog0: flags=141 metric 0 mtu 33204
> >lo252: flags=8049 metric 0 mtu 16384
> >       inet 192.168.0.252 netmask 0xffffffff
>
>
> This is a rather special case.  For link-local addresses you have to
> give the scope as well but it won't take the scope with the %lo252
> notation but only in the KAME in-kernel syntax I would assume.
> Can you try:
>
> jail_ns_ip="192.168.0.252,fe80:5::c0a8:fc"
>
> Note the added 5 in the second group of hex digits.  That five is the
> interface index.  I took it from the "scopeid 0x5". In case your
> interface index changes you will need to adjust the address.
>
> I cannot say if it'll work but it would be worth a try.
>
> /bz
>
> -- 
> Bjoern A. Zeeb           What was I talking about and who are you again?


Hi list, Bjoern, John,


I confirm it is now working with the following line in /etc/rc.conf:
jail_ns_ip="192.168.0.252,fec0:5::df:252"

along with redirections in /etc/pf.conf:
rdr pass log on $ext_if inet proto {tcp,udp} to $ext_if port 53 ->
$lo252_if port 53
rdr pass log on $ext_if inet6 proto {tcp,udp} to $ext_if port 53 ->
$lo252_if port 53


Notice the use of both the interface's index and a site-local ip6
address instead of the old fe80 as suggested.

BIND's now happily running in its jail and responding to public
queries.

Perhaps a small addition to the jails entry in the Handbook to
advise people about the use of IP6 addresses on loopback interfaces
would be warranted ?

I realize how lousy it is to NAT IP6 but my host assigns only 1
IP6 address per server.


Thanks for the help !

Regards

-- 
Damien

From owner-freebsd-jail@FreeBSD.ORG Wed Sep 2 16:36:08 2009
Date: Wed, 02 Sep 2009 09:09:17 -0700
From: Doug Barton
To: FLEURIOT Damien
Cc: "Bjoern A. Zeeb", freebsd-jail@FreeBSD.org, freebsd-stable@freebsd.org
Subject: Re: Not getting an IPv6 in a jail

FLEURIOT Damien wrote:

> BIND's now happily running in its jail and responding to public
> queries.

It's up to you if you choose to do it, but there is no reason to run
BIND in a jail. The chroot feature provided by default by rc.d/named
is quite adequate security.


Doug

-- 

    This .signature sanitized for your protection

From owner-freebsd-jail@FreeBSD.ORG Wed Sep 2 23:04:36 2009
Date: Thu, 03 Sep 2009 09:04:25 +1000
From: Mark Andrews
To: FLEURIOT Damien
Cc: "Bjoern A. Zeeb", freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: Not getting an IPv6 in a jail

In message <20090902160440.GA28417@sd-13813.dedibox.fr>, FLEURIOT Damien writes:
> On Tue, Sep 01, 2009 at 08:15:24PM +0000 or thereabouts, Bjoern A. Zeeb wrote:
> > On Tue, 1 Sep 2009, Major Domo wrote:
> >
> > Hi,
> >
> > >Apologies if this has been discussed already but I searched the web
> > >and the mailing lists and haven't found hints on my problem.
> > >
> > >I've got a jail, I assign it a set of IP addresses, and it just won't
> > >take the IP6 I give it.
> > >
> > >
> > >Uname:
> > >FreeBSD 7.2-STABLE
> > >
> > >jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
> > >
> > >jls -v:
> > >  JID  Hostname                      Path
> > >       Name                          State
> > >       CPUSetID
> > >       IP Address(es)
> > >   23  [snip]                        /var/jail/ns
> > >                                     ALIVE
> > >       2
> > >       192.168.0.252
> > >       fe80::c0a8:fc
> > >
> > >
> > >ifconfig lo252 from the host:
> > >lo252: flags=8049 metric 0 mtu 16384
> > >       inet 192.168.0.252 netmask 0xffffffff
> > >       inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
> > >
> > >
> > >ifconfig from the jail:
> > >re0: flags=8843 metric 0 mtu 1500
> > >       options=389b UCAST,WOL_MCAST,WOL_MAGIC>
> > >       ether 00:e0:f4:19:e9:d2
> > >       media: Ethernet autoselect (100baseTX )
> > >       status: active
> > >lo0: flags=8049 metric 0 mtu 16384
> > >pflog0: flags=141 metric 0 mtu 33204
> > >lo252: flags=8049 metric 0 mtu 16384
> > >       inet 192.168.0.252 netmask 0xffffffff
> >
> >
> > This is a rather special case.  For link-local addresses you have to
> > give the scope as well but it won't take the scope with the %lo252
> > notation but only in the KAME in-kernel syntax I would assume.
> > Can you try:
> >
> > jail_ns_ip="192.168.0.252,fe80:5::c0a8:fc"
> >
> > Note the added 5 in the second group of hex digits.  That five is the
> > interface index.  I took it from the "scopeid 0x5". In case your
> > interface index changes you will need to adjust the address.
> >
> > I cannot say if it'll work but it would be worth a try.
> >
> > /bz
> >
> > -- 
> > Bjoern A. Zeeb           What was I talking about and who are you again?
>
>
> Hi list, Bjoern, John,
>
>
> I confirm it is now working with the following line in /etc/rc.conf:
> jail_ns_ip="192.168.0.252,fec0:5::df:252"
>
> along with redirections in /etc/pf.conf:
> rdr pass log on $ext_if inet proto {tcp,udp} to $ext_if port 53 ->
> $lo252_if port 53
> rdr pass log on $ext_if inet6 proto {tcp,udp} to $ext_if port 53 ->
> $lo252_if port 53
>
>
> Notice the use of both the interface's index and a site-local ip6
> address instead of the old fe80 as suggested.
>
> BIND's now happily running in its jail and responding to public
> queries.
>
>
> Perhaps a small addition to the jails entry in the Handbook to
> advise people about the use of IP6 addresses on loopback interfaces
> would be warranted ?
>
> I realize how lousy it is to NAT IP6 but my host assigns only 1
> IP6 address per server.

Then complain.  There is no reason to be miserly with IPv6 addresses.

> Thanks for the help !
>
> Regards
>
> -- 
> Damien
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

From owner-freebsd-jail@FreeBSD.ORG Thu Sep 3 05:59:04 2009
Date: Thu, 3 Sep 2009 13:13:58 +0800
From: Mars G Miro
To: Mark Andrews, FLEURIOT Damien, "Bjoern A. Zeeb", freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: Not getting an IPv6 in a jail

On Thu, Sep 3, 2009 at 7:04 AM, Mark Andrews wrote:
>
> In message <20090902160440.GA28417@sd-13813.dedibox.fr>, FLEURIOT Damien writes:
>> On Tue, Sep 01, 2009 at 08:15:24PM +0000 or thereabouts, Bjoern A. Zeeb wrote:
>> > On Tue, 1 Sep 2009, Major Domo wrote:
>> >
>> > Hi,
>> >
>> > >Apologies if this has been discussed already but I searched the web
>> > >and the mailing lists and haven't found hints on my problem.
>> > >
>> > >I've got a jail, I assign it a set of IP addresses, and it just won't
>> > >take the IP6 I give it.
>> > >
>> > >
>> > >Uname:
>> > >FreeBSD 7.2-STABLE
>> > >
>> > >jail_ns_ip="192.168.0.252,fe80::c0a8:fc"
>> > >
>> > >jls -v:
>> > >  JID  Hostname                      Path
>> > >       Name                          State
>> > >       CPUSetID
>> > >       IP Address(es)
>> > >   23  [snip]                        /var/jail/ns
>> > >                                     ALIVE
>> > >       2
>> > >       192.168.0.252
>> > >       fe80::c0a8:fc
>> > >
>> > >
>> > >ifconfig lo252 from the host:
>> > >lo252: flags=8049 metric 0 mtu 16384
>> > >       inet 192.168.0.252 netmask 0xffffffff
>> > >       inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5
>> > >
>> > >
>> > >ifconfig from the jail:
>> > >re0: flags=8843 metric 0 mtu 1500
>> > >       options=389b> UCAST,WOL_MCAST,WOL_MAGIC>
>> > >       ether 00:e0:f4:19:e9:d2
>> > >       media: Ethernet autoselect (100baseTX )
>> > >       status: active
>> > >lo0: flags=8049 metric 0 mtu 16384
>> > >pflog0: flags=141 metric 0 mtu 33204
>> > >lo252: flags=8049 metric 0 mtu 16384
>> > >       inet 192.168.0.252 netmask 0xffffffff
>> >
>> >
>> > This is a rather special case.  For link-local addresses you have to
>> > give the scope as well but it won't take the scope with the %lo252
>> > notation but only in the KAME in-kernel syntax I would assume.
>> > Can you try:
>> >
>> > jail_ns_ip="192.168.0.252,fe80:5::c0a8:fc"
>> >
>> > Note the added 5 in the second group of hex digits.  That five is the
>> > interface index.  I took it from the "scopeid 0x5". In case your
>> > interface index changes you will need to adjust the address.
>> >
>> > I cannot say if it'll work but it would be worth a try.
>> >
>> > /bz
>> >
>> > --
>> > Bjoern A. Zeeb           What was I talking about and who are you again?
>>
>>
>> Hi list, Bjoern, John,
>>
>>
>> I confirm it is now working with the following line in /etc/rc.conf:
>> jail_ns_ip="192.168.0.252,fec0:5::df:252"
>>
>> along with redirections in /etc/pf.conf:
>> rdr pass log on $ext_if inet proto {tcp,udp} to $ext_if port 53 ->
>> $lo252_if port 53
>> rdr pass log on $ext_if inet6 proto {tcp,udp} to $ext_if port 53 ->
>> $lo252_if port 53
>>
>>
>> Notice the use of both the interface's index and a site-local ip6
>> address instead of the old fe80 as suggested.
>>
>> BIND's now happily running in its jail and responding to public
>> queries.
>>
>>
>> Perhaps a small addition to the jails entry in the Handbook to
>> advise people about the use of IP6 addresses on loopback interfaces
>> would be warranted ?
>>
>> I realize how lousy it is to NAT IP6 but my host assigns only 1
>> IP6 address per server.
>
> Then complain.  There is no reason to be miserly with IPv6 addresses.
>

True that. Or just sign up @HE.
They can give you up to 4 tunnels w/ a /64 and a /48 (if you opt) for
each of these 4 tunnels! All you hafta do is give them your contact
info and a public IPv4 and it doesn't hafta be static --- there are
tools to update their records..

>> Thanks for the help !
>>
>> Regards
>>
>> --
>> Damien
>> _______________________________________________
>> freebsd-stable@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>

-- 
cheers
mars

-----
Marie von Ebner-Eschenbach - "Even a stopped clock is right twice a day."
- http://www.brainyquote.com/quotes/authors/m/marie_von_ebnereschenbac.html

From owner-freebsd-jail@FreeBSD.ORG Thu Sep 3 12:21:40 2009
Date: Thu, 3 Sep 2009 08:08:07 -0400
From: John Baldwin
To: freebsd-stable@freebsd.org
Cc: "Bjoern A. Zeeb", FLEURIOT Damien, Doug Barton, freebsd-jail@freebsd.org
Subject: Re: Not getting an IPv6 in a jail

On Wednesday 02 September 2009 12:09:17 pm Doug Barton wrote:
> FLEURIOT Damien wrote:
>
> > BIND's now happily running in its jail and responding to public
> > queries.
>
> It's up to you if you choose to do it, but there is no reason to run
> BIND in a jail. The chroot feature provided by default by rc.d/named
> is quite adequate security.

That is debatable.  One of the chief benefits of a jail is that if a server is
compromised so that an attacker can gain root access that root access is
limited in what it can do compared to a simple chroot.  That is true for any
server you would run under a jail, not just BIND.

-- 
John Baldwin
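
The address rewrite Bjoern describes earlier in the thread (the "scopeid" from ifconfig moved into the second group of hex digits) is shown below as an added example; it is not part of any message in the thread. The function names are hypothetical, the sample line is the host-side ifconfig output quoted in the thread, and only link-local unicast addresses are handled.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Host-side ifconfig line as quoted in the thread (lo252, scopeid 0x5).
IFCONFIG_LINE = "inet6 fe80::c0a8:fc%lo252 prefixlen 128 scopeid 0x5"


def embed_scope(addr, ifindex):
    """Write ifindex into the second 16-bit group of a link-local address."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])  # drop any %ifname suffix
    if ip not in LINK_LOCAL:
        raise ValueError(f"{ip} is not link-local")
    if not 0 < ifindex <= 0xFFFF:
        raise ValueError("interface index must fit in 16 bits")
    raw = bytearray(ip.packed)
    if raw[2] or raw[3]:
        raise ValueError(f"{ip} already has a non-zero second group")
    raw[2:4] = ifindex.to_bytes(2, "big")
    return str(ipaddress.IPv6Address(bytes(raw)))


def split_scope(embedded):
    """Inverse of embed_scope: return (plain address, interface index)."""
    ip = ipaddress.IPv6Address(embedded)
    if ip not in LINK_LOCAL:
        raise ValueError(f"{ip} is not link-local")
    raw = bytearray(ip.packed)
    ifindex = int.from_bytes(raw[2:4], "big")
    raw[2:4] = b"\x00\x00"
    return str(ipaddress.IPv6Address(bytes(raw))), ifindex


def jail_ip_value(ipv4, inet6_line):
    """Build the jail_<name>_ip string from an 'inet6 ... scopeid 0xN' line."""
    m = re.search(
        r"inet6\s+([0-9a-fA-F:]+)(?:%\S+)?\s.*\bscopeid\s+(0x[0-9a-fA-F]+)",
        inet6_line,
    )
    if not m:
        raise ValueError("no scoped inet6 address on this line")
    return f"{ipv4},{embed_scope(m.group(1), int(m.group(2), 16))}"


def scope_is_current(embedded, current_ifindex):
    """True if the index baked into the address still matches the interface."""
    return split_scope(embedded)[1] == current_ifindex


if __name__ == "__main__":
    print(f'jail_ns_ip="{jail_ip_value("192.168.0.252", IFCONFIG_LINE)}"')
    # Constructed case: if lo252 were renumbered to index 7, the value is stale.
    print(scope_is_current("fe80:5::c0a8:fc", 7))
```

On the host, `socket.if_nametoindex("lo252")` gives the current index to pass to `scope_is_current`, which covers the caveat that the address must be adjusted when the interface index changes.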