From owner-freebsd-jail@FreeBSD.ORG Mon May 27 07:50:09 2013
Delivered-To: freebsd-jail@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 00595DE2; Mon, 27 May 2013 07:50:08 +0000 (UTC) (envelope-from gofj-freebsd-jail@m.gmane.org)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) by mx1.freebsd.org (Postfix) with ESMTP id B9309A22; Mon, 27 May 2013 07:50:08 +0000 (UTC)
Received: from list by plane.gmane.org with local (Exim 4.69) id 1UgsBv-0003Ld-8v for freebsd-jail@freebsd.org; Mon, 27 May 2013 09:50:03 +0200
Received: from 105-236-93-112.access.mtnbusiness.co.za ([105.236.93.112]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00; Mon, 27 May 2013 09:50:03 +0200
Received: from lists by 105-236-93-112.access.mtnbusiness.co.za with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00; Mon, 27 May 2013 09:50:03 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: freebsd-jail@freebsd.org
From: Mogamat Abrahams
Subject: Cant reach Jailed services from internet.
Date: Mon, 27 May 2013 07:45:06 +0000 (UTC)
Lines: 52
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: sea.gmane.org
User-Agent: Loom/3.14 (http://gmane.org/)
X-Loom-IP: 105.236.93.112 (Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31)
X-BeenThere: freebsd-jail@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Discussion about FreeBSD jail\(8\)"
X-List-Received-Date: Mon, 27 May 2013 07:50:09 -0000

Hi,

Got a 9.1 machine with two jails on it: webjail (IP=.79), mailjail (IP=.78).
I can reach the jailed services from the host, reach the jails from each other, reach the internet from the jails and host, reach the host from the internet, BUT I cannot reach the jails from the internet.

I've used EZJAIL to set these up and assigned a public IP address to the jails. These IPs are also aliased to the em0 interface of the host (perhaps this is a problem?). I am assuming that the jails inherit the routing of the host.

I've seen some posts stating that ports should be forwarded to the jails, but that would defeat the possibility of running duplicate services in separate jails on their own IPs, like having 3 WWW servers on one host, each in its own jail.

Some clues from the bigger brains would be appreciated :-)

M

====================
HOST ifconfig:

em0: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:30:48:b0:57:9b
        inet 67.205.xx.xx netmask 0xffffffe0 broadcast 67.205.74.63
        inet 174.xx.xx.76 netmask 0xfffffffc broadcast 174.x.x.79
        inet 174.xx.xx.79 netmask 0xfffffffc broadcast 174.x.x.79
        inet 174.xx.xx.77 netmask 0xfffffffc broadcast 174.x.x.79
        inet 174.xx.xx.78 netmask 0xfffffffc broadcast 174.x.x.79
        nd6 options=29
        media: Ethernet autoselect (100baseTX )
        status: active
------------
Jail ifconfig:

em0: flags=8843 metric 0 mtu 1500
        options=4219b
        ether 00:30:48:b0:57:9b
        inet 174.x.x.79 netmask 0xffffffff broadcast 174.x.x.79
        media: Ethernet autoselect (100baseTX )
        status: active
lo0: flags=8049 metric 0 mtu 16384
        options=600003

From owner-freebsd-jail@FreeBSD.ORG Mon May 27 11:06:49 2013
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Date: Mon, 27 May 2013 11:06:48 GMT
Message-Id: <201305271106.r4RB6mTh016063@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o bin/178302   jail  jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail  [jail] [panic] kernel panic when starting jails
o kern/176092  jail  [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail  [jail] jail should provide validator for jail names
o kern/174436  jail  [jail] Jails with numbers as names don't work
o bin/173469   jail  [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail  [jail] reading routing information does not work in ja
o bin/167911   jail  new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail  [jail] inter-jail communication failure
o kern/156111  jail  [jail] procstat -b not supported in jail
o misc/155765  jail  [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail  [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail  [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail  [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail  [jail] is there a solution how to run nfs client in ja
o kern/119842  jail  [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail  [jail] [patch] fstat(1) according to specified jid

17 problems total.
From owner-freebsd-jail@FreeBSD.ORG Mon May 27 11:08:25 2013
From: Thomas Steen Rasmussen
To: lists@tabits.co.za
Date: Mon, 27 May 2013 12:59:52 +0200
Message-ID: <51A33CA8.5090601@gibfest.dk>
Subject: Re: Cant reach Jailed services from internet.
Cc: freebsd-jail@freebsd.org

On 27-05-2013 09:45, Mogamat Abrahams wrote:
>         options=4219b IC,VLAN_HWTSO>
>         ether 00:30:48:b0:57:9b
>         inet 67.205.xx.xx netmask 0xffffffe0 broadcast 67.205.74.63
>         inet 174.xx.xx.76 netmask 0xfffffffc broadcast 174.x.x.79
>         inet 174.xx.xx.79 netmask 0xfffffffc broadcast 174.x.x.79
>         inet 174.xx.xx.77 netmask 0xfffffffc broadcast 174.x.x.79
>         inet 174.xx.xx.78 netmask 0xfffffffc broadcast 174.x.x.79
>         nd6 options=29
>         media: Ethernet autoselect (100baseTX )
>         status: active

Generally you should give the first IP in a subnet the real netmask, and the rest should be /32s.

Do you have a firewall enabled on this system?
/Thomas

From owner-freebsd-jail@FreeBSD.ORG Mon May 27 11:23:26 2013
From: "Mats A. Hansen"
To: freebsd-jail@freebsd.org
Date: Mon, 27 May 2013 13:18:00 +0200
Subject: Re: Cant reach Jailed services from internet.

On 2013-05-27 09:45, Mogamat Abrahams wrote:
> Hi,
>
> Got a 9.1 machine with two jails on it. webjail (IP=.79),
> mailjail(IP=.78).
> I can reach the jailed services from the host, reach the jails from each
> other, reach the internet from the jails and host, reach the host from the
> internet BUT I cannot reach the jails from the internet.
>
> I've used EZJAIL to set these up and assigned a public IP address to the
> jails. These IP's are also aliased to the em0 interface of the host(perhaps
> this is a problem?). I am assuming that the jails inherit the routing of the
> host.
>
> I've seen some posts stating that ports should be forwarded to the jails,
> but that would defeat the possibility of running duplicate services in
> separate jails on their own ips. Like have 3 WWW servers on one host, each
> in its own jail.
>
> Some clues from the bigger brains would be appreciated :-)
>
> M
>
> ====================
> HOST ifconfig:
>
> em0: flags=8843 metric 0 mtu 1500
>         options=4219b IC,VLAN_HWTSO>
>         ether 00:30:48:b0:57:9b
>         inet 67.205.xx.xx netmask 0xffffffe0 broadcast 67.205.74.63
>         inet 174.xx.xx.76 netmask 0xfffffffc broadcast 174.x.x.79
>         inet 174.xx.xx.79 netmask 0xfffffffc broadcast 174.x.x.79
>         inet 174.xx.xx.77 netmask 0xfffffffc broadcast 174.x.x.79
>         inet 174.xx.xx.78 netmask 0xfffffffc broadcast 174.x.x.79
>         nd6 options=29
>         media: Ethernet autoselect (100baseTX )
>         status: active
> ------------
> Jail ifconfig:
>
> em0: flags=8843 metric 0 mtu 1500
>         options=4219b IC,VLAN_HWTSO>
>         ether 00:30:48:b0:57:9b
>         inet 174.x.x.79 netmask 0xffffffff broadcast 174.x.x.79
>         media: Ethernet autoselect (100baseTX )
>         status: active
> lo0: flags=8049 metric 0 mtu 16384
>         options=600003

Hi

Any reason you are running your webjail on the broadcast IP for the subnet? IP range for your 0xfffffffc net would be (.77|.78).
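Mats's observation can be checked mechanically before any jail is started. The script below is an added example, not code posted by anyone in this thread: it expands the rc.conf(5) ipv4_addrs_<interface> range syntax ("a.b.c.d-e/len", one address per value of the last octet, all with the given prefix length), then classifies every resulting address as a host address or as the network or broadcast address of its prefix, and reports which jail addresses are unusable. 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation prefixes standing in for the elided 67.x.x.x and 174.x.x.x; the jail-to-address mapping is constructed sample input mirroring the first message (webjail on .79, mailjail on .78).

```python
"""Added example (not from the thread): check a shared-stack jail address plan.

Expands an rc.conf ipv4_addrs_<if> value such as
"192.0.2.57/27 198.51.100.76-79/30" into (address, prefix) pairs and tells,
for each jail, whether its address is an ordinary host address or the
network/broadcast address of its prefix.
"""
import ipaddress
import re

# rc.conf range syntax: "a.b.c.d/len" or "a.b.c.d-e/len" (d..e in the last octet).
_TOKEN = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)(?:-(\d+))?/(\d+)$")


def expand_ipv4_addrs(value):
    """Expand an ipv4_addrs_<if> string into a list of (IPv4Address, IPv4Network)."""
    pairs = []
    for token in value.split():
        m = _TOKEN.match(token)
        if not m:
            raise ValueError("unrecognised ipv4_addrs token: %r" % token)
        first3, lo, plen = m.group(1), int(m.group(2)), int(m.group(4))
        hi = int(m.group(3)) if m.group(3) is not None else lo
        for last in range(lo, hi + 1):
            addr = ipaddress.IPv4Address("%s%d" % (first3, last))
            # strict=False: the address need not be the network address itself.
            net = ipaddress.IPv4Network("%s/%d" % (addr, plen), strict=False)
            pairs.append((addr, net))
    return pairs


def classify(addr, net):
    """Return 'host', 'network' or 'broadcast' for addr within net.

    /31 and /32 prefixes have no network or broadcast address, so every
    address in them is a host address; that is why aliasing a /32 works
    where a /30 alias turns two of the four addresses into non-host ones.
    """
    if net.prefixlen >= 31:
        return "host"
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return "host"


def usable_hosts(net):
    """Number of host addresses in net: 2 for a /30, 6 for a /29."""
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def check_jails(ipv4_addrs, jails):
    """Map each jail name to 'ok' or the reason its address will not work."""
    configured = dict(expand_ipv4_addrs(ipv4_addrs))
    verdicts = {}
    for name, ip in jails.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in configured:
            verdicts[name] = "not configured on the interface"
            continue
        kind = classify(addr, configured[addr])
        if kind == "host":
            verdicts[name] = "ok"
        else:
            verdicts[name] = "unusable: %s address of %s" % (kind, configured[addr])
    return verdicts


# Constructed sample input: the host's rc.conf line with documentation prefixes,
# and the two jails from the first message (webjail on .79, mailjail on .78).
SAMPLE_IPV4_ADDRS = "192.0.2.57/27 198.51.100.76-79/30"
SAMPLE_JAILS = {"webjail": "198.51.100.79", "mailjail": "198.51.100.78"}

if __name__ == "__main__":
    for addr, net in expand_ipv4_addrs(SAMPLE_IPV4_ADDRS):
        print("%-16s %-18s %s" % (addr, net, classify(addr, net)))
    for name, verdict in check_jails(SAMPLE_IPV4_ADDRS, SAMPLE_JAILS).items():
        print("%-10s %s" % (name, verdict))
```

Run against the sample plan it lists 198.51.100.76 as the network address and 198.51.100.79 as the broadcast address of 198.51.100.76/30, so webjail is flagged and mailjail passes, and usable_hosts shows the 2 versus 6 difference between a /30 and a /29.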
From owner-freebsd-jail@FreeBSD.ORG Mon May 27 20:01:55 2013
From: Mogamat Abrahams
To: freebsd-jail@freebsd.org
Date: Mon, 27 May 2013 20:01:29 +0000 (UTC)
Subject: Re: Cant reach Jailed services from internet.

Mats A. Hansen writes:
> Any reason you are running your webjail on the broadcast IP for the
> subnet? IP range for your 0xfffffffc net would be (.77|.78).
Hi,

Thanks, however that's the info I got from the people providing the machine.

The host's rc.conf:

ipv4_addrs_em0="67.x.x.x/27 174.x.x.76-79/30"

Will try some of the other IPs and see how it goes.

M

From owner-freebsd-jail@FreeBSD.ORG Mon May 27 20:17:49 2013
From: Mogamat Abrahams
To: freebsd-jail@freebsd.org
Subject: Re: Cant reach Jailed services from internet.
Date: Mon, 27 May 2013 20:17:31 +0000 (UTC)
References: <51A33CA8.5090601@gibfest.dk>

Hi,

Thomas Steen Rasmussen writes:
> Generally you should give the first IP in a subnet the real netmask,
> and the rest should be /32s.

Config as received from colo provider. Will enquire with them.

> Do you have a firewall enabled on this system ?

Fresh install, no firewall activated.

Thanks,
M

From owner-freebsd-jail@FreeBSD.ORG Tue May 28 05:14:38 2013
From: Ian Smith
To: Mogamat Abrahams
Date: Tue, 28 May 2013 15:14:22 +1000 (EST)
Subject: Re: Cant reach Jailed services from internet.
Message-ID: <20130528145629.X55451@sola.nimnet.asn.au>
Cc: freebsd-jail@freebsd.org

On Mon, 27 May 2013 20:01:29 +0000, Mogamat Abrahams wrote:
> Mats A. Hansen writes:
>
> > Any reason you are running your webjail on the broadcast IP for the
> > subnet? IP range for your 0xfffffffc net would be (.77|.78).
>
> Hi,
>
> Thanks, however thats the info I got the from people providing the machine :

That's a worry .. you won't do any good trying to use the broadcast address. Mats is right, you only get 2 usable addresses with a /30.

> The hosts rc.conf:
>
> ipv4_addrs_em0="67.x.x.x/27 174.x.x.76-79/30"
>
> Will try some of the other ips and see how it goes.

If/when you're running a firewall, it's common to just drop any packets addressed to the network address (here .76) and broadcast address (.79) coming in from the outside.

Perhaps you need a /29, which would give you 6 usable addresses?
cheers, Ian

From owner-freebsd-jail@FreeBSD.ORG Tue May 28 08:07:29 2013
From: JÁKÓ András
To: Mogamat Abrahams, freebsd-jail@freebsd.org, Ian Smith
Date: Tue, 28 May 2013 10:07:19 +0200
Message-ID: <20130528080719.GA11195@eik.bme.hu>
In-Reply-To: <20130528145629.X55451@sola.nimnet.asn.au>
Organization: Budapest University of Technology and Economics - Division of Telecommunications and Informatics
Subject: Re: Cant reach Jailed services from internet.

> > > Any reason you are running your webjail on the broadcast IP for the
> > > subnet? IP range for your 0xfffffffc net would be (.77|.78).
> >
> > Hi,
> >
> > Thanks, however thats the info I got the from people providing the machine :
>
> That's a worry .. you won't do any good trying to use the broadcast
> address. Mats is right, you only get 2 usable addresses with a /30.

Assigning a /30 for four jails is perfectly valid, if it's an aggregate of four /32s. I would configure a static route on the default gateway for 174.x.x.76/30 -> 67.x.x.x, then on the host I'd assign the four /32s to lo1..lo4. Packets arrive at the jails because of the /30 static route in the neighbouring router, packets leave the jail because of the host's already existing default route, and of course traffic between the jails and the host is OK because the kernel knows its own interfaces. (Actually that's how I run my FreeBSD jails.)

> > The hosts rc.conf:
> >
> > ipv4_addrs_em0="67.x.x.x/27 174.x.x.76-79/30"

Regards,
András

From owner-freebsd-jail@FreeBSD.ORG Tue May 28 16:25:45 2013
From: Mogamat Abrahams
To: freebsd-jail@freebsd.org
Date: Tue, 28 May 2013 16:25:26 +0000 (UTC)
References: <20130528145629.X55451@sola.nimnet.asn.au> <20130528080719.GA11195@eik.bme.hu>
Subject: Re: Cant reach Jailed services from internet.

Hi

Thanks for the help thus far.

> of four /32s. I would configure a static route on the default gateway
> for 174.x.x.76/30 -> 67.x.x.x, then on the host I'd assign the four /32s
> to lo1..lo4.

From the internet I can reach services on the host which are bound to these addresses. Still no luck with the jails.... Is there anything else I can do to diagnose this?

> Packets arrive to the jails because of the /30 static route
> in the neighbouring router, packets leave the jail because of the host's
> already existing default route, and of course traffic between the jails
> and the host are OK because the kernel knows its own interfaces.
> (Actually that's how I run my FreeBSD jails.)

Talking about routes, I take it these are configured by the kernel?
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            67.x.x.33          UGS         0     2319    em0
67.x.x.32/27       link#1             U           0        0    em0
67.x.x.57          link#1             UHS         0        0    lo0
127.0.0.1          link#7             UH          0       94    lo0
174.x.x.76         link#1             UHS         0        0    lo0 =>
174.x.x.76/32      link#1             U           0        0    em0 =>
174.x.x.76/30      link#1             U           0        0    em0
174.x.x.77         link#1             UHS         0       28    lo0 =>
174.x.x.77/32      link#1             U           0        0    em0
174.x.x.78         link#1             UHS         0        0    lo0

---
jls:

   JID  IP Address      Hostname                      Path
     1  174.x.x.76      webhost                       /usr/jails/webhost
     2  174.x.x.77      openerp                       /usr/jails/openerp

From owner-freebsd-jail@FreeBSD.ORG Wed May 29 07:19:14 2013
From: Mogamat Abrahams
To: freebsd-jail@freebsd.org
Subject: Re: Cant reach Jailed services from internet.
Date: Wed, 29 May 2013 07:18:43 +0000 (UTC)
References: <20130528145629.X55451@sola.nimnet.asn.au> <20130528080719.GA11195@eik.bme.hu>

The plot thickens!

Running tcpdump on the host, I can see that the packets are received at the host on the IP address. Netstat on the host and jail also show services listening on those addresses on the correct ports. But for some reason the jails are not responding to the packets....... and tcpdump does not work inside jails. Are there any other tools that can be used to diagnose this?

Compiling a kernel with VIMAGE in the meantime, just in case...
M

From owner-freebsd-jail@FreeBSD.ORG Wed May 29 11:39:51 2013
From: "Mark Felder"
To: freebsd-jail@freebsd.org
Subject: Re: Cant reach Jailed services from internet.
Date: Wed, 29 May 2013 06:39:49 -0500
References: <20130528145629.X55451@sola.nimnet.asn.au> <20130528080719.GA11195@eik.bme.hu>

On Wed, 29 May 2013 02:18:43 -0500, Mogamat Abrahams wrote:
> Compiling a kernel a VIMAGE in the meantime, just in case...

VIMAGE is still considered experimental and may or may not cause you grief. I believe it has major issues with PF as well, unless some fixes made it into 9.1-RELEASE, which I don't believe they did. In fact, the fixes someone was working on might only be in HEAD. YMMV

From owner-freebsd-jail@FreeBSD.ORG Wed May 29 12:40:38 2013
From: Joe
To: Mogamat Abrahams
Date: Wed, 29 May 2013 08:40:35 -0400
Message-ID: <51A5F743.7080307@a1poweruser.com>
Subject: Re: Cant reach Jailed services from internet.
References: <20130528145629.X55451@sola.nimnet.asn.au> <20130528080719.GA11195@eik.bme.hu>
Cc: freebsd-jail@freebsd.org

Mogamat Abrahams wrote:
> The plot thickens!
>
> Running tcpdump on the host, I can see that the packets are received at the
> host on the ip address. Netstat on the host and jail also show services
> listening on those addresses on the correct ports.
> But for some reason the jails are not responding to the packets....... and
> tcpdump does not work inside jails. Are their any other tools that can be used
> to diagnose this?
>
> Compiling a kernel a VIMAGE in the meantime, just in case...
>

Do you have a gateway_enable="YES" statement in the host's rc.conf?

Is the jail's /etc/resolv.conf populated with the correct info?

You said "Netstat on the host and jail also show services listening on those addresses on the correct ports." If what you mean is the host has processes listening on the SAME IP address / ports as the jails are listening on, then your jails will never get any unsolicited traffic, because the host always gets access to that traffic first and processes it without the jail ever knowing about it.
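The four-/32s-on-loopback layout that András suggested earlier in the thread, written out as an rc.conf fragment. This is an added example and not configuration posted by anyone on the list: 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation prefixes standing in for the elided 67.x.x.x/27 and 174.x.x.76/30, and the router address, jail names, hostnames and paths are assumptions. The static route the layout depends on lives on the provider's router, not on this host, so it appears only as a comment.

```shell
# /etc/rc.conf fragment: /32-per-loopback addressing for shared-stack jails.
# Added example, not configuration from the thread. 192.0.2.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation prefixes standing in for the
# elided 67.x.x.x/27 and 174.x.x.76/30; router address, jail names, hostnames
# and paths are assumptions.

# Before (the provider-supplied line from the thread, with the prefixes
# substituted): all four addresses land on em0 with a /30 mask, which makes
# .76 the network address and .79 the broadcast address of that alias.
#   ipv4_addrs_em0="192.0.2.57/27 198.51.100.76-79/30"

# After: em0 carries only the host's own address, with the real /27 mask.
ifconfig_em0="inet 192.0.2.57 netmask 255.255.255.224"
defaultrouter="192.0.2.33"

# The upstream router (not this host) needs a static route for the /30 that
# points at the host's /27 address, i.e. 198.51.100.76/30 via 192.0.2.57.
# Inbound packets for the /32s below then reach the host over em0 and are
# accepted because the addresses are local; replies leave via defaultrouter.

# One cloned loopback per jail, each carrying exactly one /32. A /32 has no
# network or broadcast address, so all four addresses of the /30 are usable.
cloned_interfaces="lo1 lo2 lo3 lo4"
ifconfig_lo1="inet 198.51.100.76 netmask 255.255.255.255"
ifconfig_lo2="inet 198.51.100.77 netmask 255.255.255.255"
ifconfig_lo3="inet 198.51.100.78 netmask 255.255.255.255"
ifconfig_lo4="inet 198.51.100.79 netmask 255.255.255.255"

# rc.d/jail definitions. Each jail is pinned to one of the /32s above, so a
# daemon inside it can only bind that address; no interface is named in
# jail_<name>_ip because the address is already configured on lo1..lo4.
jail_enable="YES"
jail_list="webjail mailjail"

jail_webjail_rootdir="/usr/jails/webjail"
jail_webjail_hostname="webjail.example.org"
jail_webjail_ip="198.51.100.76"
jail_webjail_devfs_enable="YES"

jail_mailjail_rootdir="/usr/jails/mailjail"
jail_mailjail_hostname="mailjail.example.org"
jail_mailjail_ip="198.51.100.77"
jail_mailjail_devfs_enable="YES"
```

With this layout no address of the /30 is ever the broadcast or network address of an alias on the host, which is the condition that made .76 and .79 unusable in the original /30-on-em0 setup. After a reboot (or `service netif restart` followed by `service jail start`), `netstat -rn` should show each /32 as a host route on its lo interface and `jls` should list one of them per jail.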
From owner-freebsd-jail@FreeBSD.ORG Wed May 29 14:33:24 2013
From: Ian Smith
To: JÁKÓ András
Cc: freebsd-jail@freebsd.org, Mogamat Abrahams
Date: Thu, 30 May 2013 00:33:02 +1000 (EST)
Subject: Re: Cant reach Jailed services from internet.
Message-ID: <20130530002458.R55451@sola.nimnet.asn.au>
In-Reply-To: <20130528080719.GA11195@eik.bme.hu>
References: <20130528145629.X55451@sola.nimnet.asn.au> <20130528080719.GA11195@eik.bme.hu>

On Tue, 28 May 2013, JÁKÓ András wrote:

>> That's a worry .. you won't do any good trying to use the broadcast
>> address. Mats is right, you only get 2 usable addresses with a /30.
>
> Assigning a /30 for four jails is perfectly valid, if it's an
> aggregate of four /32s. I would configure a static route on the
> default gateway for 174.x.x.76/30 -> 67.x.x.x, then on the host I'd
> assign the four /32s to lo1..lo4. Packets arrive at the jails because
> of the /30 static route in the neighbouring router, packets leave the
> jail because of the host's already existing default route, and of
> course traffic between the jails and the host is OK because the
> kernel knows its own interfaces. (Actually that's how I run my
> FreeBSD jails.)
>
> Regards,
> András

Ok, thanks, that's interesting. Maybe I can squeeze more from my /29 ..

cheers, Ian

From owner-freebsd-jail@FreeBSD.ORG Thu May 30 12:51:21 2013
From: Mogamat Abrahams
To: freebsd-jail@freebsd.org
Subject: Re: Cant reach Jailed services from internet.
Date: Thu, 30 May 2013 12:50:56 +0000 (UTC)
References: <20130528145629.X55451@sola.nimnet.asn.au> <20130528080719.GA11195@eik.bme.hu> <51A5F743.7080307@a1poweruser.com>

> Do you have gateway_enable="YES" statement in the host's rc.conf?

Added it and no difference.

> Is the jails /etc/resolv.conf populated with the correct info?

Yes, name resolution works ok - I can reach out from the jail to other services on the internet.

> You said "Netstat on the host and jail also show services
> listening on those addresses on the correct ports."
>
> If what you mean is the host has processes listening on the SAME
> ip address / ports as the jails are listening on, then your jails
> will never get any unsolicited traffic because the host always gets
> access to that traffic first and processes it without the jail ever
> knowing about it.

I only have sshd configured on the host, and that on the 67. IP address. So I assume those listening ports are coming from the jail, as it's on the same IP and ports 80 and 81.

Any other suggestions?
M

From owner-freebsd-jail@FreeBSD.ORG Thu May 30 13:49:54 2013
From: Joe
To: Mogamat Abrahams
Cc: freebsd-jail@freebsd.org
Date: Thu, 30 May 2013 09:49:51 -0400
Subject: Re: Cant reach Jailed services from internet.
Message-ID: <51A758FF.4080402@a1poweruser.com>
References: <20130528145629.X55451@sola.nimnet.asn.au> <20130528080719.GA11195@eik.bme.hu> <51A5F743.7080307@a1poweruser.com>

Mogamat Abrahams wrote:

>> Do you have gateway_enable="YES" statement in the host's rc.conf?
>
> Added it and no difference.
>
>> Is the jails /etc/resolv.conf populated with the correct info?
>
> Yes, name resolution works ok - I can reach out from the jail to other
> services on the internet.
>
>> You said "Netstat on the host and jail also show services
>> listening on those addresses on the correct ports."
>>
>> If what you mean is the host has processes listening on the SAME
>> ip address / ports as the jails are listening on, then your jails
>> will never get any unsolicited traffic because the host always gets
>> access to that traffic first and processes it without the jail ever
>> knowing about it.
>
> I only have sshd configured on the host, that on the 67. ip address. So I
> assume those listening ports are coming from the jail as it's on the same IP
> and ports 80 and 81
>
> Any other suggestions?
>
> M

Let's find out about those jail IP addresses. You stated those IP addresses prefixed with 174 were provided by your colo provider. Questions to ask them:

Are those 174.x.x.x IP addresses provisioned, or, said a different way, are they true static IP addresses? Read up on the difference.

Your 67.205.xx.xx IP address looks like a dynamic IP address that you use DHCP to automatically obtain all the network configuration information needed by your host. Static IP addresses don't work that way. You have to manually configure the static network. If I remember correctly, for a block of 3 assignable IP addresses you need a block of 5 from your provider. The first and last IP address are used to config the network. Best you talk to your provider to find out how those IP addresses are configured at their end and how you should config them at your end.

You never said if you have a firewall on your host. The firewall rules may be dropping unsolicited inbound traffic for those 174 prefixed IP addresses. Try putting a pass all log from that NIC rule, or just a log all rule, or turn off the firewall altogether, and see what happens.

Verify your NAT is not trying to NAT unsolicited inbound traffic for those 174 prefixed IP addresses.
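The layout András describes, quoted in Ian Smith's message above (one static route for the /30 aggregate at the upstream router, each jail's /32 on its own lo1..lo4 on the host), and Joe's questions about how the 174 block is provisioned both come down to what the jail address block actually looks like. The script below is an added example, not code from the thread or from any participant: it computes the smallest aggregate covering a set of per-jail /32s, prints the static route the upstream router would need, and emits the matching rc.conf lines. The jail addresses and the host uplink address are constructed from the documentation ranges, since the thread masks its real 174.x.x.x and 67.x.x.x values.

```shell
#!/bin/sh
# Added example, not from the thread: given the per-jail /32 addresses, work out
# the smallest aggregate block the upstream router needs one static route for,
# and emit the rc.conf lines that put each /32 on its own cloned loopback
# (lo1, lo2, ...), the layout András describes. Addresses are constructed from
# the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.

# ip_to_int: dotted quad -> 32-bit integer (a subshell, so IFS is left untouched)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
)

# int_to_ip: 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# aggregate_prefix "ip ip ...": smallest CIDR block covering every address.
# The prefix is shortened only as far as needed, so four consecutive /32s on
# a 4-aligned boundary come back as a /30 (the case in the thread), while
# a badly aligned set is reported as the larger block it really needs.
aggregate_prefix() {
    len=32
    first=$(ip_to_int "${1%% *}")
    for ip in $1; do
        n=$(ip_to_int "$ip")
        while [ "$len" -gt 0 ]; do
            mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
            [ $(( n & mask )) -eq $(( first & mask )) ] && break
            len=$(( len - 1 ))
        done
    done
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    echo "$(int_to_ip $(( first & mask )))/$len"
}

# jail_rc_conf "ip ip ...": rc.conf lines for the host. Each jail address is a
# /32 on its own lo<N> and nothing is aliased onto the uplink, so the uplink
# only answers ARP for its own address; the router reaches the jail block
# through the static route instead.
jail_rc_conf() {
    i=1; ifaces=""
    for ip in $1; do
        ifaces="$ifaces${ifaces:+ }lo$i"
        i=$(( i + 1 ))
    done
    echo "cloned_interfaces=\"$ifaces\""
    i=1
    for ip in $1; do
        echo "ifconfig_lo$i=\"inet $ip/32\""
        i=$(( i + 1 ))
    done
}

JAIL_IPS="198.51.100.76 198.51.100.77 198.51.100.78 198.51.100.79"   # constructed
HOST_UPLINK_IP="203.0.113.10"                                        # constructed

echo "# static route the upstream router needs (next hop: the host's uplink address):"
echo "#   $(aggregate_prefix "$JAIL_IPS") -> $HOST_UPLINK_IP"
jail_rc_conf "$JAIL_IPS"
```

For the four constructed addresses the aggregate comes out as 198.51.100.76/30, which is the route the provider would have to point at the host's uplink address; the rc.conf output creates lo1..lo4 and assigns one /32 to each. Running the same function over a set that is not 4-aligned shows immediately why a /30 "for four jails" only works when it is an aggregate of the jails' /32s, as András puts it.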