From owner-freebsd-jail@FreeBSD.ORG Mon Jul 29 11:06:47 2013
Date: Mon, 29 Jul 2013 11:06:46 GMT
Message-Id: <201307291106.r6TB6kUg061807@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-jail@FreeBSD.org
Subject: Current problem reports assigned to freebsd-jail@FreeBSD.org
List-Id: "Discussion about FreeBSD jail(8)"

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.
S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/180067  jail   [jail] [patch] fix multicast support within jails
o bin/178302   jail   jail(8): unknown parameter: ip6.addr when kernel compi
o kern/176112  jail   [jail] [panic] kernel panic when starting jails
o kern/176092  jail   [jail] [panic] Starting a jail on my releng/9.1 kernel
o kern/174902  jail   [jail] jail should provide validator for jail names
o bin/173469   jail   [jail] regression: security.jail.sysvipc_allowed=1 no
o kern/169751  jail   [jail] reading routing information does not work in ja
o bin/167911   jail   new jail(8) problem with removal, ifconfg -alias and k
o kern/159918  jail   [jail] inter-jail communication failure
o kern/156111  jail   [jail] procstat -b not supported in jail
o misc/155765  jail   [patch] `buildworld' does not honors WITHOUT_JAIL
o conf/154246  jail   [jail] [patch] Bad symlink created if devfs mount poin
s conf/142972  jail   [jail] [patch] Support JAILv2 and vnet in rc.d/jail
o conf/141317  jail   [patch] uncorrect jail stop in /etc/rc.d/jail
o kern/133265  jail   [jail] is there a solution how to run nfs client in ja
o kern/119842  jail   [smbfs] [jail] "Bad address" with smbfs inside a jail
o bin/99566    jail   [jail] [patch] fstat(1) according to specified jid

17 problems total.
From: Ollivier Robert
Date: Mon, 29 Jul 2013 15:43:58 +0200
To: freebsd-jail@freebsd.org
Subject: jail design
Message-ID: <20130729134335.GD13529@roberto02-aw.erc.corp.eurocontrol.int>

Hello,

I have a new server I'm going to run all my services on (www, smtp/imap,
and so on). Running 9.2-BETA1, full ZFS-on-root.

What are the best practices about jails knowing that:
- I have only one IPv4
- I have a full /48 IPv6 to play with

I've looked at ezjail which is doing most of what I need but it does not
support ip4/ip6=inherit parameters (and no jail.conf support either) so my
networking setup is more complicated. All the other packages like qjail
have only limited ZFS support.

Do I need to set up pf to redirect all traffic in/out for specific ports to
my jails? Or do I try to shoehorn "inherit" into ezjail? Is inherit easier
to deal with? What are the security implications?

I need something as easy as ezjail or a way to tweak it, with
- one jail for smtp/imap
- one for www stuff, ideally one jail per hosted domain (using nginx)

I'm a jail newbie, in case you haven't found it already :)

Thanks,
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.net
In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/
From: wishmaster
Date: Mon, 29 Jul 2013 23:50:55 +0300
To: Ollivier Robert
Cc: freebsd-jail@freebsd.org
Subject: Re: jail design
In-Reply-To: <20130729134335.GD13529@roberto02-aw.erc.corp.eurocontrol.int>

--- Original message ---
From: "Ollivier Robert"
Date: 29 July 2013, 16:44:11

> Hello,
>
> I have a new server I'm going to run all my services on (www, smtp/imap,
> and so on). Running 9.2-BETA1, full ZFS-on-root.
>
> What is the best practices about jails knowing that:
> - I have only one IPv4
> - I have a full /48 IPv6 to play with
>
> I've looked at ezjail which is doing most of what I need but it does not
> support ip4/ip6=inherit parameters (and no jail.conf support either) so my
> networking setup is more complicated. All the other packages like qjail
> have only limited ZFS support.

ezjail is a good tool, but not suitable for vnet, so from my experience:

- I use a slightly patched ezjail to create the jail environment, update
  and so on. Also I have made 'newjail' suitable for login and network and
  have populated it with base packages like mc, perl and so on.
- I use jail2 from ports as the startup script, which reads configs from
  jail.conf, not from rc.conf.
- I use vnet jails which communicate with the world and each other via
  epair interfaces.
- As firewall: ipfw, disabled in each jail, but filtering on each epair*a
  interface. ipfw is configured with per-interface ACLs.

> Do I need to setup pf to redirect all traffic in/out for specific ports to
> my jails? Or do I try to shoehorn "inherit" into ezjail? Is inherit easier
> to deal with? What are the security implications?
>
> I need something as easy as ezjail or a way to tweek it, with
> - one jail for smtp/imap
> - one for www stuff, ideally one jail per hosted domain (using nginx)

Use nginx in a separate jail with virtual hosts. Why do you need vhost/jail?

> I'm a jail newbie, in case you haven't found it already :)
>
> Thanks,
>
> -- 
> Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.net
> In memoriam to Ondine, our 2nd child: http://ondine.keltia.net/

From: linimon@FreeBSD.org
Date: Tue, 30 Jul 2013 02:19:14 GMT
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-jail@FreeBSD.org
Subject: Re: kern/180916: [jail] [regression] jail startup is broken for 8.4 without INET6

Old Synopsis: [regression] jail startup is broken for 8.4 without INET6
New Synopsis: [jail] [regression] jail startup is broken for 8.4 without INET6

Responsible-Changed-From-To: freebsd-bugs->freebsd-jail
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Jul 30 02:18:58 UTC 2013
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=180916

From: Jeremie Le Hen
Date: Tue, 30 Jul 2013 23:38:04 +0200
To: Ollivier Robert
Cc: freebsd-jail@freebsd.org
Subject: Re: jail design
In-Reply-To: <20130729134335.GD13529@roberto02-aw.erc.corp.eurocontrol.int>

Hi Ollivier,

On Mon, Jul 29, 2013 at 03:43:58PM +0200, Ollivier Robert wrote:
> Hello,
>
> I have a new server I'm going to run all my services on (www, smtp/imap,
> and so on). Running 9.2-BETA1, full ZFS-on-root.
>
> What is the best practices about jails knowing that:
> - I have only one IPv4
> - I have a full /48 IPv6 to play with
>
> I've looked at ezjail which is doing most of what I need but it does not
> support ip4/ip6=inherit parameters (and no jail.conf support either) so my
> networking setup is more complicated. All the other packages like qjail
> have only limited ZFS support.
>
> Do I need to setup pf to redirect all traffic in/out for specific ports to
> my jails? Or do I try to shoehorn "inherit" into ezjail? Is inherit easier
> to deal with? What are the security implications?
>
> I need something as easy as ezjail or a way to tweek it, with
> - one jail for smtp/imap
> - one for www stuff, ideally one jail per hosted domain (using nginx)
>
> I'm a jail newbie, in case you haven't found it already :)

I've run services in jails for roughly a decade, always by hand. This is
not a big deal if you do it correctly because, well, you don't create jails
every day :). Especially with recent tools.

- First I started creating a jail for each service, sharing the host's
  directories like /lib, /bin, /usr/lib, /usr/share, ... with nullfs in
  each jail in order to save space.

- Then I found that it was painful because when I upgraded the host I had
  to upgrade all the jails at once. So I began to use the setup described
  in the handbook, section 16.6 [1]. Basically you create a base jail which
  is mounted r/o in each jail; all r/w directories are actually symlinks to
  a r/w space dedicated to the jail. This worked pretty well because when
  you want to upgrade your jail, you just create a new base jail and you
  progressively switch each jail to the new base, applying the upgrade
  procedure in each of them. At that time, every single service ran in its
  own jail. Jails were bound to 127.0.0.2, 127.0.0.3 and I used the right
  rdr rules on my public IP address.

- Finally as time goes on and my free time decreases, I switched to the
  current model where I have very few jails, based on security domains
  (what you describe makes sense: mail and web; you could also create one
  for shell access; honestly I don't advise multiplying jails, like one for
  each www domain, this is way too much administration overhead). These
  jails are full-fledged systems each on their own ZFS dataset. The very
  nice thing about that is that you can run a zfs send/receive every minute
  or so to back up your jails remotely, this is extremely efficient. Each
  jail is updated as if you had different servers, save the kernel of
  course. Besides, with pkgng and poudriere (kudos to the authors), this is
  extremely simple to upgrade.

Regarding IP addresses, I bought one IP address for each jail (Kimsufi/OVH
and Dedibox both provide this I think). The jail is simply brought up and
down along with the jail.

As you may have understood, I have a spare server which synchronizes the
jails very often. If the main server fails, I can just start them on the
backup one and perform an "IP failover" on my provider admin console.

As for firewalling, this is not rocket science. The only difference is that
you need to avoid using interfaces for filtering. You need to consider all
traffic to both go out and come in on the loopback interface successively.

Hope this helps.

Cheers,

[1] http://www.freebsd.org/doc/handbook/jails-application.html
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
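A worked version of the per-jail zfs send/receive sync that Jeremie describes, added here as an example and not code from the thread or from any poster. Its assumptions are mine: each jail is its own child dataset (e.g. zroot/jails/mail), the spare server is reachable over ssh as the host named in BACKUP_HOST, and sync snapshots are named sync-<UTC timestamp> so their names sort by time. The part that usually goes wrong in a minute-by-minute sync is the incremental base, so the script picks the newest snapshot present on both sides and falls back to a full send when the two sides share none, rather than failing once the replica has lost a snapshot.

```shell
#!/bin/sh
# Added example (not from the thread): incremental zfs send/receive of per-jail
# datasets to a spare server.  Assumptions (mine, not the poster's): jails are
# separate datasets, the spare server is reachable over ssh as $BACKUP_HOST, and
# sync snapshots are named sync-<UTC time> so lexical order is time order.

BACKUP_HOST="${BACKUP_HOST:-backup}"

# snapshot_names DATASET [SSH_HOST]: print the snapshot names (the part after "@")
# of DATASET, one per line, locally or on SSH_HOST.  Descendants are excluded (-d 1).
snapshot_names() {
    if [ -n "${2:-}" ]; then
        ssh "$2" zfs list -H -o name -t snapshot -d 1 "$1" 2>/dev/null
    else
        zfs list -H -o name -t snapshot -d 1 "$1" 2>/dev/null
    fi | sed -n 's/^[^@]*@//p'
}

# latest_common_snapshot LOCAL_NAMES REMOTE_NAMES: given two newline-separated
# lists of snapshot names, print the newest name present in both lists, or
# nothing if the two sides share no snapshot (then only a full send is possible).
latest_common_snapshot() {
    {
        printf '%s\n' "$1" | sed 's/^/L /'
        printf '%s\n' "$2" | sed 's/^/R /'
    } | awk '$2 != "" { side[$2] = side[$2] $1 }
        END {
            best = ""
            for (s in side)
                if (index(side[s], "L") && index(side[s], "R") && s > best) best = s
            print best
        }'
}

# plan_send DATASET LOCAL_NAMES REMOTE_NAMES NEW_SNAPSHOT: print the pipeline that
# ships DATASET@NEW_SNAPSHOT to the backup host: incremental from the newest
# common snapshot when one exists, otherwise a full send.  "receive -F" rolls the
# replica back to that common snapshot first, so nothing may write on the backup side.
plan_send() {
    base=$(latest_common_snapshot "$2" "$3")
    if [ -n "$base" ]; then
        printf 'zfs send -i @%s %s@%s | ssh %s zfs receive -F %s\n' \
            "$base" "$1" "$4" "$BACKUP_HOST" "$1"
    else
        printf 'zfs send %s@%s | ssh %s zfs receive -F %s\n' \
            "$1" "$4" "$BACKUP_HOST" "$1"
    fi
}

# sync_jail DATASET: snapshot the jail dataset and ship it.  Needs zfs(8) and ssh
# access to $BACKUP_HOST, so it only runs for datasets given on the command line.
sync_jail() {
    new="sync-$(date -u +%Y%m%dT%H%M%SZ)"
    local_names=$(snapshot_names "$1")
    remote_names=$(snapshot_names "$1" "$BACKUP_HOST")
    zfs snapshot "$1@$new" || return 1
    cmd=$(plan_send "$1" "$local_names" "$remote_names" "$new")
    echo "$cmd"
    eval "$cmd"
}

# Usage (e.g. from cron every few minutes):
#   sh sync-jails.sh zroot/jails/mail zroot/jails/www
for ds in "$@"; do
    sync_jail "$ds" || echo "sync of $ds failed" >&2
done
```

The script does not prune old sync snapshots; with a minute-by-minute cadence you want a separate job that keeps, say, the last day of them on both sides, and it must keep at least one snapshot that both sides share or the next run degrades to a full send.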
From: Ollivier Robert
Date: Wed, 31 Jul 2013 13:58:07 +0200
To: freebsd-jail@freebsd.org
Subject: IPv6 init issue
Message-ID: <20130731115807.GB85585@lonrach.local>

Hello,

I've configured several different jails to host my services and such (howto
to come soon, relating my experience) but I still have an IPv6
initialization issue. It happens with plain jail and using ezjail to start
jails.

lo0 has the various 127.0.1.x IPv4 addresses for IPv4 networking, using nat/rdr
bce1 has the various 2a01:240:fe5c:1::x IPv6 addresses

/etc/jail.conf
-----
# Typical static defaults:
# Use the rc scripts to start and stop jails.  Mount jail's /dev.
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
host.hostname = "$name.keltia.net";

mail {
    ip4.addr = lo0|127.0.1.3;
    ip6.addr = bce1|2a01:240:fe5c:1::3;
    path = "/jails/mail.keltia.net";
    mount.fstab = "/etc/fstab.mail_keltia_net";
    allow.raw_sockets = 1;
    command = "/usr/bin/login -f root";
}
-----

results in the following, preventing any services in /usr/local/etc/rc.d
from properly starting. If I log into the jail after init and run the
scripts manually, it works! Even the system sshd refuses to start.

host and basejail are 9.2-BETA1.

-----
1327 [13:50] root@centre:local/etc# jail -c mail
mail: created
/etc/rc: WARNING: $hostname is not set -- see rc.conf(5).
ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/dovecot
32-bit compatibility ldconfig path: /usr/lib32
Creating and/or trimming log files.
ln: /dev/log: Operation not permitted
Starting syslogd.
Clearing /tmp (X related).
Updating motd:.
Starting dovecot.
Error: bind(2a01:240:fe5c:1::3, 143) failed: Can't assign requested address
Error: service(imap-login): listen(2a01:240:fe5c:1::3, 143) failed: Can't assign requested address
Error: bind(2a01:240:fe5c:1::3, 993) failed: Can't assign requested address
Error: service(imap-login): listen(2a01:240:fe5c:1::3, 993) failed: Can't assign requested address
Fatal: Failed to start listeners
/etc/rc: WARNING: failed to start dovecot
postfix/postfix-script: starting the Postfix mail system
postfix/postfix-script: fatal: mail system startup failed
Starting sshd.
Starting cron.
Wed Jul 31 11:50:15 UTC 2013
Last login: Wed Jul 31 11:44:07 on pts/2
FreeBSD 9.2-BETA1 (DEDIBOX9) #2 r253554: Tue Jul 23 00:18:00 CEST 2013

Welcome to FreeBSD!
-- mail.keltia.net jail
root@mail:/root # logout
-----

Any idea?
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
In memoriam to Ondine : http://ondine.keltia.net/

From: Ollivier Robert
Date: Wed, 31 Jul 2013 16:10:07 +0200
To: freebsd-jail@freebsd.org
Subject: Re: IPv6 init issue
In-Reply-To: <20130731115807.GB85585@lonrach.local>

According to Ollivier Robert:
> Error: bind(2a01:240:fe5c:1::3, 143) failed: Can't assign requested address
> Error: service(imap-login): listen(2a01:240:fe5c:1::3, 143) failed: Can't assign requested address
> Error: bind(2a01:240:fe5c:1::3, 993) failed: Can't assign requested address
> Error: service(imap-login): listen(2a01:240:fe5c:1::3, 993) failed: Can't assign requested

Thanks to a friend of mine, using this in /etc/sysctl.conf for the host (or
setting it manually if you don't want to reboot, of course) fixed it:

## -- for jails
net.inet6.ip6.dad_count=0

I guess the killer thing was that the interface was too slow to come up due
to the DAD protocol. There I do not want to use DAD at all, I'm fixing all
jails' addresses automatically.

So now, I'm all set.
-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
In memoriam to Ondine : http://ondine.keltia.net/
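Setting net.inet6.ip6.dad_count=0 as above turns Duplicate Address Detection off for every address on the host, not only the jail ones. An alternative that keeps DAD, added here as an example and not code from the thread, is to make the jail start wait until its address has finished DAD: FreeBSD ifconfig(8) shows an address still under DAD with the `tentative` flag and a detected collision with `duplicated`, so the parser below reads that flag from captured output and a wrapper polls it before `jail -c`. The sample ifconfig output and the addresses in it are constructed for the example (the 2a01:240:fe5c:1:: prefix is the one from the report, 192.0.2.10 is a documentation address).

```shell
#!/bin/sh
# Added example, not from the thread: wait for Duplicate Address Detection (DAD)
# to finish on a jail's IPv6 address before starting the jail, instead of
# disabling DAD host-wide with net.inet6.ip6.dad_count=0.  Assumes FreeBSD
# ifconfig(8) output, where an "inet6" line carries "tentative" while DAD runs
# and "duplicated" if another node claimed the address.

# dad_state IFCONFIG_OUTPUT ADDRESS: classify ADDRESS in the captured output of
# "ifconfig <iface>" as one of: ok | tentative | duplicated | absent.
dad_state() {
    printf '%s\n' "$1" | awk -v a="$2" '
        $1 == "inet6" && $2 == a {
            st = "ok"
            for (i = 3; i <= NF; i++)
                if ($i == "tentative" || $i == "duplicated") st = $i
            print st; found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# wait_for_dad IFACE ADDRESS [SECONDS]: poll ifconfig(8) until ADDRESS on IFACE
# is usable.  Returns 0 when DAD has finished, 2 if the address is duplicated
# (do not start the jail: its daemons would bind an address another host owns),
# and 1 on timeout or when the address is not configured on IFACE at all.
wait_for_dad() {
    n=0; st=absent
    while [ "$n" -lt "${3:-10}" ]; do
        st=$(dad_state "$(ifconfig "$1" 2>/dev/null)" "$2")
        case $st in
            ok) return 0 ;;
            duplicated) echo "$2 on $1 is duplicated, refusing to start" >&2; return 2 ;;
        esac
        sleep 1; n=$((n + 1))
    done
    echo "gave up waiting for DAD on $2 ($1): last state $st" >&2
    return 1
}

# Constructed sample of "ifconfig bce1" on a host whose jail address is still in DAD.
SAMPLE_IFCONFIG='bce1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::1%bce1 prefixlen 64 scopeid 0x2
    inet6 2a01:240:fe5c:1::1 prefixlen 64
    inet6 2a01:240:fe5c:1::3 prefixlen 64 tentative
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# Usage: sh wait-dad.sh bce1 2a01:240:fe5c:1::3 10 && jail -c mail
if [ $# -ge 2 ]; then
    wait_for_dad "$@"
fi
```

With jail.conf the same check can be hooked in as an `exec.prestart` command for the jail, so the rc scripts inside the jail only run once the address is bindable; the `duplicated` branch is the one worth keeping even if DAD is otherwise considered a nuisance, because it is the only signal that a jail's fixed address has been claimed elsewhere on the segment.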
From: Josh Beard
Date: Wed, 31 Jul 2013 19:55:20 -0600
To: freebsd-jail@freebsd.org
Subject: Starting jail breaks routing / multi-network jail

Hello,

I posted this on forums.freebsd.org
(http://forums.freebsd.org/showthread.php?t=41135), but figured I may have
better luck here.

I'm trying to set up a host that will accommodate two networks for its
jails - with two NICs.

One of these NICs (igb0) is connected to our LAN and the other (igb1) is
connected to a public WAN switch.
For the WAN side, I'll actually have two different gateways with two
completely different sets of addresses due to IP exhaustion - same network,
however.

I'm not sure if the problem I'm having is a bug, a misconfiguration, or a
limitation. Whenever starting a test jail that has an address on the LAN
and one on the WAN, my host's routing gets changed and I'm unable to reach
the public address I have for the jail.

Here's a snip of what the host /etc/rc.conf looks like (addresses
obfuscated for privacy):

ifconfig_igb0="inet 172.30.112.196 netmask 255.255.240.0"
ifconfig_igb0_alias0="inet 172.30.112.192 netmask 255.255.240.0" # (I tried a recommended 255.255.255.255, too)

ifconfig_igb1="inet 96.2.192.A netmask 255.255.255.240 broadcast 96.2.192.BA"
ifconfig_igb1_alias0="inet 24.111.1.B netmask 255.255.255.240 broadcast 24.111.1.BB"

defaultrouter="24.111.1.BR"

I'm using ezjail and in the jail's config, I have:

export jail_jailedhost_ip="igb0|172.30.112.192,igb1|24.111.1.a"
export jail_jailedhost_fib="1"

Before starting the jail, I can ping any of the addresses in question.
After starting, the public addresses stop responding.
---------
default          24.111.1.b   UGS   0     4  igb1
24.111.1.x/28    link#3       U     0    43  igb1
24.111.1.a       link#3       UHS   0     0  lo0
(and the routes for the LAN)
---------
When I start the jail, my host's routes change:

---------
default          24.111.1.b   UGS   0   236  igb1
24.111.1.a       link#3       UHS   0     0  lo0 =>
24.111.1.a/32    link#3       U     0     0  igb1
(routes for the LAN - routes for each address /32)
---------
The broadcast for each interface also changes to its own address (/32).

I can "fix" this by doing this on the host system, but this isn't
desirable. If I have to, I guess I could have this executed on startup (but
cycling a jail will break the routing table again):

service netif restart
service routing restart
setfib 1 route add -host 24.111.1.BR -iface igb1
setfib 1 route add default 24.111.1.BR

I'm not sure where to go from here. I've tried using setfib to take care of
this (as you see there), but the results are the same.

TL;DR:
Starting a jail with a LAN and public address changes the host's routing
table and will not talk over the public network. Cycling the netif and
routing services resolves it.

Any insight? Anything is much appreciated.

Josh

From: Mark Felder
Date: Thu, 01 Aug 2013 06:48:20 -0500
To: freebsd-jail@freebsd.org
Subject: Re: Starting jail breaks routing / multi-network jail

On Wed, Jul 31, 2013, at 20:55, Josh Beard wrote:
>
> Starting a jail with a LAN and public address changes the host's routing
> table and will not talk over the public network. Cycling the netif and
> routing services resolves it.
>

I'm not aware of the routing issue you're describing. I had a need not too
long ago for a 32bit system to get migrated to 64bit, but first we needed
to run it in a 32bit jail while we formulated the plan. This server had
several NICs on different networks which were all passed to the jail. Many
were private, a couple were public. The routing itself worked fine; the
problem was that raw sockets always picked the first interface of the jail.
The most obvious breakage was ping. However, TCP and UDP worked fine to all
networks. This was 9.0-RELEASE at the time.

I do have a PR for my issue here:
http://www.freebsd.org/cgi/query-pr.cgi?pr=168678

Are you sure you aren't just running into that? Although, I really doubt
restarting routing would fix it, so you must be hitting another anomaly...
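A check that separates the two symptoms discussed above, added here as an example and not code from the thread or from either poster: the raw-socket problem in Mark's PR leaves the routing table alone, while the report pasted by Josh shows the interface route for the public /28 disappearing and a /32 taking its place. The script snapshots `netstat -rn` before and after `jail -c`, keeps only the connected-network routes (flag U with neither G nor H) and reports networks that vanished or were replaced by /32 routes. The sample tables are constructed to match the shape of the pasted output using documentation addresses; the interface-column detection and the `jail -c` wrapper are my assumptions about a FreeBSD 9 host.

```shell
#!/bin/sh
# Added example (not from the thread): detect a jail start that rewrites the
# host's connected-network routes, by diffing "netstat -rn" output taken before
# and after "jail -c".  Assumes FreeBSD netstat -rn layout (Destination Gateway
# Flags ... Netif); the interface column is located by name pattern so the
# Refs/Use columns of 9.x do not matter.

# connected_nets NETSTAT_OUTPUT: print "destination netif" for every route whose
# flags contain U but neither G (via a gateway) nor H (host route), i.e. the
# directly connected networks such as 203.0.113.0/28 on igb1.
connected_nets() {
    printf '%s\n' "$1" | awk '
        NF >= 3 && $3 ~ /U/ && $3 !~ /[GH]/ {
            netif = ""
            for (i = 4; i <= NF; i++) if ($i ~ /^[a-z]+[0-9]+$/) netif = $i
            print $1, netif
        }'
}

# route_regressions BEFORE AFTER: report connected networks that disappeared
# between the two snapshots and /32 "networks" that appeared, which is the
# pattern in the report (a /28 interface route replaced by a /32 one).
# Prints nothing when the connected routes are unchanged.
route_regressions() {
    before=$(connected_nets "$1")
    after=$(connected_nets "$2")
    printf '%s\n' "$before" | while read -r dest ifn; do
        [ -n "$dest" ] || continue
        printf '%s\n' "$after" | grep -qxF "$dest $ifn" || echo "lost $dest on $ifn"
    done
    printf '%s\n' "$after" | while read -r dest ifn; do
        case $dest in
            */32) printf '%s\n' "$before" | grep -qxF "$dest $ifn" \
                      || echo "new host-sized route $dest on $ifn" ;;
        esac
    done
}

# check_jail_start JAILNAME: start the jail and show what it did to the host's
# IPv4 routes.  Prefix netstat with "setfib N" to inspect a non-default FIB.
check_jail_start() {
    before=$(netstat -rn -f inet)
    jail -c "$1" || return 1
    after=$(netstat -rn -f inet)
    route_regressions "$before" "$after"
}

# Constructed samples shaped like the tables in the report (documentation addresses).
SAMPLE_BEFORE='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0        4   igb1
203.0.113.0/28     link#3             U           0       43   igb1
203.0.113.5        link#3             UHS         0        0    lo0
172.30.112.0/20    link#1             U           0       10   igb0'
SAMPLE_AFTER='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0      236   igb1
203.0.113.5        link#3             UHS         0        0    lo0 =>
203.0.113.5/32     link#3             U           0        0   igb1
172.30.112.0/20    link#1             U           0       10   igb0'

# Usage: sh check-jail-routes.sh jailedhost
if [ $# -eq 1 ]; then
    check_jail_start "$1"
fi
```

Run on the sample tables, `route_regressions` reports the lost 203.0.113.0/28 route on igb1 and the new 203.0.113.5/32 route that replaced it; an empty report after a real `jail -c` means the routing table is intact and the breakage is somewhere else, for instance in raw-socket interface selection.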
From owner-freebsd-jail@FreeBSD.ORG Fri Aug 2 13:05:37 2013
Message-ID: <51FBAE91.7030205@a1poweruser.com>
Date: Fri, 02 Aug 2013 09:05:21 -0400
From: Fbsd8
To: Josh Beard
Cc: freebsd-jail@freebsd.org
Subject: Re: Starting jail breaks routing / multi-network jail

Josh Beard wrote:
> Hello,
>
> I posted this on forums.freebsd.org (
> http://forums.freebsd.org/showthread.php?t=41135), but figured I may have
> better luck here.
>
> I'm trying to set up a host that will accommodate two networks for its jails
> - with two NICs.
>
> One of these NICs (igb0) is connected to our LAN and the other (igb1) is
> connected to a public WAN switch.
> For the WAN side, I'll actually have two different gateways with two
> completely different sets of addresses due to IP exhaustion - same network,
> however.
>
> I'm not sure if the problem I'm having is a bug, a misconfiguration, or a
> limitation. Whenever starting a test jail that has an address on the LAN
> and one on the WAN, my host's routing gets changed and I'm unable to reach
> the public address I have for the jail.
>
> Here's a snip of what the host /etc/rc.conf looks like (addresses
> obfuscated for privacy):
>
> ifconfig_igb0="inet 172.30.112.196 netmask 255.255.240.0"
> ifconfig_igb0_alias0="inet 172.30.112.192 netmask 255.255.240.0" # (I tried a recommended 255.255.255.255, too)
>
> ifconfig_igb1="inet 96.2.192.A netmask 255.255.255.240 broadcast 96.2.192.BA"
> ifconfig_igb1_alias0="inet 24.111.1.B netmask 255.255.255.240 broadcast 24.111.1.BB"
>
> defaultrouter="24.111.1.BR"
>
> I'm using ezjail and in the jail's config, I have:
>
> export jail_jailedhost_ip="igb0|172.30.112.192,igb1|24.111.1.a"
> export jail_jailedhost_fib="1"
>
> Before starting the jail, I can ping any of the addresses in question.
> After starting, the public addresses stop responding.
>
> ---------
> default            24.111.1.b    UGS    0      4    igb1
> 24.111.1.x/28      link#3        U      0     43    igb1
> 24.111.1.a         link#3        UHS    0      0    lo0
> (and the routes for the LAN)
> ---------
>
> When I start the jail, my host's routes change:
>
> ---------
> default            24.111.1.b    UGS    0    236    igb1
> 24.111.1.a         link#3        UHS    0      0    lo0 =>
> 24.111.1.a/32      link#3        U      0      0    igb1
> (routes for the LAN - routes for each address /32)
> ---------
>
> The broadcast for each interface also changes to its own address (/32).
>
> I can "fix" this by doing this on the host system, but this isn't
> desirable. If I have to, I guess I could have this executed on startup
> (but cycling a jail will break the routing table again):
>
> service netif restart
> service routing restart
> setfib 1 route add -host 24.111.1.BR -iface igb1
> setfib 1 route add default 24.111.1.BR
>
> I'm not sure where to go from here. I've tried using setfib to take care
> of this (as you see there), but the results are the same.
>
> TL;DR:
>
> Starting a jail with a LAN and public address changes the host's routing
> table and will not talk over the public network. Cycling the netif and
> routing services resolves it.
>
> Any insight? Anything is much appreciated.
>
> Josh

Let me start off by saying I am no network expert. This is my understanding of how jail works.

1. There are 2 ways to define jails: the legacy rc.d-script method, where the jail description parameters are in /etc/rc.conf, and the jail(8) method, which finally has all the bugs fixed in 9.2, where the jail description parameters are in /etc/jail.conf. These 2 methods can not be mixed together.

2. By design, normal jails defined using either method ONLY access a single NIC having a single or multiple IPv4/IPv6 IP address/addresses.

3. The only way to assign multiple NICs to a jail is by using the highly experimental vimage software, which has to be compiled into the host's kernel and limits the host to only using the IPFW firewall. PF and IPF firewalls on the host with vimage will cause a hang.

4. fibs are only configured on the host; it takes a boot option, or the kernel has to be recompiled, to increase the number of system fibs available to the host before you can assign a second one to a jail.

5. This is incorrect syntax:
   ip="igb0|172.30.112.192,igb1|24.111.1.a"
   should be
   ip="172.30.112.192,24.111.1.a"
   No NIC device name. Not issuing an error does not mean it's correct.
My jail system has 4 LAN-only jails that have outbound access to the public internet and 2 publicly accessible jails for my web and email servers, using the same publicly routable dynamic IPv4 address assigned by my ISP, without the need for special host firewall port redirection.

I use the qjail version 3.1 utility to admin my jail system. Due to the 9.2-BETA port freeze, qjail-3.2, which adds IPv6 support, has not been committed to the ports system yet.

The port make files can be downloaded from here: http://sourceforge.net/projects/qjail/files/Port%20make%20files/

Good luck.

From owner-freebsd-jail@FreeBSD.ORG Fri Aug 2 20:44:50 2013
In-Reply-To: <51FBAE91.7030205@a1poweruser.com>
Date: Fri, 2 Aug 2013 14:44:47 -0600
Subject: Re: Starting jail breaks routing / multi-network jail
From: Josh Beard
To: Fbsd8
Cc: freebsd-jail@freebsd.org

Thanks for the advice, but not totally correct.

On Fri, Aug 2, 2013 at 7:05 AM, Fbsd8 wrote:
> Josh Beard wrote:
>
>> Hello,
>>
>> I posted this on forums.freebsd.org (
>> http://forums.freebsd.org/showthread.php?t=41135),
>> but figured I may have better luck here.
>>
>> <--snipped-->
>
> Let me start off by saying I am no network expert. This is my understanding
> of how jail works.
>
> 1. There are 2 ways to define jails, the legacy rc.d-script method where
> the jail description parameters are in /etc/rc.conf and the jail(8) method
> that finally has all the bugs fixed in 9.2 where the jail description
> parameters are in /etc/jail.conf. These 2 methods can not be mixed together.
>
> 2. By design normal jails defined using either method ONLY access a
> single NIC having a single or multiple IPv4/IPv6 IP address/addresses.
>
> 3. The only way to assign multiple NICs to a jail is by using the highly
> experimental vimage software that has to be compiled into the host's kernel
> which limits the host to only using the IPFW firewall. PF and IPF firewalls on
> the host with vimage will cause a hang.
>

No - I'm using multiple NICs on my jails with different addresses without using vimage.

> 4. fibs are only configured on the host, it takes a boot option or the
> kernel has to be recompiled to increase the number of system fibs available
> to the host before you can assign a second one to a jail.
>
> 5. This is incorrect syntax
> ip="igb0|172.30.112.192,igb1|24.111.1.a"
> should be
> ip="172.30.112.192,24.111.1.a"
> No NIC device name. Not issuing an error does not mean it's correct.
>

That *does* work! Again, I'm using ezjail. Not sure how stock jail configuration is.

> My jail system has 4 LAN-only jails that have outbound access to the
> public internet and 2 publicly accessible jails for my web and email servers
> using the same publicly routable dynamic IPv4 address assigned by my ISP
> without the need for special host firewall port redirection.
>
> I use the qjail version 3.1 utility to admin my jail system.
> Due to the 9.2-BETA port freeze qjail-3.2 which adds IPv6 support has not
> been committed to the ports system yet.
>
> The port make files can be downloaded from here
> http://sourceforge.net/projects/qjail/files/Port%20make%20files/
>
> Good luck.
>

Thanks.
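The symptom Josh posted (the igb1 network route 24.111.1.x/28 vanishing after the jail starts, leaving only /32 interface routes) is easy to overlook in a long netstat -rn listing. Added example, not code from the thread, ezjail or qjail: a small Python checker that parses two netstat -rn snapshots and reports interfaces whose network prefix route was replaced by /32 interface routes. The sample tables are constructed, with 203.0.113.0/28 standing in for the obfuscated 24.111.1.x/28 network, and assume FreeBSD's Destination/Gateway/Flags/Refs/Use/Netif column order.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest flags netif")

# Constructed sample tables (not the poster's exact output): the host's public-side
# routes before and after a jail start; 203.0.113.5 stands for the jail's public IP.
BEFORE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.14       UGS         0        4   igb1
203.0.113.0/28     link#3             U           0       43   igb1
203.0.113.5        link#3             UHS         0        0   lo0
"""
AFTER = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.14       UGS         0      236   igb1
203.0.113.5        link#3             UHS         0        0   lo0 =>
203.0.113.5/32     link#3             U           0        0   igb1
"""

def parse_routes(text):
    """Parse netstat -rn style lines into Route tuples, skipping the header."""
    routes = []
    for line in text.splitlines():
        cols = [c for c in line.split() if c != "=>"]  # "=>" marks a duplicate key
        if len(cols) < 6 or cols[0] == "Destination":
            continue
        dest, flags, netif = cols[0], cols[2], cols[5]
        if dest == "default":
            dest = "0.0.0.0/0"
        # A bare address is a host route; strict=False keeps the host bits as given.
        routes.append(Route(ipaddress.ip_network(dest, strict=False), flags, netif))
    return routes

def find_collapsed_prefixes(before_text, after_text):
    """Return [(netif, prefix)] for interface network routes that are gone after
    the change while /32 interface routes inside them now sit on the same netif."""
    after = set(parse_routes(after_text))
    hits = []
    for r in parse_routes(before_text):
        if r in after or r.dest.prefixlen in (0, 32) or "U" not in r.flags:
            continue
        hosts = [a for a in after if a.netif == r.netif and a.dest.prefixlen == 32
                 and "H" not in a.flags and a.dest.subnet_of(r.dest)]
        if hosts:
            hits.append((r.netif, str(r.dest)))
    return sorted(hits)
```

Capture netstat -rn (or setfib N netstat -rn for each FIB in use) before and after starting the jail and feed the two captures to find_collapsed_prefixes; a non-empty result means the host lost a connected-network route, which matches the loss of reachability described above.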