From owner-freebsd-jail@freebsd.org Thu Jan 18 12:28:51 2018
From: Ole <ole@free.de>
To: freebsd-jail@freebsd.org
Date: Thu, 18 Jan 2018 13:23:04 +0100
Subject: Jails routing and localhost
Message-ID: <20180118132304.3455fa43.ole@free.de>

Hi,

I have some questions about how routing works for jails.

I have a FreeBSD 11.1 host in a datacenter, which has only a routed IP
and different /29 routed networks. The IP is set up as /32 and there is a
default route to the router of the datacenter:

#ifconfig em1
(...)
inet a.a.a.57 netmask 0xffffffff broadcast a.a.a.57
(...)

# netstat -rn
(...)
Destination        Gateway            Flags     Netif Expire
default            a.a.a.1            UGS         em1
(...)
If I create jails like

# ezjail-admin create somejail 'lo1|b.b.b.238,lo1|127.b.b.238'

everything is fine until some service in the jail tries to bind to
127.0.0.1, because it will bind to the public IP b.b.b.238.
The Handbook [1] tells:

"Inside a jail, access to the loopback address 127.0.0.1 is
redirected to the first IP address assigned to the jail."

If I change the order of the IP addresses the service will bind to
127.b.b.238. But inside the jail networking fails in a way that I can't
debug. I can connect from the outside via ssh but I can't connect from
the jail to an external server. I can't find any differences in the
routing table or ifconfig between both setups.

I also tried to use tap interfaces instead of lo, but it results in the
same.

I wonder how others solve this problem. I searched a lot, but couldn't
find a solution. Maybe you don't have a solution, but can give me a
hint to debug the problem. Thank you!

regards
Ole

[1] https://www.freebsd.org/doc/handbook/jails-ezjail.html
From owner-freebsd-jail@freebsd.org Thu Jan 18 19:03:34 2018
From: Luke Crooks <luke@solentwholesale.com>
To: Ole <ole@free.de>
Cc: freebsd-jail@freebsd.org
Date: Thu, 18 Jan 2018 19:03:32 +0000
Subject: Re: Jails routing and localhost
In-Reply-To: <20180118132304.3455fa43.ole@free.de>

Hi Ole,

I am by no means an expert, but to me I see your problem is here..

# ezjail-admin create somejail 'lo1|b.b.b.238,lo1|127.b.b.238'

You are binding the jail to the same network controller lo1.

Usually you would bind the jail like..

# ezjail-admin create somejail 'lo1|127.0.0.238, emX|10.1.1.238'

Where 10.1.1.0/24 is the subnet of your host, and you have free range on
the network and want to create the jail as a fully fledged host.

Seeing as you have only been assigned a /32 for your host, I would imagine
you would either need to possibly do something like...

# ezjail-admin create somejail 'lo1|127.0.0.238, lo0|127.0.0.237'

E.g. bind the jail loopback of lo1 to the host loopback lo0. But I have
never seen a configuration like yours using the same device twice, but I
could be totally wrong.
From owner-freebsd-jail@freebsd.org Thu Jan 18 19:37:58 2018
From: "Isaac (.ike) Levy" <ike@blackskyresearch.net>
To: freebsd-jail@freebsd.org
Date: Thu, 18 Jan 2018 14:32:06 -0500
Subject: Re: Jails routing and localhost
Message-Id: <1516303926.3867424.1240160096.44CF04A6@webmail.messagingengine.com>
In-Reply-To: <20180118132304.3455fa43.ole@free.de>

Hi Ole,
I cannot comment on ezjail specifics, but can add notes on how jails
fundamentally handle localhost, which may help you.

On Thu, Jan 18, 2018, at 7:23 AM, Ole wrote:
> Hi,
>
> I have some questions about how routing works for jails.
>
> I have a FreeBSD 11.1 host in a datacenter, which has only a routed IP
> and different /29 routed networks. The IP is set up as /32 and there is a
> default route to the router of the datacenter:
>
> #ifconfig em1
> (...)
> inet a.a.a.57 netmask 0xffffffff broadcast a.a.a.57
> (...)
>
> # netstat -rn
> (...)
> Destination        Gateway            Flags     Netif Expire
> default            a.a.a.1            UGS         em1
> (...)
>
> If I create jails like
>
> # ezjail-admin create somejail 'lo1|b.b.b.238,lo1|127.b.b.238'
>
> everything is fine until some service in the jail tries to bind to
> 127.0.0.1, because it will bind to the public IP b.b.b.238.
> The Handbook [1] tells:
>
> "Inside a jail, access to the loopback address 127.0.0.1 is
> redirected to the first IP address assigned to the jail."

Right, so if you don't assign a loopback address at all, loopback will
use the first IP assigned to the host (another response in this thread).

Because your hardware host has the 127.0.0.1 address, if you were to
assign it to jails, that would mean all jails would all be communicating
using it, which would be bad (I'm not sure if it even works or if jail(2)
prevents it from working).

RFC 3330 tells us, http://www.ietf.org/rfc/rfc3330.txt

   127.0.0.0/8 - This block is assigned for use as the Internet host
   loopback address. A datagram sent by a higher level protocol to an
   address anywhere within this block should loop back inside the host.
   This is ordinarily implemented using only 127.0.0.1/32 for loopback,
   but no addresses within this block should ever appear on any network
   anywhere [RFC1700, page 5].
So, here's what I've been doing for many years:

- Add another 127.x.x.x address to lo0 on your hardware host (I typically
  match the last octets to the public address I'm using, just my way of
  keeping track of things); for example, this IPv4 address could look
  like "127.4.4.4/32". You can add these single /32 addresses right to
  the lo0 interface on the host machine.

- Start your jail, first binding "127.4.4.4/32" to it as one of the IP
  interfaces; follow with your other IPs.

- In your jail, edit /etc/resolv.conf so that the 'localhost' entry
  matches your IP above, "127.4.4.4".

Voilà, you now have localhost!

--

This process is quite counter-intuitive, since who ever really thinks
about 127.0.0.0/8 as an actual netblock? (Since "no addresses within
this block should ever appear on any network anywhere [RFC1700, page
5].")

The same principle applies to IPv6 localhost in jails.

> If I change the order of the IP addresses the service will bind to
> 127.b.b.238. But inside the jail networking fails in a way that I can't
> debug. I can connect from the outside via ssh but I can't connect from
> the jail to an external server. I can't find any differences in the
> routing table or ifconfig between both setups.

From what you wrote above, I agree with the other person who responded:
it may be the order in which you specify interfaces (or how ezjail does).
Or, it may be that you're not making the localhost address a /32 to
isolate it.

--

One more caveat: bad software :)

I've seen plenty of fine software which follows very bad form and
hardcodes 127.0.0.1 instead of calling 'localhost' for various
operations. Simple answer here: file a bug and point to internet RFCs if
it is 3rd party software, or go have a chat with your colleagues if the
software is in-house.

> I also tried to use tap interfaces instead of lo, but it results in the
> same.
(From a practical security perspective, I've wondered for years if making
abstracted interfaces for each localhost in each jail had any advantages,
but that's a tangent here.)

> I wonder how others solve this problem. I searched a lot, but couldn't
> find a solution. Maybe you don't have a solution, but can give me a
> hint to debug the problem. Thank you!

Hope this helps, tell us how it goes!

Best,
.ike
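An sh helper, added here as an editor's example and not code from the thread, that encodes the Handbook rule Ole quotes (127.0.0.1 goes to the first address assigned to the jail) and .ike's per-jail /32 loopback recipe: it reports which address a jail will see as localhost for an ezjail or jail.conf address list, checks that it sits inside 127.0.0.0/8, and prints the host rc.conf alias and jail.conf entry for the recipe. The names somejail and em1, the public address 203.0.113.238 and the use of the jail's /etc/hosts for the localhost name are this block's assumptions.

```shell
#!/bin/sh
# Editor-added example, not code from the thread. It encodes two things the
# thread states: jail(8) redirects 127.0.0.1 to the FIRST address assigned to
# the jail, and .ike's recipe of giving each jail its own /32 from 127.0.0.0/8
# on lo0, listed first. Names (somejail, em1) and the public address
# 203.0.113.238 are constructed placeholders.

# first_addr LIST: print the first entry of an address list, accepting both
# ezjail's 'iface|addr,iface|addr' form and jail.conf's ip4.addr form, with
# any 'iface|' prefix and '/prefixlen' suffix stripped.
first_addr() {
    printf '%s\n' "$1" | cut -d, -f1 |
        sed -e 's/^[[:space:]]*//' -e 's/^[^|]*|//' -e 's#/.*##'
}

# jail_localhost LIST: the address a service inside the jail actually gets
# when it binds to 127.0.0.1 (the Handbook rule quoted in the thread).
jail_localhost() {
    first_addr "$1"
}

# loopback_isolated LIST: succeed only when the jail's effective localhost is
# inside 127.0.0.0/8, i.e. a bind to 127.0.0.1 cannot land on the public
# address (the exposure Ole described). Fails for the original ordering.
loopback_isolated() {
    case "$(first_addr "$1")" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# loopback_for PUBLIC: derive the jail's private loopback address by keeping
# the last three octets of its public address, the bookkeeping .ike uses
# (203.0.113.238 -> 127.0.113.238).
loopback_for() {
    printf '127.%s\n' "${1#*.}"
}

# gen_jail_conf NAME PUBLIC IFACE: print the host rc.conf(5) alias and a
# jail.conf(5) entry implementing the recipe. The /32 loopback goes on lo0
# and is listed first in ip4.addr so it becomes the jail's localhost; the
# 'iface|addr/prefix' element syntax is jail(8)'s. The jail's /etc/hosts
# line for 'localhost' is this block's choice of where the name is mapped.
gen_jail_conf() {
    name=$1; pub=$2; iface=$3
    lo=$(loopback_for "$pub")
    printf '# host /etc/rc.conf\n'
    printf 'ifconfig_lo0_alias0="inet %s netmask 255.255.255.255"\n' "$lo"
    printf '# host /etc/jail.conf\n'
    printf '%s {\n\tip4.addr = "lo0|%s/32, %s|%s/32";\n}\n' "$name" "$lo" "$iface" "$pub"
    printf '# jail /etc/hosts\n%s\tlocalhost\n' "$lo"
}

# Demonstration on the two orderings from the original post plus the recipe.
demo() {
    for list in 'lo1|b.b.b.238,lo1|127.b.b.238' 'lo1|127.b.b.238,lo1|b.b.b.238'; do
        if loopback_isolated "$list"; then verdict=isolated; else verdict=EXPOSED; fi
        printf '%-40s localhost=%-14s %s\n' "$list" "$(jail_localhost "$list")" "$verdict"
    done
    gen_jail_conf somejail 203.0.113.238 em1
}

demo
```

The first ordering prints EXPOSED (localhost=b.b.b.238), the second prints isolated; the generated entry is what the recipe asks for without touching the host's own 127.0.0.1.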
From owner-freebsd-jail@freebsd.org Thu Jan 18 23:39:18 2018
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: ole@free.de
Cc: "Isaac (.ike) Levy" <ike@blackskyresearch.net>, freebsd-jail@freebsd.org, luke@solentwholesale.com
Date: Fri, 19 Jan 2018 10:36:43 +1100
Subject: Re: Jails routing and localhost
Message-ID: <1c753990-e148-cfc9-4a82-997564ceff57@heuristicsystems.com.au>
In-Reply-To: <1516303926.3867424.1240160096.44CF04A6@webmail.messagingengine.com>

From owner-freebsd-jail@freebsd.org Thu Jan 18 23:52:25 2018
From: Dan Langille <dan@langille.org>
Cc: freebsd-jail@freebsd.org
Date: Thu, 18 Jan 2018 18:45:15 -0500
Subject: Re: Jails routing and localhost
In-Reply-To: <1516303926.3867424.1240160096.44CF04A6@webmail.messagingengine.com>
References: <20180118132304.3455fa43.ole@free.de> <1516303926.3867424.1240160096.44CF04A6@webmail.messagingengine.com>
To: "Isaac (.ike) Levy" <ike@blackskyresearch.net>

> On Jan 18, 2018, at 2:32 PM, Isaac (.ike) Levy <ike@blackskyresearch.net> wrote:
>
> Hi Ole,
>
> I cannot comment on ezjail specifics, but can add notes on how jails
> fundamentally handle localhost, which may help you.
>
> Right, so if you don't assign a loopback address at all, loopback will
> use the first IP assigned to the host (another response in this thread).
>
> Because your hardware host has the 127.0.0.1 address, if you were to
> assign it to jails, that would mean all jails would all be communicating
> using it, which would be bad (I'm not sure if it even works or if
> jail(2) prevents it from working).
>
> RFC 3330 tells us, http://www.ietf.org/rfc/rfc3330.txt
>
>    127.0.0.0/8 - This block is assigned for use as the Internet host
>    loopback address. A datagram sent by a higher level protocol to an
>    address anywhere within this block should loop back inside the host.
>    This is ordinarily implemented using only 127.0.0.1/32 for loopback,
>    but no addresses within this block should ever appear on any network
>    anywhere [RFC1700, page 5].
>
> So, here's what I've been doing for many years:
>
> - Add another 127.x.x.x address to lo0 on your hardware host (I
>   typically match the last octets to the public address I'm using, just
>   my way of keeping track of things); for example, this IPv4 address
>   could look like "127.4.4.4/32". You can add these single /32 addresses
>   right to the lo0 interface on the host machine.

I do similar, except *sometimes* I create lo1 and assign those addresses
there.

I use this approach on jails with no public presence (e.g. database
server).

--
Dan Langille - BSDCan / PGCon
dan@langille.org

From owner-freebsd-jail@freebsd.org Fri Jan 19 03:16:53 2018
From: Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au>
To: freebsd-jail@freebsd.org
Date: Fri, 19 Jan 2018 14:13:19 +1100
Subject: Minimal devices in a jail
Message-ID: <256cee44-ee74-8d09-8048-a9e8463764e0@heuristicsystems.com.au>

While attempting to find a functional jail with the smallest number of
devices, I was surprised that a jail with only

jail3# ls /dev/
crypto  null    random  urandom zero

was actually functional. (I expected it to require /dev/{stdin, stdout,
stderr, fs*}.)

From the base system, I start "jexec jail3 tcsh", and when that started,

jail3# fstat
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     fstat      40606 text /bj      12241168 -r-xr-xr-x   18360  r
root     fstat      40606 ctty /bj         235 crw--w----   pts/4 rw
root     fstat      40606   wd /        7384356 drwxr-xr-x    1024  r
root     fstat      40606 root /        7384356 drwxr-xr-x    1024  r
root     fstat      40606 jail /        7384356 drwxr-xr-x    1024  r
root     fstat      40606    0 /           235 crw--w----   pts/4 rw
root     fstat      40606    1 /           235 crw--w----   pts/4 rw
root     fstat      40606    2 /           235 crw--w----   pts/4 rw
root     fstat      40606    3 /        7389794 -rw-------   40960  r
sh ...
tcsh...
So after some further testing it appears to use std{in,out,err} and
multiple file descriptors and, well, is functional. Is something causing
the jail to inherit std{in,out,err} functionality? If there is, are there
others? And the pts device seems to be inherited from the parent/base
jail, even though there is no /dev/pts in the jail?

This is on FreeBSD 11.1-STABLE r327954M amd64 1101506 1101506, with an
/etc/jail.conf entry that reads:

b6 {
    persist;
    ip4.addr = "10.0.7.96,10.0.5.126";
    devfs_ruleset = "4";
}

(My intent is for a teeny jail to start, run a script (PKI key generation
stuff) then terminate; and yes, the base system only starts jails and runs
ntp in a chroot.)

Kind regards, Dewayne.

From owner-freebsd-jail@freebsd.org Fri Jan 19 12:12:23 2018
From: Ole <ole@free.de>
To: Luke Crooks <luke@solentwholesale.com>
Cc: freebsd-jail@freebsd.org
Date: Fri, 19 Jan 2018 13:12:16 +0100
Subject: Re: Jails routing and localhost
Message-ID: <20180119131216.2412f876.ole@free.de>
References: <20180118132304.3455fa43.ole@free.de>
jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Jan 2018 12:12:24 -0000 --Sig_/_tmYluZFwVJ=ODvyWTXk=Dw Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Hi Luke, Thu, 18 Jan 2018 19:03:32 +0000 - Luke Crooks : > Hi Ole, >=20 > I am by no means an expert, but to me I see your problem is here.. >=20 >=20 > # ezjail-admin create somejail 'lo1|b.b.b.238,lo1|127.b.b.238' >=20 > You are binding the jail to the same network controller lo1. >=20 > Usually you would bind the jail like.. >=20 > # ezjail-admin create somejail 'lo1|127.0.0.238, emX|10.1.1.238' If I do this (and ad first I tried exactly this) the networking on the host system will fail a few minutes after the jail start. And I have no remote connection to the Server. So I only can do a hard reset. I don't know why this happens. At the moment I only have production Servers in this datacenter, so I can't play with them to reproduce. But I will organize another and report here. Usually I have Servers with a public IP in a /24 Layer2 network. Then=20 # ezjail-admin create somejail 'lo1|127.b.b.238, emX|b.b.b.238' woks fine. =20 > Where 10.1.1.0/24 is your subnet of your host. And you have free > range on the network and want to create the jail as a fully fledged > host. >=20 > Seeing as you have only been assigned a /32 for your host. I would > imagine you would either need to possibly do something like... >=20 > # ezjail-admin create somejail 'lo1|127.0.0.238, lo0|127. 0.0.237' >=20 > E.g bind the jail loopback of lo1 to the host loopback lo0. But I have > never seen a configuration like yours using the same device twice, > but I could be totally wrong. But then I also have to set a static route like # route add b.b.b.238 127. 0.0.237 to reach the server with the public IP? 
Thank you all for your replies

Ole

From owner-freebsd-jail@freebsd.org Fri Jan 19 12:31:11 2018
From: Ole
To: Dewayne Geraghty
Cc: "Isaac (.ike) Levy" , freebsd-jail@freebsd.org, luke@solentwholesale.com
Subject: Re: Jails routing and localhost
Date: Fri, 19 Jan 2018 13:30:59 +0100
Message-ID: <20180119133059.33f5bcf6.ole@free.de>
In-Reply-To: <1c753990-e148-cfc9-4a82-997564ceff57@heuristicsystems.com.au>
References: <20180118132304.3455fa43.ole@free.de> <1516303926.3867424.1240160096.44CF04A6@webmail.messagingengine.com> <1c753990-e148-cfc9-4a82-997564ceff57@heuristicsystems.com.au>

Hi Dewayne,

Fri, 19 Jan 2018 10:36:43 +1100 - Dewayne Geraghty :

> If you're paranoid, I also add a firewall rule to restrict traffic
> from/to specific ports and IP's over lo0. If you have anything
> sensitive you might also consider this restriction. Though I would
> recommend using "tcpdump -ni $INTERFACE" to learn how jails and
> routing works in your environment. I was surprised to observe: when
> two jails are assigned IP's on their external interface the traffic
> between, expecting to use their external interfaces, traverses lo0.

Until now I thought that jails with two different /32 loopback addresses could not communicate over loopback, because it is /32. But you are right. I need a firewall rule to block traffic between the jails.

> PS Sadly there are many examples of ports using 127.0.0.1 instead of
> localhost, there are 104 different files in the Samba 4.7 suite that
> use 127.0.0.1 :/

Yes. I think there are two standards. One is, as Isaac said, RFC 3330. And the other one was "vote with the feet" and is localhost = 127.0.0.1. There is too much software with this address hardcoded.
So it is a security feature that software will not bind to a public IP by accident.

I wonder why it makes such a difference whether the IP address of the host is /32 or not. And I can't just change it to /24, because then I couldn't reach the other servers in this /24 network. And some of them are also mine :-(

Ole
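Dewayne's "Minimal devices in a jail" post above lists the five nodes that were enough for his jail. As an added example (not code from the thread, and not FreeBSD's own), the shell script below turns that list into a devfs.rules(5) ruleset that hides everything else, and checks a jail's /dev listing against the same allowlist so that a later edit to the ruleset cannot silently widen it. The ruleset number 10, the jail name jail3 in the usage comments, and the sample listings in the check are assumptions. The descriptors 0-2 that his fstat output shows are inherited from the jexec parent process rather than opened from devfs nodes, so they are outside what this checks.

```shell
#!/bin/sh
# Added example, not from the freebsd-jail thread: build a devfs.rules(5)
# ruleset from an explicit device allowlist and audit a jail's /dev against it.
# Assumptions: ruleset number 10 is unused on the host; the jail is named jail3.

ALLOWED_DEVS="crypto null random urandom zero"

# Emit a ruleset that hides every node, then unhides only the allowlist.
# $devfsrules_hide_all is defined in /etc/defaults/devfs.rules; the output
# is meant to be appended to /etc/devfs.rules.
minimal_devfs_rules() {
    ruleset_no=${1:-10}
    printf '[devfsrules_jail_minimal=%s]\n' "$ruleset_no"
    printf 'add include $devfsrules_hide_all\n'
    for dev in $ALLOWED_DEVS; do
        printf 'add path %s unhide\n' "$dev"
    done
}

# Read a device listing on stdin (one name per line, as produced by
# "jexec jail3 ls -1 /dev") and report any node outside the allowlist.
# Returns 1 when something unexpected is visible, 0 otherwise.
audit_jail_devs() {
    extra=""
    while IFS= read -r dev; do
        [ -n "$dev" ] || continue
        case " $ALLOWED_DEVS " in
            *" $dev "*) ;;                  # on the allowlist
            *) extra="$extra $dev" ;;       # leaked through the ruleset
        esac
    done
    if [ -n "$extra" ]; then
        printf 'unexpected devices:%s\n' "$extra"
        return 1
    fi
    return 0
}

# Host-side usage (not run here):
#   minimal_devfs_rules 10 >> /etc/devfs.rules && service devfs restart
#   then set devfs_ruleset = "10"; in the jail's jail.conf block and restart it
#   jexec jail3 ls -1 /dev | audit_jail_devs
```

The audit reads whatever listing is piped in, so it works equally on a live jail and on a saved listing; a non-zero exit is the signal to look at which rule unhid the extra node.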
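Dewayne's observation above that traffic between two jails traverses lo0, and Ole's conclusion that he needs a firewall rule to block it, describe a policy rather than a rule set. As an added example (not code from the thread), the shell function below generates ipfw(8) rules from a list of jails: each jail may talk to its own addresses over lo0 (which covers its 127.x alias as well), no jail may reach another jail's addresses or the host's 127.0.0.0/8 over lo0, and the remaining loopback traffic is left to the host. The jail list uses b6's addresses from Dewayne's jail.conf plus a constructed second jail; the rule numbers and the "name:addr,addr" list format are assumptions. It prints the commands instead of running ipfw so the rules can be reviewed before they touch a remote host.

```shell
#!/bin/sh
# Added example, not from the freebsd-jail thread: emit ipfw(8) rules that
# keep jails from talking to each other, or to the host's loopback network,
# over lo0, while letting every jail reach its own addresses.
# Assumptions: rule numbers start at 1000; the "name:addr[,addr...]" list
# format below; b6's addresses come from the thread, j2 is constructed.

JAILS="b6:10.0.7.96,10.0.5.126 j2:10.0.7.97,127.0.0.97"

# Print one "ipfw add" command per line. Order matters: per-jail allows first,
# then the denies, then a catch-all allow for host traffic on lo0.
jail_isolation_rules() {
    n=1000
    all=""
    for entry in $JAILS; do
        all="${all:+$all,}${entry#*:}"   # comma-joined list of every jail address
    done

    # 1. A jail may reach any of its own addresses (public and 127.x alias).
    for entry in $JAILS; do
        name=${entry%%:*}
        addrs=${entry#*:}
        printf 'ipfw add %d allow ip from %s to %s via lo0 // %s to itself\n' \
            "$n" "$addrs" "$addrs" "$name"
        n=$((n + 10))
    done

    # 2. No jail may reach another jail's addresses over lo0 ...
    printf 'ipfw add %d deny ip from %s to %s via lo0 // jail to jail\n' \
        "$n" "$all" "$all"
    n=$((n + 10))
    # ... nor the host's loopback network (a jail's own alias was allowed above).
    printf 'ipfw add %d deny ip from %s to 127.0.0.0/8 via lo0 // jail to host loopback\n' \
        "$n" "$all"
    n=$((n + 10))

    # 3. Whatever remains on lo0 is host-originated; leave it alone.
    printf 'ipfw add %d allow ip from any to any via lo0 // host loopback\n' "$n"
}

# Host-side usage (not run here): review the output, then apply it.
#   jail_isolation_rules
#   jail_isolation_rules | sh
```

Because the denies match on "via lo0", they catch the jail-to-jail path Dewayne saw with tcpdump without touching the jails' traffic on their external interfaces; confirm with "tcpdump -ni lo0" before and after loading the rules.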