From owner-freebsd-jail@freebsd.org Thu Mar 22 04:20:26 2018
Date: Wed, 21 Mar 2018 22:13:52 -0600
From: James Gritton
To: freebsd-jail@freebsd.org
Subject: Time for those old global jail sysctls to go

I've got a revision in the works to remove the
security.jail.foo_allowed sysctls:

> The old jail system had sysctls to set jail permissions for all jails
> (e.g. security.jail.mount_allowed), which were superseded by per-jail
> permissions (e.g. allow.mount). These old sysctls remain a constant
> source of confusion to users, who expect that setting the sysctl will
> change the behavior of existing jails. That the sysctl value at the time
> a jail is created may matter is a backward-compatibility hack that does
> little or nothing to relieve the confusion. So it's time for them to go.

> Also, jail(2) has been replaced by jail_set(2) for a number of years
> now, and it really ought to retire - at least into the COMPAT world.

This may be of interest to anyone who works with jails. My hope is that
no current software relies on these old sysctls, and they can be removed
with little trouble. But removing old things never seems to go that easy.

- Jamie

From owner-freebsd-jail@freebsd.org Thu Mar 22 08:56:15 2018
From: "Bjoern A. Zeeb"
To: "James Gritton"
Cc: freebsd-jail@freebsd.org
Subject: Re: Time for those old global jail sysctls to go
Date: Thu, 22 Mar 2018 08:56:08 +0000

On 22 Mar 2018, at 4:13, James Gritton wrote:

> I've got a revision in the works to
> remove the security.jail.foo_allowed sysctls:
>
>> The old jail system had sysctls to set jail permissions for all jails
>> (e.g. security.jail.mount_allowed), which were superseded by per-jail
>> permissions (e.g. allow.mount). These old sysctls remain a constant
>> source of confusion to users, who expect that setting the sysctl will
>> change the behavior of existing jails. That the sysctl value at the
>> time a jail is created may matter is a backward-compatibility hack that
>> does little or nothing to relieve the confusion. So it's time for them
>> to go.
>
>> Also, jail(2) has been replaced by jail_set(2) for a number of years
>> now, and it really ought to retire - at least into the COMPAT world.
>
> This may be of interest to anyone who works with jails. My hope is
> that no current software relies on these old sysctls, and they can be
> removed with little trouble. But removing old things never seems to go
> that easy.

I think #1 action item is to put them under BURN_BRIDGES or however it
was spelt if you really want to remove them.
Then for the next major version they could go away ( I’d be all up for
removing them immediately (incl. from the man pages ) but I remember
there used to be 2-3 ports which used the jail v1 stuff; might be
worth checking that they were updated or are gone?

/bz

From owner-freebsd-jail@freebsd.org Thu Mar 22 14:44:16 2018
Date: Thu, 22 Mar 2018 08:44:13 -0600
From: James Gritton
To: "Bjoern A. Zeeb"
Cc: freebsd-jail@freebsd.org
Subject: Re: Time for those old global jail sysctls to go

On 2018-03-22 02:56, Bjoern A. Zeeb wrote:
> On 22 Mar 2018, at 4:13, James Gritton wrote:
>
>> I've got a revision in the works to
>> remove the security.jail.foo_allowed sysctls:
>>
>>> The old jail system had sysctls to set jail permissions for all jails
>>> (e.g. security.jail.mount_allowed), which were superseded by per-jail
>>> permissions (e.g. allow.mount). These old sysctls remain a constant
>>> source of confusion to users, who expect that setting the sysctl will
>>> change the behavior of existing jails. That the sysctl value at the
>>> time a jail is created may matter is a backward-compatibility hack
>>> that does little or nothing to relieve the confusion. So it's time
>>> for them to go.
>>
>>> Also, jail(2) has been replaced by jail_set(2) for a number of years
>>> now, and it really ought to retire - at least into the COMPAT world.
>>
>> This may be of interest to anyone who works with jails. My hope is
>> that no current software relies on these old sysctls, and they can be
>> removed with little trouble. But removing old things never seems to go
>> that easy.
>
> I think #1 action item is to put them under BURN_BRIDGES or however it
> was spelt if you really want to remove them.
> Then for the next major version they could go away ( I’d be all up for
> removing them immediately (incl. from the man pages ) but I remember
> there used to be 2-3 ports which used the jail v1 stuff; might be
> worth checking that they were updated or are gone?

BURN_BRIDGES indeed. I keep learning new things about this project!

Yes, the hard part of testing this will be going through ports which use
the jail stuff. The few places in the core code which still relied on
jail(2) weren't places I'd think to look if I hadn't checked all of src,
and I imagine ports are a similar case.

- Jamie

From owner-freebsd-jail@freebsd.org Thu Mar 22 19:37:32 2018
From: "Philip M. Gollucci"
Date: Thu, 22 Mar 2018 19:37:18 +0000
Subject: Re: Time for those old global jail sysctls to go
To: James Gritton
Cc: "Bjoern A. Zeeb", freebsd-jail@freebsd.org

Trying to catch runtime is a losing battle for this in ports but exp-run
worthy

On Thu, Mar 22, 2018 at 10:44 AM James Gritton wrote:

> On 2018-03-22 02:56, Bjoern A. Zeeb wrote:
> > On 22 Mar 2018, at 4:13, James Gritton wrote:
> >
> >> I've got a revision in the works to
> >> remove the security.jail.foo_allowed sysctls:
> >>
> >>> The old jail system had sysctls to set jail permissions for all jails
> >>> (e.g. security.jail.mount_allowed), which were superseded by per-jail
> >>> permissions (e.g. allow.mount). These old sysctls remain a constant
> >>> source of confusion to users, who expect that setting the sysctl will
> >>> change the behavior of existing jails. That the sysctl value at the
> >>> time a jail is created may matter is a backward-compatibility hack
> >>> that does little or nothing to relieve the confusion. So it's time
> >>> for them to go.
> >>
> >>> Also, jail(2) has been replaced by jail_set(2) for a number of years
> >>> now, and it really ought to retire - at least into the COMPAT world.
> >>
> >> This may be of interest to anyone who works with jails. My hope is
> >> that no current software relies on these old sysctls, and they can be
> >> removed with little trouble. But removing old things never seems to
> >> go that easy.
> >
> > I think #1 action item is to put them under BURN_BRIDGES or however it
> > was spelt if you really want to remove them.
> > Then for the next major version they could go away ( I’d be all up for
> > removing them immediately (incl. from the man pages ) but I remember
> > there used to be 2-3 ports which used the jail v1 stuff; might be
> > worth checking that they were updated or are gone?
>
> BURN_BRIDGES indeed. I keep learning new things about this project!
>
> Yes, the hard part of testing this will be going through ports which use
> the jail stuff. The few places in the core code which still relied on
> jail(2) weren't places I'd think to look if I hadn't checked all of src,
> and I imagine ports are a similar case.
>
> - Jamie

-- 
4096R/D21D2752 ECDF B597 B54B 7F92 753E E0EA F699 A450 D21D 2752
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Member, Apache Software Foundation
Committer, FreeBSD Foundation
Consultant, P6M7G8 Inc.
Director Cloud Technology, Capital One

What doesn't kill us can only make us stronger;
Except it almost kills you.
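
The check the thread asks for, finding code that still depends on the old
global sysctls or on jail(2), could be scripted as below. This is an added
example, not part of the original messages and not FreeBSD project code. The
function names and the sample tree are constructed; only the
mount_allowed/allow.mount pair comes from the thread, the other pairs are
taken from jail(8).

```sh
#!/bin/sh
# Added example: audit a source tree for the legacy jail interfaces
# discussed in the thread. All function names here are hypothetical.

# Map a legacy global sysctl to the per-jail parameter that replaced it.
# Only mount_allowed -> allow.mount is stated in the thread; the other
# pairs are from jail(8).
perjail_param() {
    case "$1" in
        security.jail.mount_allowed)        echo "allow.mount" ;;
        security.jail.set_hostname_allowed) echo "allow.set_hostname" ;;
        security.jail.sysvipc_allowed)      echo "allow.sysvipc" ;;
        security.jail.chflags_allowed)      echo "allow.chflags" ;;
        *)                                  echo "see jail(8)" ;;
    esac
}

# Print "file:line: <sysctl> -> <per-jail parameter>" for every reference
# to a security.jail.*_allowed sysctl under directory $1.
# Paths containing ':' are not handled.
find_legacy_sysctls() {
    find "$1" -type f \
        -exec grep -noE 'security\.jail\.[a-z_]+_allowed' {} /dev/null \; |
    while IFS=: read -r file line name; do
        echo "$file:$line: $name -> $(perjail_param "$name")"
    done
}

# Print "file:line:text" for C sources under $1 that call jail(2) itself.
# jail_set(), jail_get(), jail_attach() and jail_remove() do not match,
# and neither do manual-page style references such as "jail(8)".
find_jail2_callers() {
    find "$1" -type f -name '*.[ch]' \
        -exec grep -nE '(^|[^A-Za-z0-9_])jail[[:space:]]*\([^0-9]' {} /dev/null \;
}

# Constructed sample tree standing in for a port's sources.
make_sample_tree() {
    mkdir -p "$1/old" "$1/new"
    cat > "$1/old/start.sh" <<'EOF'
#!/bin/sh
sysctl security.jail.mount_allowed=1
sysctl security.jail.sysvipc_allowed=1
EOF
    cat > "$1/old/launch.c" <<'EOF'
/* legacy interface, see jail(2) */
int start(struct jail *j) { return (jail(j)); }
EOF
    cat > "$1/new/launch.c" <<'EOF'
int start(struct iovec *iov, unsigned n) { return (jail_set(iov, n, JAIL_CREATE)); }
EOF
}

sample=$(mktemp -d)
make_sample_tree "$sample"
echo "legacy sysctl references:"
find_legacy_sysctls "$sample"
echo "direct jail(2) callers:"
find_jail2_callers "$sample"
rm -rf "$sample"
```

A static scan like this only finds literal references; names built at run
time are the case an exp-run is meant to catch.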

From owner-freebsd-jail@freebsd.org Fri Mar 23 15:58:29 2018
Subject: Re: two NIC's in a jail
To: Joerg Surmann, FreeBSD-Jail
From: Miroslav Lachman <000.fbsd@quip.cz>
Cc: freebsd-current@freebsd.org
Date: Fri, 23 Mar 2018 16:58:22 +0100

Joerg Surmann wrote on 2018/03/23 16:45:
> Thanks for reply.
>
> netstat -an | egrep 'tcp4.*80 .*LISTEN'
> says:
> netstat: kvm not available: /dev/mem No such file or directory <- is
> inside a jail.
> tcp4    0        0 *.80        *.*        LISTEN
>
> grep -i Listen /usr/local/etc/apache24/httpd.conf
>
> Listen 80
> Listen 443
>
> From the internal IP is no Problem.
> You are right. I'm not sure on which IP's Apache is listening.
>
> I have changed the Listen directive to the external IP in httpd.conf
> Listen 213.70.80.92:80
>
> netstat -an | egrep 'tcp4.*80 .*LISTEN'
> now says:
> tcp4    0        0  213.70.80.92:80        *.*        LISTEN
>
> But apache is not available from Internet.
> From Intranet... no Problem.
>
> When I use tcpdump on Host I can see Traffic.
>
> What's wrong?

That's strange.

Listen 80 and Listen 443 is OK, it is the same as
  Listen *:80
  Listen *:443
and as you see with netstat, Apache was listening on both IPs:
 *.80        *.*        LISTEN

Do you have something listening on port 80 in the Host?

What netstat shows in the host?

Also check Apache log files. If you didn't configure virtual host,
then you have just these two log files:
/var/log/httpd-access.log
/var/log/httpd-error.log

Use tail and then try to access your website from the internet

# tail -f /var/log/httpd-*.log

Please send what "jls -v" in the Host will show you. (there should be
2 IPs for your jail) or "jls -s" (replace any sensitive information
if you want)

And move this discussion to proper mailing list:
 freebsd-jail@FreeBSD.org

Miroslav Lachman

> On 23.03.2018 at 16:07, Miroslav Lachman wrote:
>> Joerg Surmann wrote on 2018/03/23 13:49:
>>> Hi all,
>>>
>>> I have a Problem to understand how to manage 2 Networks inside a Jail.
>>>
>>> I have created a jail (using ezjail) with an alias IP.
>>> in rc.conf (on Host):
>>>
>>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this
>>> is the jail ip
>>>
>>> Inside the jail running apache24.
>>>
>>> Now I add a new NIC to the System.
>>> in rc.conf (on Host):
>>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>>
>>> in /usr/local/etc/ezjail/myjail.conf:
>>> I add the new ip
>>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>>
>>> Restart the jail and ifconfig looks fine.
>>> vmx0 -> inet 192.168.100.2
>>> em0  -> inet 213.70.80.92
>>>
>>> Apache Listen on all NIC's ()
>>> But I can see my Website only via 192.168.100.2 from intern Network.
>>>
>>> The Host is behind a Firewall.
>>> The IP  213.70.80.92 is enabled for incoming Traffic.
>>>
>>> When I give the Hostname in a Browser I become "connection Timeout".
>>>
>>> What is to do that the Host is accessible from Inet?
>>
>> Are you sure Apache is listening on both IPs?
>>
>> What netstat says?
>>
>> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>
>> Also check what you have in httpd.conf for Listen directive
>>
>> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>>
>> I am not using ezjail, I am using jail.conf
>>
>> costa {
>>         host.hostname   = "costa.example.com";
>>         ip4.addr        = AA.BB.CCC.DDD;
>>         ip4.addr       += 192.168.222.57;
>> }
>>
>> Real IP was replaced with AA.BB.CCC.DDD
>>
>> And it works. Services inside jail must be listening on both IPs or
>> wildcard * (0.0.0.0)
>>
>> And be sure to disable hosts services to listen on IPs and ports you
>> want to be served from jail.
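
The rule stated in the message above (a service in the jail must listen on
each jail address or on the wildcard) can be checked mechanically against
httpd.conf. The following is an added example, not part of the thread. The
function name listen_gaps and the two sample configs are constructed,
modelled on the two Listen settings quoted in the message, and only IPv4
Listen forms are handled.

```sh
#!/bin/sh
# Added example: which jail addresses does httpd's Listen set leave
# uncovered on a given port? The function name is hypothetical. IPv4 only.

# listen_gaps CONF PORT ADDR...
# Prints every ADDR that no "Listen" directive in CONF serves on PORT.
# "Listen 80" is treated as "Listen *:80", as explained in the thread.
listen_gaps() {
    conf=$1
    port=$2
    shift 2
    for addr in "$@"; do
        if ! awk -v want="$addr" -v port="$port" '
            tolower($1) == "listen" {
                spec = $2
                host = "*"                        # bare port means wildcard
                p = spec
                if (match(spec, /:[0-9]+$/)) {    # ADDR:PORT form
                    host = substr(spec, 1, RSTART - 1)
                    p = substr(spec, RSTART + 1)
                }
                if (p == port &&
                    (host == "*" || host == "0.0.0.0" || host == want)) {
                    found = 1
                    exit
                }
            }
            END { exit !found }                   # status 0 only if covered
        ' "$conf"; then
            echo "$addr"
        fi
    done
}

# Constructed configs modelled on the two Listen settings in the thread.
demo=$(mktemp -d)
printf 'Listen 80\nListen 443\n' > "$demo/wildcard.conf"
printf '#Listen 80\nListen 213.70.80.92:80\nListen 443\n' > "$demo/pinned.conf"

# Jail addresses as shown for the jail in the thread.
set -- 192.168.100.2 213.70.80.92
echo "wildcard.conf port 80 uncovered: $(listen_gaps "$demo/wildcard.conf" 80 "$@")"
echo "pinned.conf   port 80 uncovered: $(listen_gaps "$demo/pinned.conf" 80 "$@")"
rm -rf "$demo"
```

With the wildcard form both addresses are covered; pinning port 80 to
213.70.80.92 leaves 192.168.100.2 without a listener on that port.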
From owner-freebsd-jail@freebsd.org Fri Mar 23 16:14:21 2018 Return-Path: Delivered-To: freebsd-jail@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D0601F55A5E for ; Fri, 23 Mar 2018 16:14:20 +0000 (UTC) (envelope-from joerg_surmann@elektropost.org) Received: from elektropost.org (elektropost.org [217.115.13.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 47B857C3B1 for ; Fri, 23 Mar 2018 16:14:19 +0000 (UTC) (envelope-from joerg_surmann@elektropost.org) Received: (qmail 51047 invoked from network); 23 Mar 2018 16:14:17 -0000 Received: from elektropost.org (HELO elektropost.org) (joerg?surmann) by elektropost.org with ESMTPS (DHE-RSA-AES128-SHA encrypted); 23 Mar 2018 16:14:17 -0000 Subject: Re: two NIC's in a jail To: Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD-Jail Cc: freebsd-current@freebsd.org References: <63ecbccc-48e2-4c67-fbf5-0a73094f29be@elektropost.org> <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz> <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz> From: Joerg Surmann Message-ID: <78112343-662e-7890-f5ee-668fda23b834@elektropost.org> Date: Fri, 23 Mar 2018 17:14:14 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="DUWhYKd617V0IXTgdZAOgU0sVtB7v3vTP" X-Content-Filtered-By: Mailman/MimeDel 2.1.25 X-BeenThere: freebsd-jail@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "Discussion about FreeBSD jail\(8\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Mar 2018 16:14:21 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) 
--DUWhYKd617V0IXTgdZAOgU0sVtB7v3vTP Content-Type: multipart/mixed; boundary="FDsEC3PGqsJupiwJ9aOKqMKe0THZ1IeZp"; protected-headers="v1" From: Joerg Surmann To: Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD-Jail Cc: freebsd-current@freebsd.org Message-ID: <78112343-662e-7890-f5ee-668fda23b834@elektropost.org> Subject: Re: two NIC's in a jail References: <63ecbccc-48e2-4c67-fbf5-0a73094f29be@elektropost.org> <31fe7e04-4373-2454-aff5-0bd74b3f4b4e@quip.cz> <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz> In-Reply-To: <5decebc0-0a77-69fd-4547-8a1665300890@quip.cz> --FDsEC3PGqsJupiwJ9aOKqMKe0THZ1IeZp Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable tail -f /var/log/httpd-access.log 192.168.100.2 - - [23/Mar/2018:13:12:10 +0000] "OPTIONS * HTTP/1.0" 200 -= 192.168.100.2 - - [23/Mar/2018:15:12:02 +0000] "OPTIONS * HTTP/1.0" 200 -= 213.70.80.92 - - [23/Mar/2018:15:33:07 +0000] "OPTIONS * HTTP/1.0" 200 - 213.70.80.92 - - [23/Mar/2018:15:33:08 +0000] "OPTIONS * HTTP/1.0" 200 - 213.70.80.92 - - [23/Mar/2018:15:33:09 +0000] "OPTIONS * HTTP/1.0" 200 - 213.70.80.92 - - [23/Mar/2018:15:35:37 +0000] "GET / HTTP/1.1" 302 209 213.70.80.92 - - [23/Mar/2018:15:35:44 +0000] "OPTIONS * HTTP/1.0" 200 - 213.70.80.92 - - [23/Mar/2018:15:35:45 +0000] "OPTIONS * HTTP/1.0" 200 - 213.70.80.92 - - [23/Mar/2018:15:35:46 +0000] "OPTIONS * HTTP/1.0" 200 - 213.70.80.92 - - [23/Mar/2018:15:58:05 +0000] "GET / HTTP/1.1" 302 209 tail -f /var/log/httpd-error.log [Fri Mar 23 12:08:18.142835 2018] [mpm_prefork:notice] [pid 18904] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations [Fri Mar 23 12:08:18.142925 2018] [core:notice] [pid 18904] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT' [Fri Mar 23 12:30:19.005654 2018] [mpm_prefork:notice] [pid 18904] AH00169: caught SIGTERM, shutting down [Fri Mar 23 12:31:11.111900 2018] [ssl:warn] [pid 2542] AH01873: Init: Session Cache is not configured [hint: 
SSLSessionCache] [Fri Mar 23 12:31:11.847515 2018] [mpm_prefork:notice] [pid 2542] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations [Fri Mar 23 12:31:11.847589 2018] [core:notice] [pid 2542] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT' [Fri Mar 23 15:32:08.238227 2018] [mpm_prefork:notice] [pid 2542] AH00169: caught SIGTERM, shutting down [Fri Mar 23 15:32:08.414689 2018] [ssl:warn] [pid 40920] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache] [Fri Mar 23 15:32:08.716943 2018] [mpm_prefork:notice] [pid 40920] AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15 configured -- resuming normal operations [Fri Mar 23 15:32:08.717018 2018] [core:notice] [pid 40920] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT jls -v =C2=A0=C2=A0 JID=C2=A0 Hostname=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 Path =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Name=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 State =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 CPUSetID =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 IP Address(es) =C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 2=C2=A0 apache24=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 /usr/jails/apache24 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 apache24=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0 ACTIVE =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 3 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 192.168.100.2 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 213.70.80.92 jls -s devfs_ruleset=3D0 enforce_statfs=3D2 host=3Dnew ip4=3Ddisable ip6=3Ddisab= le jid=3D2 
name=3Dapache24 osreldate=3D1101001 osrelease=3D11.1-RELEASE path=3D/usr/jails/apache24 nopersist securelevel=3D-1 sysvmsg=3Ddisable sysvsem=3Ddisable sysvshm=3Ddisable allow.nochflags allow.mount allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=3D0 host.domainname=3D"" host.hostid=3D0 host.hostname=3Dapache24 host.hostuuid=3D00000000-0000-0000-0000-000000000000 Am 23.03.2018 um 16:58 schrieb Miroslav Lachman: > Joerg Surmann wrote on 2018/03/23 16:45: >> Thanks for replay. >> >> netstat -an | egrep 'tcp4.*80 .*LISTEN' >> say: >> netstat: kvm not available: /dev/mem No such file or directory <- is >> inside a jail. >> tcp4=C2=A0=C2=A0=C2=A0 0=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 0 *.80=C2= =A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 *.*=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0= LISTEN >> >> grep -i Listen /usr/local/etc/apache24/httpd.conf >> >> Listen 80 >> Listen 443 >> >> =C2=A0From the internal IP is no Problem. >> You are right. I'm not sure on wich IP's Apache is listening. >> >> I have change the Listen directive to the external IP in httpd.conf >> Listen 213.70.80.92:80 >> >> netstat -an | egrep 'tcp4.*80 .*LISTEN' >> now say: >> tcp4=C2=A0=C2=A0=C2=A0 0=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 0=C2=A0 = 213.70.80.92:80=C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 *.*=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 LISTEN >> >> But apache is not availble from Internet. >> =C2=A0From Intranet... no Problem. >> >> When i use tcpdump on Host i can see Traffic. >> >> Whats wrong? > > That's strange. 
> > Listen 80 and Listen 443 is OK, it is the same as > =C2=A0 Listen *:80 > =C2=A0 Listen *:443 > and as you see with netstat, Apache was listening on both IPs: > =C2=A0*.80=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 *.*=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0 LISTEN > > Do you have something listening on port 80 in the Host? > > What netstat shows in the host? > > Also check Apache log files. If you didn't configure virtual host, > then you have just these two log files: > /var/log/httpd-access.log > /var/log/httpd-error.log > > Use tail and then try to access your website from the internet > > # tail -f /var/log/httpd-*.log > > Please send what "jls -v" in the Host will show you. (there should be > 2 IPs for your jail) or "jls -s"=C2=A0 (replace any sensitive informati= ons > if you want) > > And move this discussion to proper mailing list: > =C2=A0freebsd-jail@FreeBSD.org > > Miroslav Lachman > > >> Am 23.03.2018 um 16:07 schrieb Miroslav Lachman: >>> Joerg Surmann wrote on 2018/03/23 13:49: >>>> Hi all, >>>> >>>> I have a Problem to understund how to manage 2 Networks inside a Jai= l. >>>> >>>> i have create a jail (using ezjail) with a alias IP. >>>> in rc.conf (on Host): >>>> >>>> ifconfig_vmx0=3D"inet 192.168.100.1 netmask 255.255.255.0" >>>> ifconfig_vmx0_alias0=3D"inet 192.168.100.2 netmask 255.255.255.0"=C2= =A0 <- >>>> this >>>> is the jail ip >>>> >>>> Inside the jail running apachhe24. >>>> >>>> Now i add a new NIC to the System. >>>> in rc.conf (on Host): >>>> ifconfig_em0=3D"inet 213.70.80.92 netmask 255.255.255.0" >>>> >>>> in /usr/local/etc/ezjail/myjail.conf: >>>> i add the new ip >>>> export jail_myjail_ip=3D"192.168.100.2,213.70.80.92" >>>> >>>> Restart the jail and ifconfig looks fine. >>>> vmx0 -> inet 192.168.100.2 >>>> em0=C2=A0 -> inet 213.70.80.92 >>>> >>>> Apache Listen on all NIC's () >>>> But i can see my Website only via 192.168.100.2 from intern Network.= >>>> >>>> The Host is behind a Firewall. 
>>>> The IP=C2=A0 213.70.80.92 is enabled for incomming Traffic. >>>> >>>> When i give the Hostname in a Browser i become "connection Timeout".= >>>> >>>> What is to do that the Host is accessable from Inet? >>> >>> Are you sure Apache is listening on both IPs? >>> >>> What netstat says? >>> >>> # netstat -an | egrep 'tcp4.*80 .*LISTEN' >>> >>> Also check what you have in httpd.conf for Listen directive >>> >>> # grep -i Listen /usr/local/etc/apache24/httpd.conf >>> >>> I am not using ezjail, I am using jail.conf >>> >>> costa { >>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 host.hostname=C2=A0=C2= =A0 =3D "costa.example.com"; >>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ip4.addr=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =3D AA.BB.CCC.DDD; >>> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ip4.addr=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 +=3D 192.168.222.57; >>> } >>> >>> Real IP was replaced with AA.BB.CCC.DDD >>> >>> And it works. Services inside jail must be listening on both IPs or >>> wildcard * (0.0.0.0) >>> >>> And be sure to disable hosts services to listen on IPs and ports you >>> want to be served from jail. 

From owner-freebsd-jail@freebsd.org Fri Mar 23 16:41:04 2018
Subject: Re: two NIC's in a jail
To: Joerg Surmann, FreeBSD-Jail
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Fri, 23 Mar 2018 17:41:00 +0100

Joerg Surmann wrote on 2018/03/23 17:14:
> tail -f /var/log/httpd-access.log
> 192.168.100.2 - - [23/Mar/2018:13:12:10 +0000] "OPTIONS * HTTP/1.0" 200 -
> 192.168.100.2 - - [23/Mar/2018:15:12:02 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:07 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:08 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:09 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:37 +0000] "GET / HTTP/1.1" 302 209
> 213.70.80.92 - - [23/Mar/2018:15:35:44 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:45 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:46 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:58:05 +0000] "GET / HTTP/1.1" 302 209

How did you do the request from 213.70.80.92? It was made from localhost where Apache runs?

> jls -v
>    JID  Hostname                      Path
>         Name                          State
>         CPUSetID
>         IP Address(es)
>
>      2  apache24                      /usr/jails/apache24
>         apache24                      ACTIVE
>         3
>         192.168.100.2
>         213.70.80.92

Looks good

> jls -s
>
> devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2
> name=apache24 osreldate=1101001 osrelease=11.1-RELEASE
> path=/usr/jails/apache24 nopersist securelevel=-1 sysvmsg=disable
> sysvsem=disable sysvshm=disable allow.nochflags allow.mount
> allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs
> allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs
> allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets
> allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0
> host.domainname="" host.hostid=0 host.hostname=apache24
> host.hostuuid=00000000-0000-0000-0000-000000000000

This is strange. You have ip4=disable ip6=disable. My jails have "ip4=new ip6=disable"
And you don't have ip4.addr at all. I have ip4.addr=172.16.16.2 for example

Miroslav Lachman

> On 23.03.2018 at 16:58, Miroslav Lachman wrote:
>> Joerg Surmann wrote on 2018/03/23 16:45:
>>> Thanks for reply.
>>>
>>> netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>> say:
>>> netstat: kvm not available: /dev/mem No such file or directory <- is inside a jail.
>>> tcp4    0        0 *.80        *.*        LISTEN
>>>
>>> grep -i Listen /usr/local/etc/apache24/httpd.conf
>>>
>>> Listen 80
>>> Listen 443
>>>
>>> From the internal IP is no Problem.
>>> You are right. I'm not sure on which IP's Apache is listening.
>>>
>>> I have changed the Listen directive to the external IP in httpd.conf
>>> Listen 213.70.80.92:80
>>>
>>> netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>> now say:
>>> tcp4    0        0  213.70.80.92:80        *.*        LISTEN
>>>
>>> But apache is not available from Internet.
>>> From Intranet... no Problem.
>>>
>>> When I use tcpdump on Host I can see Traffic.
>>>
>>> What's wrong?
>>
>> That's strange.
>>
>> Listen 80 and Listen 443 is OK, it is the same as
>>   Listen *:80
>>   Listen *:443
>> and as you see with netstat, Apache was listening on both IPs:
>>  *.80        *.*        LISTEN
>>
>> Do you have something listening on port 80 in the Host?
>>
>> What netstat shows in the host?
>>
>> Also check Apache log files. If you didn't configure virtual host,
>> then you have just these two log files:
>> /var/log/httpd-access.log
>> /var/log/httpd-error.log
>>
>> Use tail and then try to access your website from the internet
>>
>> # tail -f /var/log/httpd-*.log
>>
>> Please send what "jls -v" in the Host will show you. (there should be
>> 2 IPs for your jail) or "jls -s"  (replace any sensitive information
>> if you want)
>>
>> And move this discussion to proper mailing list:
>> freebsd-jail@FreeBSD.org
>>

From owner-freebsd-jail@freebsd.org Fri Mar 23 19:12:52 2018
Subject: Re: two NIC's in a jail
To: Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD-Jail
From: joerg_surmann
Date: Fri, 23 Mar 2018 20:12:12 +0100

Hi,

thanks for your help.

I can't find a solution.

But I have found a strange IP config.

in rc.conf on Host (not jail)

ifconfig_vmx0_alias1="inet 192.168.100.2  netmask 255.255.255.0"
ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"

ifconfig on host says:
inet 213.70.80.92 netmask 0xffffffff broadcast 213.70.80.92
inet 192.168.100.2  netmask 0xffffffff broadcast 192.168.100.2

ifconfig says /32 for both IPs.

Maybe that's the reason Apache is unavailable.

ifconfig inside the jail says the same.

I'm a little bit confused.

From owner-freebsd-jail@freebsd.org Fri Mar 23 23:15:29 2018
Subject: Re: two NIC's in a jail
To: joerg_surmann, FreeBSD-Jail
From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Sat, 24 Mar 2018 00:15:24 +0100

joerg_surmann wrote on 2018/03/23 20:12:
> Hi,
>
> thanks for your help.
>
> I can't find a solution.
>
> But I have found a strange IP config.
>
> in rc.conf on Host (not jail)
>
> ifconfig_vmx0_alias1="inet 192.168.100.2  netmask 255.255.255.0"
> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>
> ifconfig on host says:
> inet 213.70.80.92 netmask 0xffffffff broadcast 213.70.80.92
> inet 192.168.100.2  netmask 0xffffffff broadcast 192.168.100.2
>
> ifconfig says /32 for both IPs.
>
> Maybe that's the reason Apache is unavailable.
>
> ifconfig inside the jail says the same.
>
> I'm a little bit confused.

I think it can be a problem with your configuration of ezjail. I am not sure, but if I remember it well, if you set IP for jail in ezjail configuration it will be added to network interface on startup and removed on stop of the jail. So when you start the host you will have 192.168.100.2/24 but after jail start you will end up with 192.168.100.2/32.
Can you confirm this? (reboot the machine with ezjail disabled in rc.conf)
You need to configure ezjail to not manage IPs on interfaces.
Please post content of ezjail.conf and full conf of your jail.
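
To confirm the mismatch discussed in this thread (addresses declared with a 255.255.255.0 netmask in rc.conf but reported as 0xffffffff by ifconfig), the following added example, which is not part of any message in the thread, compares configured and live netmasks. The function names and the sample line for 192.168.100.1 are assumptions made for the illustration; the other addresses and masks are the ones quoted in the messages above.

```shell
#!/bin/sh
# netmask_drift RC_CONF [IFCONFIG_OUTPUT]
# Prints one line per IPv4 address whose live netmask differs from the one
# declared in an rc.conf ifconfig_* line, and returns 1 if any differ.
# IFCONFIG_OUTPUT defaults to standard input.
# Assumption: rc.conf uses "inet ADDR netmask MASK" (dotted quad or hex);
# the CIDR form "inet ADDR/LEN" is not handled here.
netmask_drift() {
    awk '
        # Normalise a netmask to the hex form that ifconfig prints.
        function hexmask(m,   o) {
            if (m ~ /^0x/) return tolower(m)
            split(m, o, ".")
            return sprintf("0x%02x%02x%02x%02x", o[1], o[2], o[3], o[4])
        }
        # Phase 1: collect address -> configured mask from rc.conf.
        phase == "cfg" && /^ifconfig_[A-Za-z0-9_]+=/ {
            line = $0
            sub(/^[^=]*=/, "", line)      # drop the variable name
            gsub(/"/, "", line)           # drop the quotes
            n = split(line, w, " ")
            addr = ""
            for (i = 1; i < n; i++) {
                if (w[i] == "inet") addr = w[i + 1]
                if (w[i] == "netmask" && addr != "") want[addr] = hexmask(w[i + 1])
            }
        }
        # Phase 2: compare against the "inet ... netmask ..." lines of ifconfig.
        phase == "live" && $1 == "inet" {
            for (i = 2; i < NF; i++)
                if ($i == "netmask" && ($2 in want) && want[$2] != tolower($(i + 1))) {
                    printf "%s configured=%s live=%s\n", $2, want[$2], tolower($(i + 1))
                    drift = 1
                }
        }
        END { exit drift + 0 }
    ' phase=cfg "$1" phase=live "${2:--}"
}

# Constructed sample input using the values quoted in the thread.
# The ifconfig line for 192.168.100.1 is constructed; the thread does not show it.
demo_thread_case() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/rc.conf" <<'EOF'
ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
ifconfig_vmx0_alias1="inet 192.168.100.2  netmask 255.255.255.0"
ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
EOF
    cat > "$tmp/ifconfig.out" <<'EOF'
    inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
    inet 192.168.100.2 netmask 0xffffffff broadcast 192.168.100.2
    inet 213.70.80.92 netmask 0xffffffff broadcast 213.70.80.92
EOF
    rc=0
    netmask_drift "$tmp/rc.conf" "$tmp/ifconfig.out" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_thread_case || echo "netmask drift detected"
```

On the host the same check runs as `ifconfig | netmask_drift /etc/rc.conf`, once with ezjail disabled and once after the jail has started, which is the comparison the last message asks for.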