Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 23 Mar 2014 10:34:38 -0400
From:      "Littlefield, Tyler" <tyler@tysdomain.com>
To:        Jeff Tipton <jeff.t@mail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: jails, subnets and etc?
Message-ID:  <532EF0FE.8020907@tysdomain.com>
In-Reply-To: <532E984B.3060209@mail.com>
References:  <532E5F05.2040207@tysdomain.com> <532E984B.3060209@mail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
hello:
On 3/23/2014 4:16 AM, Jeff Tipton wrote:
> Hello,
>
> On 03/23/2014 06:11, Littlefield, Tyler wrote:
>> hello all:
>> I'm curious if I'm doing this right, and would like some advice from 
>> someone.
>> First, I created a jail with ezjails and set it's IP to 192.168.0.2, 
>> then bound mysql to that address.
>> The idea is that mysql can run in its own jail while not being 
>> accessible to the outside world. I set the gateway (defaultrouter in 
>> the jail's rc.conf) to the IP address of my machine so the system can 
>> access the network.
> Basically, you don't have to do that; you may do without the 
> "defaultrouter" line there at all.
>> This is where I run into a bit of fun: I am unable to ping/telnet to 
>> 192.168.0.2 3306, and I am unable to telnet out of the jail. So, I 
>> have a few questions:
> By default, ping doesn't work with jails. If you want to enable it, 
> you have to set the security.jail.allow_raw_sockets sysctl value to 1. 
> But telnet should work without this setting.
>> 1) what needs to happen on the pf side to forward ports from x.x.x.x 
>> (my external-facing interface), to a specific address and port on the 
>> subnet? the idea is that I will just use pf to forward ports to 
>> public-facing jailed services.
> Example destination NAT in pf.conf
> rdr on bge0 proto tcp from any to any port 3306 -> 192.168.0.2
> (where bge0 is the device name of your external interface; replace it 
> with your own)
>> 2) Do I need to do something special to get this subnet set up? What 
>> needs to happen to get the jail and the host talking to each other?
>> thanks in advance,
>>
> Jail and host should talk to each other without special settings. 
> Maybe you have some restrictions in pf? Try to flush all rules (pfctl 
> -Fa).
> How did you set up the network interface in your host machine -- is it 
> accessible to your jails?
>
I'm sorry for all the questions, I am fairly new to BSD. The only 
configuration of rc.conf is here:
jail_enable="YES"
ezjail_enable="YES"
sshd_enable="YES"
pf_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="pool.ntp.org"
fsck_y_enable="YES"
named_enable="YES"
dumpdev="NO"
local_unbound_enable=yes
ifconfig_em0="inet 192.99.32.153 netmask 255.255.255.0 broadcast 
192.99.32.255"
defaultrouter="192.99.32.254"
# IPv6 configuration
ipv6_enable="YES"
ipv6_network_interfaces="em0"
ifconfig_em0_ipv6="inet6 2607:5300:60:4799::1 prefixlen 64"
ipv6_static_routes="ovhgw"
ipv6_route_ovhgw="2607:5300:60:47ff:ff:ff:ff:ff -prefixlen 128 
-interface em0"
ipv6_defaultrouter="2607:5300:60:47ff:ff:ff:ff:ff"
hostname="sapphire"
#security
#kern_securelevel_enable="YES"
kern_securelevel=-1
postfix_enable="YES"
I flushed the firewall and am still unable to connect out from the jail 
(using telnet), or connect to the jail using telnet.

Do I need to do anything else special? Is there a way to track this down?

Thanks,


> -Jeff
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe@freebsd.org"


-- 
Take care,
Ty
http://tds-solutions.net
He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?532EF0FE.8020907>