From owner-freebsd-questions@FreeBSD.ORG Sun Mar 23 14:34:38 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9CB99F7F for ; Sun, 23 Mar 2014 14:34:38 +0000 (UTC) Received: from tds-solutions.net (tds-solutions.net [69.164.206.65]) by mx1.freebsd.org (Postfix) with ESMTP id 6911DF35 for ; Sun, 23 Mar 2014 14:34:38 +0000 (UTC) Received: from [136.167.217.26] (witr9z3f2p.bc.edu [136.167.217.26]) (Authenticated sender: tyler) by tds-solutions.net (Postfix) with ESMTPSA id 1CAA7A11E; Sun, 23 Mar 2014 08:40:39 -0600 (MDT) Message-ID: <532EF0FE.8020907@tysdomain.com> Date: Sun, 23 Mar 2014 10:34:38 -0400 From: "Littlefield, Tyler" User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8 MIME-Version: 1.0 To: Jeff Tipton Subject: Re: jails, subnets and etc? References: <532E5F05.2040207@tysdomain.com> <532E984B.3060209@mail.com> In-Reply-To: <532E984B.3060209@mail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: tyler@tysdomain.com List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Mar 2014 14:34:38 -0000 hello: On 3/23/2014 4:16 AM, Jeff Tipton wrote: > Hello, > > On 03/23/2014 06:11, Littlefield, Tyler wrote: >> hello all: >> I'm curious if I'm doing this right, and would like some advice from >> someone. >> First, I created a jail with ezjails and set it's IP to 192.168.0.2, >> then bound mysql to that address. >> The idea is that mysql can run in its own jail while not being >> accessible to the outside world. I set the gateway (defaultrouter in >> the jail's rc.conf) to the IP address of my machine so the system can >> access the network. > Basically, you don't have to do that; you may do without the > "defaultrouter" line there at all. >> This is where I run into a bit of fun: I am unable to ping/telnet to >> 192.168.0.2 3306, and I am unable to telnet out of the jail. So, I >> have a few questions: > By default, ping doesn't work with jails. If you want to enable it, > you have to set the security.jail.allow_raw_sockets sysctl value to 1. > But telnet should work without this setting. >> 1) what needs to happen on the pf side to forward ports from x.x.x.x >> (my external-facing interface), to a specific address and port on the >> subnet? the idea is that I will just use pf to forward ports to >> public-facing jailed services. > Example destination NAT in pf.conf > rdr on bge0 proto tcp from any to any port 3306 -> 192.168.0.2 > (where bge0 is the device name of your external interface; replace it > with your own) >> 2) Do I need to do something special to get this subnet set up? What >> needs to happen to get the jail and the host talking to each other? >> thanks in advance, >> > Jail and host should talk to each other without special settings. > Maybe you have some restrictions in pf? Try to flush all rules (pfctl > -Fa). > How did you set up the network interface in your host machine -- is it > accessible to your jails? > I'm sorry for all the questions, I am fairly new to BSD. The only configuration of rc.conf is here: jail_enable="YES" ezjail_enable="YES" sshd_enable="YES" pf_enable="YES" ntpdate_enable="YES" ntpdate_hosts="pool.ntp.org" fsck_y_enable="YES" named_enable="YES" dumpdev="NO" local_unbound_enable=yes ifconfig_em0="inet 192.99.32.153 netmask 255.255.255.0 broadcast 192.99.32.255" defaultrouter="192.99.32.254" # IPv6 configuration ipv6_enable="YES" ipv6_network_interfaces="em0" ifconfig_em0_ipv6="inet6 2607:5300:60:4799::1 prefixlen 64" ipv6_static_routes="ovhgw" ipv6_route_ovhgw="2607:5300:60:47ff:ff:ff:ff:ff -prefixlen 128 -interface em0" ipv6_defaultrouter="2607:5300:60:47ff:ff:ff:ff:ff" hostname="sapphire" #security #kern_securelevel_enable="YES" kern_securelevel=-1 postfix_enable="YES" I flushed the firewall and am still unable to connect out from the jail (using telnet), or connect to the jail using telnet. Do I need to do anything else special? Is there a way to track this down? Thanks, > -Jeff > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org" -- Take care, Ty http://tds-solutions.net He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.