Date: Thu, 1 Feb 2018 10:08:25 -0600
From: Grouchy Sysadmin <sysadmin@grouchysysadmin.com>
To: freebsd-questions@freebsd.org
Subject: Re: EZJAIL and ping on FreeBSD-11.
Message-ID: <0fe114e1-bc87-db17-ed24-8035bb1582b1@grouchysysadmin.com>
In-Reply-To: <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>
References: <05940d076ac711b2c9b740451706c5d4.squirrel@webmail.harte-lyne.ca>
On 02/01/2018 09:23 AM, James B. Byrne via freebsd-questions wrote:
> I have read the various 'howtos' respecting this issue and I cannot
> see where I have failed to properly follow the instructions. But
> clearly I have not done it right.
>
> I have set up a jail named hll124. It is configured and running. It
> can connect to the network and the Internet without issue. DNS
> resolution works fine using local_unbound.
>
> In /etc/sysctl.conf on the host I have this:
>
> # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
> #
> # This file is read when going to multi-user and its contents piped thru
> # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
> #
>
> # Uncomment this to prevent users from seeing information about processes that
> # are being run under another UID.
> #security.bsd.see_other_uids=0
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> security.bsd.unprivileged_read_msgbuf=0
> security.bsd.unprivileged_proc_debug=0
> security.bsd.stack_guard_page=1
>
> # Required for Chrome/Chromium
> kern.ipc.shm_allow_removed=1
>
> # Add to allow jails to create sockets - 2018-01-31 JBB
> security.jail.allow_raw_sockets=1
>
>
> The host system shows this:
>
> $ sudo sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
>
>
> In the ezjail configuration file I have this:
>
> # Allow ping, traceroute and other things 2018-01-31 JBB
> export jail_hll124_allow_raw_sockets="YES"
>
>
> When I connect to the ezjail instance with ezjail-admin console and
> run ping then I see this:
>
> # ping 192.168.71.44
> ping: ssend socket: Operation not permitted
>
> What else am I missing?
>

You don't need to allow raw sockets globally. I'd leave it set as "security.jail.allow_raw_sockets=0". Then allow raw sockets on a per-jail basis by changing the parameters in the ezjail configuration. For example, add this to the /usr/local/etc/ezjail/hll124 file:

export jail_hll124_parameters="allow.raw_sockets=1"

Stop the jail, and then start it for the setting to take effect.
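An added audit helper, not from the thread or from ezjail itself, that shows how a host administrator can check which jail configs grant raw sockets per jail and whether the host also still grants them globally via sysctl.conf. It assumes the ezjail layout discussed above (one file per jail under /usr/local/etc/ezjail/ with `export jail_<name>_parameters=...` lines); the directory and sysctl.conf path are parameters, and the sample files are constructed so it runs anywhere.

```shell
#!/bin/sh
# Audit helper (added example, not part of the original thread).
# Assumes ezjail-style config files: one file per jail, containing
# export jail_<name>_parameters="..." and/or the older
# export jail_<name>_allow_raw_sockets="YES" form the question used.

# Print "<jail> raw_sockets=1" for each config in $1 that grants raw sockets,
# via either allow.raw_sockets=1 in the parameters string or the older variable.
audit_ezjail_raw_sockets() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        jail=$(basename "$f")
        if grep -Eq '^[[:space:]]*export[[:space:]]+jail_[A-Za-z0-9_]+_parameters=.*allow\.raw_sockets=1' "$f" \
           || grep -Eiq '^[[:space:]]*export[[:space:]]+jail_[A-Za-z0-9_]+_allow_raw_sockets="?YES"?' "$f"; then
            echo "$jail raw_sockets=1"
        fi
    done
}

# Return 0 if the sysctl.conf at $1 sets security.jail.allow_raw_sockets=1,
# i.e. the global grant the reply above recommends leaving at 0; 1 otherwise.
global_raw_sockets_enabled() {
    grep -Eq '^[[:space:]]*security\.jail\.allow_raw_sockets[[:space:]]*=[[:space:]]*1' "$1"
}

# --- constructed sample input, mirroring the thread (not real host files) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ezjail"
printf '%s\n' '# Allow ping, traceroute and other things' \
    'export jail_hll124_parameters="allow.raw_sockets=1"' > "$demo_dir/ezjail/hll124"
printf '%s\n' 'export jail_web_parameters="allow.mount=0"' > "$demo_dir/ezjail/web"
printf '%s\n' 'security.bsd.see_other_uids=0' \
    'security.jail.allow_raw_sockets=1' > "$demo_dir/sysctl.conf"

# Report per-jail grants, then flag the global grant if it is still present.
audit_ezjail_raw_sockets "$demo_dir/ezjail"
if global_raw_sockets_enabled "$demo_dir/sysctl.conf"; then
    echo "WARNING: security.jail.allow_raw_sockets=1 grants raw sockets to every jail"
fi
```

On a real host, point the two functions at /usr/local/etc/ezjail and /etc/sysctl.conf; `jls -j <name> allow.raw_sockets` confirms what the running jail actually received.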