From: doug
Reply-To: doug@safeport.com
To: byrnejb@harte-lyne.ca
Cc: freebsd-questions@freebsd.org
Date: Fri, 23 Dec 2016 12:01:22 -0500 (EST)
Subject: Re: IP address assignments to jails using ezjail
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)

On Thu, 22 Dec 2016, James B. Byrne via freebsd-questions wrote:

> When I created the new jail I used this invocation:
>
> ezjail-admin create -x hlldrupal 'lo1|127.0.1.1,vtnet0|192.168.216.196'
>
> Inside the host rc.conf I have this:
>
> # Cloned i/f and assigned ipv4 addr for jails
> cloned_interfaces="lo1" # For shared jail configuration
>
> And ifconfig on the host shows this:
>
> vtnet0: flags=8943 metric 0 mtu 1500
>         options=80028
>         ether 00:a0:98:fa:aa:b6
>         inet 216.185.71.16 netmask 0xffffff00 broadcast 216.185.71.255
>         inet 192.168.216.16 netmask 0xffffff00 broadcast 192.168.216.255
>         inet 192.168.216.196 netmask 0xffffffff broadcast 192.168.216.196
>         nd6 options=29
>         media: Ethernet 10Gbase-T
>         status: active
> . . .
> lo1: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet 127.0.1.1 netmask 0xffffffff
>         nd6 options=29
>         groups: lo
>
> Inside the jail ifconfig shows this:
>
> vtnet0: flags=8943 metric 0 mtu 1500
>         options=80028
>         ether 00:a0:98:fa:aa:b6
>         inet 192.168.216.196 netmask 0xffffffff broadcast 192.168.216.196
>         media: Ethernet 10Gbase-T
>         status: active
> lo0: flags=8049 metric 0 mtu 16384
>         options=600003
>         groups: lo
> lo1: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet 127.0.1.1 netmask 0xffffffff
>         groups: lo
>
>
> All this seems to be correct and yet I cannot seem to obtain an ssh
> connection to or from the jailed instance. unbound is running in the
> jail and seems to be working. At least host responds to queries.
>
> root@hlldrupal:~ # host sendmail.com
> sendmail.com has address 209.246.26.25
> sendmail.com mail is handled by 10 mxa-00148501.gslb.pphosted.com.
> sendmail.com mail is handled by 20 mx2.proofpoint.com.
> sendmail.com mail is handled by 10 mxb-00148501.gslb.pphosted.com.
>
> pf is not running in the jail but sshd is:
>
> root@hlldrupal:~ # service sshd status
> sshd is running as pid 81502.
>
> root@hlldrupal:~ # service pf status
> Cannot 'status' pf. Set pf_enable to YES in /etc/rc.conf or use
> 'onestatus' instead of 'status'.
> root@hlldrupal:~ # service pf onestatus
> pf.ko is not loaded
>
>
> I note that the flag IFDISABLED is present on the host's lo1. Why? Is
> this the source of the connectivity problem with the jail? If so then
> why does the host command work when executed within the jail? In any
> case I can ping the jail from without:
>
> [root@vhost04 ~ (master *%)]# ping 192.168.216.196
> PING 192.168.216.196 (192.168.216.196) 56(84) bytes of data.
> 64 bytes from 192.168.216.196: icmp_seq=1 ttl=64 time=0.647 ms
>
> I just cannot connect to that address via ssh from without nor can I
> connect ssh to any address from within the jail.
>
>
> --
> *** e-Mail is NOT a SECURE channel ***
> Do NOT transmit sensitive data via e-Mail
> Do NOT open attachments nor follow links sent by e-Mail

The handbook suggests that getting loopback traffic is a good thing. That said, none of our production systems do this, and a number of the jails use sshguard via inetd. One of the original jail developers did not have a handy answer as to why, or if, this is a must. That said, it can't hurt.

As to pinging, the answer provided by some very helpful people here is ping -S. This assumes /etc/sysctl.conf has 'security.jail.allow_raw_sockets=1' and /usr/local/etc/ezjail/jail-name has:

export jail_`jail-name`_parameters="allow.raw_sockets=1"

If you read the thread [anyone know what 'ping: sendto: Can't assign requested' means] it documents my rather painful acquisition of this knowledge :)
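As an added example, not from doug's reply and not part of ezjail's own tooling: a small POSIX sh script that reads an ezjail jail config in the format used above together with a sysctl.conf fragment (both constructed inline to mirror the hlldrupal jail from the thread), confirms the two settings the reply names, and prints the ping -S command with the jail's own interface address as the source. The function names, the temp-file layout and the sample config are assumptions of this example. One caveat a practitioner should keep in mind: allow.raw_sockets lets processes inside the jail open raw sockets, which is why jail(8) leaves it off by default, so set it only on jails that actually need ping or traceroute.

```shell
#!/bin/sh
# Added example: check the settings doug's reply names and build the
# "ping -S" command. Not ezjail code; config text below is constructed
# for the hlldrupal jail in the thread, helper names are assumptions.

# Write a constructed ezjail config and sysctl.conf fragment to a temp
# directory and print the directory path.
make_demo_configs() {
    d=$(mktemp -d) || return 1
    cat > "$d/hlldrupal" <<'EOF'
export jail_hlldrupal_hostname="hlldrupal"
export jail_hlldrupal_ip="lo1|127.0.1.1,vtnet0|192.168.216.196"
export jail_hlldrupal_rootdir="/usr/jails/hlldrupal"
export jail_hlldrupal_parameters="allow.raw_sockets=1"
EOF
    cat > "$d/sysctl.conf" <<'EOF'
# constructed host sysctl.conf fragment
security.jail.allow_raw_sockets=1   # needed for ping inside jails
EOF
    printf '%s\n' "$d"
}

# Return 0 when FILE holds an uncommented KEY=VALUE line (sysctl.conf style).
# Usage: conf_has_kv FILE KEY VALUE
conf_has_kv() {
    awk -v kv="$2=$3" '
        { sub(/#.*/, ""); gsub(/[[:space:]]/, "") }
        $0 == kv { found = 1 }
        END { exit !found }' "$1"
}

# Print the address bound to IFACE in JAIL's ezjail "ip" line (empty if none).
# Usage: jail_iface_addr CONFIG JAIL IFACE
jail_iface_addr() {
    sed -n "s/^export jail_${2}_ip=\"\(.*\)\"\$/\1/p" "$1" \
      | tr ',' '\n' \
      | awk -F'|' -v ifc="$3" '$1 == ifc { print $2; exit }'
}

# Return 0 when JAIL's ezjail parameters contain allow.raw_sockets=1.
# Usage: jail_raw_sockets_enabled CONFIG JAIL
jail_raw_sockets_enabled() {
    sed -n "s/^export jail_${2}_parameters=\"\(.*\)\"\$/\1/p" "$1" \
      | tr ' ' '\n' \
      | grep -qxF 'allow.raw_sockets=1'
}

# Print the ping command to run inside JAIL, sourcing from its IFACE address
# (the -S the reply recommends). Fails with a distinct status when the host
# sysctl, the jail parameter, or the interface address is missing.
# Usage: jail_ping_cmd CONFIG SYSCTL_CONF JAIL IFACE TARGET
jail_ping_cmd() {
    conf_has_kv "$2" security.jail.allow_raw_sockets 1 || return 2
    jail_raw_sockets_enabled "$1" "$3" || return 3
    src=$(jail_iface_addr "$1" "$3" "$4")
    [ -n "$src" ] || return 4
    printf 'ping -S %s -c 3 %s\n' "$src" "$5"
}

# Stand-alone run: build the demo configs and print the command for hlldrupal.
demo=$(make_demo_configs)
jail_ping_cmd "$demo/hlldrupal" "$demo/sysctl.conf" hlldrupal vtnet0 192.168.216.16
rm -rf "$demo"
```

Run it as-is to see the command for the constructed jail; point the functions at /usr/local/etc/ezjail/<jail-name> and /etc/sysctl.conf on a real host to check a live jail. The distinct return codes from jail_ping_cmd tell you which of the three prerequisites is missing before you reach the "sendto: Can't assign requested address" error doug mentions.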