From: Ernie Luzar <luzar722@gmail.com>
Date: Sat, 24 Dec 2016 10:22:17 +0800
To: byrnejb@harte-lyne.ca
CC: freebsd-questions@freebsd.org
Subject: Re: IP address assignments to jails using ezjail
Message-ID: <585DDBD9.1070207@gmail.com>
List-Id: User questions (freebsd-questions@freebsd.org)
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)

doug wrote:
> On Thu, 22 Dec 2016, James B. Byrne via freebsd-questions wrote:
>
>> When I created the new jail I used this invocation:
>>
>> ezjail-admin create -x hlldrupal 'lo1|127.0.1.1,vtnet0|192.168.216.196'
>>
>> Inside the host rc.conf I have this:
>>
>> # Cloned i/f and assigned ipv4 addr for jails
>> cloned_interfaces="lo1" # For shared jail configuration
>>
>> And ifconfig on the host shows this:
>>
>> vtnet0: flags=8943
>> metric 0 mtu 1500
>> options=80028
>> ether 00:a0:98:fa:aa:b6
>> inet 216.185.71.16 netmask 0xffffff00 broadcast 216.185.71.255
>> inet 192.168.216.16 netmask 0xffffff00 broadcast 192.168.216.255
>> inet 192.168.216.196 netmask 0xffffffff broadcast 192.168.216.196
>> nd6 options=29
>> media: Ethernet 10Gbase-T
>> status: active
>> . . .
>> lo1: flags=8049 metric 0 mtu 16384
>> options=600003
>> inet 127.0.1.1 netmask 0xffffffff
>> nd6 options=29
>> groups: lo
>>
>> Inside the jail ifconfig shows this:
>>
>> vtnet0: flags=8943
>> metric 0 mtu 1500
>> options=80028
>> ether 00:a0:98:fa:aa:b6
>> inet 192.168.216.196 netmask 0xffffffff broadcast 192.168.216.196
>> media: Ethernet 10Gbase-T
>> status: active
>> lo0: flags=8049 metric 0 mtu 16384
>> options=600003
>> groups: lo
>> lo1: flags=8049 metric 0 mtu 16384
>> options=600003
>> inet 127.0.1.1 netmask 0xffffffff
>> groups: lo
>>
>>
>> All this seems to be correct and yet I cannot seem to obtain an ssh
>> connection to or from the jailed instance. unbound is running in the
>> jail and seems to be working. At least host responds to queries.
>>
>> root@hlldrupal:~ # host sendmail.com
>> sendmail.com has address 209.246.26.25
>> sendmail.com mail is handled by 10 mxa-00148501.gslb.pphosted.com.
>> sendmail.com mail is handled by 20 mx2.proofpoint.com.
>> sendmail.com mail is handled by 10 mxb-00148501.gslb.pphosted.com.
>>
>> pf is not running in the jail but sshd is:
>>
>> root@hlldrupal:~ # service sshd status
>> sshd is running as pid 81502.
>>
>> root@hlldrupal:~ # service pf status
>> Cannot 'status' pf. Set pf_enable to YES in /etc/rc.conf or use
>> 'onestatus' instead of 'status'.
>> root@hlldrupal:~ # service pf onestatus
>> pf.ko is not loaded
>>
>>
>> I note that the flag IFDISABLED is present on the host's lo1. Why? Is
>> this the source of the connectivity problem with the jail? If so then
>> why does the host command work when executed within the jail? In any
>> case I can ping the jail from without:
>>
>> [root@vhost04 ~ (master *%)]# ping 192.168.216.196
>> PING 192.168.216.196 (192.168.216.196) 56(84) bytes of data.
>> 64 bytes from 192.168.216.196: icmp_seq=1 ttl=64 time=0.647 ms
>>
>> I just cannot connect to that address via ssh from without nor can I
>> connect ssh to any address from within the jail.
>>
>>
>
> The handbook suggests that getting loopback traffic is a good thing.
> That said none of our production systems do this and a number of the
> jails use sshguard via inetd. One of the original jail developers did
> not have a handy answer as to why, or if, this is a must. That said, it
> can't hurt.
>
> As to pinging, the answer provided by some very helpful people here, is
> ping -S. This assumes /etc/sysctl.conf has
> 'security.jail.allow_raw_sockets=1' and /usr/local/etc/ezjail/jail-name
> has:
>
> export jail_`jail-name`_parameters="allow.raw_sockets=1"
>
> If you read the thread [anyone know what 'ping: sendto: Can't assign
> requested" means'] it documents my rather painful acquisition of this
> knowledge :)
>

In a jail, by design, ping is considered a security risk by default. jail(8) disables it unless the variable allow.raw_sockets is included in that jail's definition statements. Using the sysctl method enables ping for all jails running on the host. This is ok for testing, but should be turned off for a production environment, and disabling it should be mandatory for any jail accessible from the public network. Read [man 8 jail] for details.

I have not checked ezjail in the last 6 months; at that time it was still using the rc.conf method of jail definitions. At jail start you see a warning message to convert to the jail.conf method. There has been talk that the rc.conf method will be removed in the 11.1 release or very soon after.

I would not assume that ezjail being in the handbook means it is a recommended way to go. It's just one of many jail command wrapper utilities. Like all ports, things change, and updating the handbook documentation is not the responsibility of the port maintainer, so it becomes outdated and misleading. You are not the first person to fall into this hole. There has been talk about removing all port documentation from the handbook just for this reason.
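The per-jail allow.raw_sockets setting discussed above, written out as a jail.conf definition, is given here as an added example; it is not from the thread, from ezjail, or from the FreeBSD handbook. It keeps the two-address layout James gave to ezjail-admin (lo1|127.0.1.1 and vtnet0|192.168.216.196) and contrasts it with a second, throwaway jail where raw sockets are switched on for that one jail only, so the host-wide security.jail.allow_raw_sockets sysctl that Doug mentions can stay at its default of 0. The jail root /usr/jails/$name, the second jail's name testjail and its address 192.168.216.197 are assumptions made for the example.

```conf
# /etc/jail.conf (jail.conf method; example only, names and paths are assumed)

# Defaults shared by every jail below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";
host.hostname = "$name";

# Public-facing jail from the thread. ip4.addr takes the same
# "interface|address" form that ezjail-admin was given. allow.raw_sockets
# is deliberately NOT set, so it stays at the jail(8) default (0):
# ping and traceroute will fail inside this jail by design.
hlldrupal {
    ip4.addr = "lo1|127.0.1.1", "vtnet0|192.168.216.196/32";
}

# Throwaway test jail on a private address (assumed name and address).
# Raw sockets are enabled for this jail alone; inside it
# `ping -S 192.168.216.197 <target>` works without enabling raw sockets
# for every jail on the host via /etc/sysctl.conf.
testjail {
    ip4.addr = "lo1|127.0.1.2", "vtnet0|192.168.216.197/32";
    allow.raw_sockets = 1;
}
```

With the ezjail (rc.conf-style) method that Doug uses, the equivalent per-jail line lives in /usr/local/etc/ezjail/testjail as `export jail_testjail_parameters="allow.raw_sockets=1"`, and no such line is added for hlldrupal. To confirm on the host that the scope really is per jail, compare `jls -j testjail allow.raw_sockets` (expected 1) with `jls -j hlldrupal allow.raw_sockets` (expected 0), and check that `sysctl security.jail.allow_raw_sockets` still reports 0.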