From: joerg_surmann
To: Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD-Jail
Subject: Re: two NIC's in a jail
Date: Fri, 23 Mar 2018 20:12:12 +0100
Message-ID: <2ad4c65f-6940-10fb-eccd-fa31a43a793a@elektropost.org>
List-Id: "Discussion about FreeBSD jail(8)"

Hi,

thanks for your help.
I can't find a solution.
But I have found a strange IP config.

In rc.conf on the host (not jail):

ifconfig_vmx0_alias1="inet 192.168.100.2  netmask 255.255.255.0"
ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"

ifconfig on the host says:
inet 213.70.80.92 netmask 0xffffffff broadcast 213.70.80.92
inet 192.168.100.2  netmask 0xffffffff broadcast 192.168.100.2

ifconfig says /32 for both IPs.
Maybe that's the reason Apache is unavailable.
ifconfig inside the jail says the same.

I'm a little bit confused.

On 23.03.2018 at 17:41, Miroslav Lachman wrote:
> Joerg Surmann wrote on 2018/03/23 17:14:
>> tail -f /var/log/httpd-access.log
>> 192.168.100.2 - - [23/Mar/2018:13:12:10 +0000] "OPTIONS * HTTP/1.0" 200 -
>> 192.168.100.2 - - [23/Mar/2018:15:12:02 +0000] "OPTIONS * HTTP/1.0" 200 -
>> 213.70.80.92 - - [23/Mar/2018:15:33:07 +0000] "OPTIONS * HTTP/1.0" 200 -
>> 213.70.80.92 - - [23/Mar/2018:15:33:08 +0000] "OPTIONS * HTTP/1.0" 200 -
>> 213.70.80.92 - - [23/Mar/2018:15:33:09 +0000] "OPTIONS * HTTP/1.0" 200 -
>> 213.70.80.92 - - [23/Mar/2018:15:35:37 +0000] "GET / HTTP/1.1" 302 209
>> 213.70.80.92 - - [23/Mar/2018:15:35:44 +0000] "OPTIONS * HTTP/1.0" 200 -
>> 213.70.80.92 - - [23/Mar/2018:15:35:45 +0000] "OPTIONS * HTTP/1.0" 200 -
>> 213.70.80.92 - - [23/Mar/2018:15:35:46 +0000] "OPTIONS * HTTP/1.0" 200 -
>> 213.70.80.92 - - [23/Mar/2018:15:58:05 +0000] "GET / HTTP/1.1" 302 209
>
> How did you do the request from 213.70.80.92? It was made from
> localhost where Apache runs?
>
>> jls -v
>>    JID  Hostname                      Path
>>         Name                          State
>>         CPUSetID
>>         IP Address(es)
>>
>>      2  apache24                      /usr/jails/apache24
>>         apache24                      ACTIVE
>>         3
>>         192.168.100.2
>>         213.70.80.92
>
> Looks good
>
>> jls -s
>>
>> devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable
>> jid=2 name=apache24 osreldate=1101001 osrelease=11.1-RELEASE
>> path=/usr/jails/apache24 nopersist securelevel=-1 sysvmsg=disable
>> sysvsem=disable sysvshm=disable allow.nochflags allow.mount
>> allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs
>> allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs
>> allow.mount.notmpfs allow.mount.nozfs allow.noquotas
>> allow.raw_sockets allow.noset_hostname allow.nosocket_af
>> allow.nosysvipc children.max=0 host.domainname="" host.hostid=0
>> host.hostname=apache24
>> host.hostuuid=00000000-0000-0000-0000-000000000000
>
> This is strange. You have ip4=disable ip6=disable. My jails have
> "ip4=new ip6=disable"
> And you don't have ip4.addr at all. I have ip4.addr=172.16.16.2 for
> example
>
> Miroslav Lachman
>
>
>> On 23.03.2018 at 16:58, Miroslav Lachman wrote:
>>> Joerg Surmann wrote on 2018/03/23 16:45:
>>>> Thanks for the reply.
>>>>
>>>> netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>>> says:
>>>> netstat: kvm not available: /dev/mem No such file or directory <- is
>>>> inside a jail.
>>>> tcp4    0        0 *.80        *.*        LISTEN
>>>>
>>>> grep -i Listen /usr/local/etc/apache24/httpd.conf
>>>>
>>>> Listen 80
>>>> Listen 443
>>>>
>>>> From the internal IP there is no problem.
>>>> You are right. I'm not sure on which IPs Apache is listening.
>>>>
>>>> I have changed the Listen directive to the external IP in httpd.conf
>>>> Listen 213.70.80.92:80
>>>>
>>>> netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>>> now says:
>>>> tcp4    0        0  213.70.80.92:80        *.*        LISTEN
>>>>
>>>> But Apache is not available from the Internet.
>>>> From the intranet... no problem.
>>>>
>>>> When I use tcpdump on the host I can see traffic.
>>>>
>>>> What's wrong?
>>>
>>> That's strange.
>>>
>>> Listen 80 and Listen 443 is OK, it is the same as
>>>   Listen *:80
>>>   Listen *:443
>>> and as you see with netstat, Apache was listening on both IPs:
>>>  *.80        *.*        LISTEN
>>>
>>> Do you have something listening on port 80 in the Host?
>>>
>>> What netstat shows in the host?
>>>
>>> Also check Apache log files. If you didn't configure virtual host,
>>> then you have just these two log files:
>>> /var/log/httpd-access.log
>>> /var/log/httpd-error.log
>>>
>>> Use tail and then try to access your website from the internet
>>>
>>> # tail -f /var/log/httpd-*.log
>>>
>>> Please send what "jls -v" in the Host will show you. (there should
>>> be 2 IPs for your jail) or "jls -s"  (replace any sensitive
>>> information if you want)
>>>
>>> And move this discussion to proper mailing list:
>>> freebsd-jail@FreeBSD.org
>>>
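
Added example, not part of the original message: the check raised in the thread (does a jail's `jls -s` line have ip4 enabled and an ip4.addr set) written as a small sh/awk filter. The function names and the second sample line are constructed for illustration; the first sample line is abridged from the output quoted above.

```shell
#!/bin/sh
# Added example: report the IPv4 mode and addresses found in `jls -s` output.

# Constructed sample input. Line 1 is abridged from the thread; line 2 is a
# made-up jail using the ip4=new / ip4.addr values mentioned in the reply.
sample_jls() {
cat <<'EOF'
devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2 name=apache24 path=/usr/jails/apache24 nopersist securelevel=-1 allow.raw_sockets host.domainname="" host.hostname=apache24
enforce_statfs=2 host=new ip4=new ip6=disable jid=3 name=web ip4.addr=172.16.16.2 path=/usr/jails/web allow.noraw_sockets host.hostname=web
EOF
}

# Reads `jls -s` lines on stdin, one jail per line.
# Prints: <name> <ip4 mode> <ip4.addr or -> <verdict>
check_jail_ip4() {
    awk '{
        name = "?"; mode = "unset"; addr = "-"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue          # bare boolean such as allow.mount
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            gsub(/"/, "", val)             # values may be double-quoted
            if (key == "name") name = val
            else if (key == "ip4") mode = val
            else if (key == "ip4.addr" && val != "") addr = val
        }
        # ip4=disable: no IPv4 in the jail; ip4=new needs its own address
        # list; ip4=inherit shares the host addresses, so no ip4.addr is fine.
        if (mode == "disable") verdict = "NO_IPV4"
        else if (mode == "new" && addr == "-") verdict = "NO_ADDRESS"
        else verdict = "OK"
        print name, mode, addr, verdict
    }'
}

# Stand-alone run over the constructed sample.
sample_jls | check_jail_ip4
```

On a FreeBSD host the same filter would be fed with `jls -s | check_jail_ip4`.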