Date: Thu, 14 Aug 2014 11:08:01 -0700 (PDT)
From: Beeblebrox <zaphod@berentweb.com>
To: freebsd-jail@freebsd.org
Subject: Re: Allow jail to see source IP of incoming traffic
Message-ID: <20140814210726.30e38251@rsbsd.rsb>
In-Reply-To: <53ECE309.5040302@freebsd.org>
References: <1408012260325-5938163.post@n5.nabble.com> <53ECE309.5040302@freebsd.org>
> Connections to localhost (127.0.0.1) from inside the jail are rerouted
> to the jails primary IP, since the jail does not have access to the
> loopback adapter.

That's what I was attempting to describe in my awkward manner, except that if the jail iface is an alias of loopback, one gets a similar result when sending traffic from the host.

> This can cause local connections to appear to be coming from the jails IP
> rather than loopback, but other than that, everyone should show the
> original source IP address.

What happened was that connecting to the jailed mlnet session from the host resulted in being refused, and adding <jail_ip> to allowed_ips was the only possible solution. My jails run on an alias of lo:

/etc/rc.conf:
cloned_interfaces="lo2"

/etc/jail.conf:
interface = lo2; \
ip4.addr = 192.168.2.xxx/32;

> What address are you seeing the connections as coming from? Where are
> they actually coming from?

I didn't run tcpdump or anything (booo!). The only flag I reacted to was "allowed_ips" for the gui not permitting the host, and once I relaxed that, I needed to clarify before I proceeded any further (no attempts to download anything as yet, so no incoming external traffic).

Under this configuration I tried to describe mean that only members of host/localhost will be able to connect to the mlnet daemon?

Thank you.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS

--
View this message in context: http://freebsd.1045724.n5.nabble.com/Allow-jail-to-see-source-IP-of-incoming-traffic-tp5938163p5938334.html
Sent from the freebsd-jail mailing list archive at Nabble.com.
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 18:25:36 2014
Date: Thu, 14 Aug 2014 11:25:05 -0700 (PDT)
From: Beeblebrox <zaphod@berentweb.com>
To: freebsd-jail@freebsd.org
Message-ID: <20140814212432.5ba83a6f@rsbsd.rsb>
In-Reply-To: <53ECE309.5040302@freebsd.org>
References: <1408012260325-5938163.post@n5.nabble.com> <53ECE309.5040302@freebsd.org>
Subject: Re: Allow jail to see source IP of incoming traffic

>> Under this configuration I tried to describe mean that only members
>> of host/localhost will be able to connect to the mlnet daemon?

correction: Under the configuration I have tried to describe; does it mean that only members of host/localhost will be able to connect to the mlnet daemon?

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
From owner-freebsd-jail@FreeBSD.ORG Thu Aug 14 23:13:35 2014
Date: Thu, 14 Aug 2014 17:13:33 -0600 (MDT)
From: Warren Block <wblock@wonkity.com>
To: James Gritton <jamie@freebsd.org>
Cc: freebsd-jail@FreeBSD.org
Subject: Re: How early can jails be started?
In-Reply-To: <alpine.BSF.2.11.1408131820440.96581@wonkity.com>
Message-ID: <alpine.BSF.2.11.1408141701560.46108@wonkity.com>
References: <alpine.BSF.2.11.1408091848040.38134@wonkity.com> <53E6F664.10702@freebsd.org> <alpine.BSF.2.11.1408131820440.96581@wonkity.com>

On Wed, 13 Aug 2014, Warren Block wrote:

> It works... mostly. This file is /etc/rc.d/earlyjail:
>
> #!/bin/sh
> # PROVIDE: earlyjail
> # REQUIRE: netwait
> # KEYWORD:
> # BEFORE: mountcritremote
> /usr/local/etc/rc.d/ezjail start dns1
>
> When /etc/rc.d/jail runs much later in the startup, it tries to start that
> jail again, and gets an error because of it.
> Seeing the error, it deletes
> /var/run/jail_dns1.id. ezjail uses those jail_*.id files to detect which
> jails are running, and is sure that dns1 is not running. jls does show things
> correctly. I'm not sure if there is a workaround short of modifying
> /etc/rc.d/jail.

A small patch to /etc/rc.d/jail checks whether a jail is already running and leaves the /var/run/jail_jailname.id file in place. With this, ezjail works fine with the early-started jail. There might be security or other implications that should be considered. Only superficially tested so far.

It's conceivable that someone might want to start all jails early, but I have not modified that branch of the code.

--- /usr/src/etc/rc.d/jail 2014-07-03 19:10:00.000000000 -0600
+++ /etc/rc.d/jail 2014-08-14 16:59:23.000000000 -0600
@@ -488,6 +488,12 @@ eval rc_flags=\${jail_${_j}_flags:-$jail_flags} eval command=\${jail_${_j}_program:-$jail_program} command_args="-i -f $_conf -c $_j" + + if jls name | grep -x -q "$_j" ;then + echo " $_j already started" + continue + fi + _tmp=`mktemp -t jail` || exit 3 if $command $rc_flags $command_args \ >> $_tmp 2>&1 </dev/null; then
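Review bot: the added `if jls name | grep -x -q "$_j" ;then` treats the jail name as a regular expression, so a name containing a dot (FQDN-style names such as dns1.example) also matches a running jail that differs at that position; `grep -F -x -q -- "$_j"` compares the name literally. On the "security or other implications" the message itself raises: the guard accepts any jail of that name regardless of how it was started, so rc.d/jail will `continue` past a name-matched jail it did not start and leave whatever jail_<name>.id file exists in place; if that matters, checking that the id file's jid matches what `jls` reports for the name would tie the two together.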
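The "already started" guard from Warren's patch as a function, beside a simulation of the id-file deletion he describes, as an added example that is not code from the thread or from FreeBSD's own /etc/rc.d/jail; `jls name` is replaced by a stub with constructed output, and the jail names, the stand-in run directory and the jid placeholder are assumptions.

```shell
# Added example (not from the thread or from FreeBSD's /etc/rc.d/jail).
# `jls name` is stubbed so the script runs on any POSIX shell.

# Stub for `jls name`: one running jail per line (constructed sample data).
jls_name_stub() {
    printf '%s\n' 'dns1' 'dns1-lan' 'build'
}

# As in the patch: -x matches the whole line, but the name is still a
# regular expression, so a "." in a jail name matches any character.
jail_running_regex() {
    jls_name_stub | grep -x -q "$1"
}

# Fixed-string match (-F): the jail name is compared literally.
jail_running_fixed() {
    jls_name_stub | grep -F -x -q -- "$1"
}

# Simulation of the rc.d/jail start branch for one jail.
#   $1 = jail name, $2 = directory standing in for /var/run,
#   $3 = "patched" to apply the guard, anything else for the old behaviour.
# A jail(8) start for a name already in use fails, and (as described in the
# thread) the unpatched script then removes jail_<name>.id, the file ezjail
# relies on to know that the jail is running.
rcjail_start() {
    idfile="$2/jail_$1.id"
    if [ "$3" = patched ] && jail_running_fixed "$1"; then
        echo " $1 already started"
        return 0                        # guard taken: id file untouched
    fi
    if jail_running_fixed "$1"; then    # stand-in for jail(8) failing
        rm -f "$idfile"                 # old behaviour on a failed start
        return 1
    fi
    echo "jid-placeholder" > "$idfile"  # stand-in for recording the new jid
    return 0
}
```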