Date: Fri, 22 Feb 2013 06:10:44 +0000
From: "Teske, Devin" <Devin.Teske@fisglobal.com>
To: Shane Ambler <FreeBSD@ShaneWare.Biz>
Cc: "doug@safeport.com" <doug@safeport.com>, "Teske, Devin" <Devin.Teske@fisglobal.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, 'Bernt Hansson' <bah@bananmonarki.se>
Subject: RE: jail and networking
Message-ID: <13CA24D6AB415D428143D44749F57D7201EAC9AE@ltcfiswmsgmb21>
In-Reply-To: <5127043C.8020306@ShaneWare.Biz>
References: <5124F505.4040906@bananmonarki.se> <13CA24D6AB415D428143D44749F57D7201EABA71@ltcfiswmsgmb21> <51250B20.4000308@bananmonarki.se> <512510ED.6080807@mail.com> <51251496.4050701@bananmonarki.se> <13CA24D6AB415D428143D44749F57D7201EABC1F@ltcfiswmsgmb21> <51251FA5.6030903@mail.com> <alpine.BSF.2.00.1302201613280.27836@fledge.watson.org> <512554C6.3070306@bananmonarki.se> <alpine.BSF.2.00.1302201830160.74170@oceanpt.safeport.com> <51258CEA.1050006@ShaneWare.Biz> <alpine.BSF.2.00.1302211347590.10788@fledge.watson.org> <031701ce1068$baa82cf0$2ff886d0$@fisglobal.com> <5127043C.8020306@ShaneWare.Biz>
On Thu, 21 Feb 2013, Shane Ambler wrote:
> On 22/02/2013 05:52, Devin Teske wrote:
>
> > What I find strange is that:
> >
> > 1. I knew about ListenAddress w/respect to jails, but...
> >
> > 2. We are not changing it (sshd_config has no ListenAddress -- leading to
> > default values used), yet...
> >
> > 3. Base machine and jails both work fine
> >
> > Not sure when it's required versus not, because we're running fine without that
> > change here with over a dozen jails.
> >
> > The only thing I've ever noticed is that we tend to use
> > jail_NAME_ip="iface|addr" while most everybody else seems to be using
> > jail_NAME_ip="addr".
> >
>
> We may need to expand out from that. I use jail_NAME_ip="addr" but also
>
> ipv4_addrs_re0="10.0.0.254/24 10.0.0.1-5/24"
> route_jaillan0="-net 10.0.0.0/24 10.0.0.254"
> static_routes="jaillan0"
>
> Don't recall where I got that from but think it was an easy way to alias
> a number of ip's whereas ifconfig_<iface>_alias0 sets one ip at a time
> and is also deprecated.
>
> If you use jail_NAME_ip="iface|addr" does this mean you don't have ip
> addresses aliased to the iface on startup and they get aliased as the
> jail starts? That would be why sshd isn't bound to the address before.

Correct, and this was my leading theory.

> man rc.conf for jail_<jname>_ip says "... Additionally each address can
> be prefixed by the name of an interface followed by a pipe to overwrite"
> does that mean it clears the ip from the base system and re-creates it
> for the jail?

Dunno -- I first learned about "iface|addr" from reading the code. It did what I wanted _and_ improved the clarity/readability of rc.conf(5) in the case of multiple jails utilizing separate interfaces on similar subnets. Thus, it was embraced.

> I also see jail_<jname>_interface "...When set, sets the interface to
> use when setting IP address alias. Note that the alias is created at
> jail startup and removed at jail shutdown."

Never used that setting before.

> Which is what sounds like the solution to not have ip's available when
> sshd starts so it isn't bound to them.

Right-o.

> Also what sys version were these options added?

I would guess 8.x as we're using iface|addr in 8.1 (as previously mentioned, not using jail_<jname>_interface -- dunno about that one).

The following URLs might be of assistance in tracking down the origins of various options:

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail
http://svnweb.freebsd.org/base/head/etc/rc.d/jail

--
Devin
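As an added example (not code from this thread and not FreeBSD's own rc.d/jail), the POSIX sh script below decodes jail_<jname>_ip values in the "iface|addr" form discussed above and flags a host sshd that listens on the wildcard address, which is the listener that will also answer on aliases the jails add later. The sockstat output, interface names and addresses are constructed sample data, and the parser follows the rc.conf(5) description rather than the exact rc.d/jail code.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.d/jail.

# parse_jail_ip DEFAULT_IFACE "ip list"
# Each entry may be "addr", "addr/prefix" or "iface|addr[/prefix]".
# Prints "iface addr" per entry; entries without an "iface|" prefix get
# DEFAULT_IFACE (what jail_<jname>_interface would supply). This mirrors
# the rc.conf(5) wording, not the exact rc.d/jail implementation.
parse_jail_ip() {
    default_iface=$1
    for entry in $2; do
        case $entry in
            *\|*) iface=${entry%%|*}; addr=${entry#*|} ;;
            *)    iface=$default_iface; addr=$entry ;;
        esac
        printf '%s %s\n' "${iface:--}" "${addr%%/*}"
    done
}

# host_sshd_wildcard "sockstat -4l output"
# Returns 0 when an sshd process listens on *:22. A wildcard listener
# accepts connections on every local address, including aliases that
# only appear when a jail starts.
host_sshd_wildcard() {
    printf '%s\n' "$1" |
        awk '$2 == "sshd" && $6 == "*:22" { hit = 1 } END { exit !hit }'
}

# Constructed sockstat -4l sample for a stand-alone run (not a real host).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     syslogd    501   6  udp4   *:514                 *:*'

# report DEFAULT_IFACE "ip list" "sockstat output"
# One line per jail address saying whether the host sshd would answer on it.
report() {
    parse_jail_ip "$1" "$2" | while read -r iface addr; do
        if host_sshd_wildcard "$3"; then
            echo "$iface $addr: host sshd on *:22 will also answer here"
        else
            echo "$iface $addr: no wildcard sshd listener on the host"
        fi
    done
}

# Sample run with constructed rc.conf-style values.
report re0 "re0|10.0.0.1/24 em0|10.0.1.1 10.0.0.2" "$SAMPLE_SOCKSTAT"
```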