From: "Spil Oss"
Date: Thu, 8 Jan 2009 12:10:06 +0100
To: lists@peter.de.com, ezjail@erdgeist.org, freebsd-stable@freebsd.org
Message-ID: <5fbf03c20901080310g69da867v1fc8dadcdb4ca7ae@mail.gmail.com>
In-Reply-To: <20090108105448.4cd6dcfe@dilbert.office.centralnic.com>
Subject: Re: Problems with network in jail
Reply-To: spil.oss@gmail.com
List-Id: Production branch of FreeBSD source code

Hi Peter,

Thanks a lot! Will read up on that. (luckily I do speak German/Swiss-German).

From discussions on ##FreeBSD IRC I learned that it is not recommended to use lo0 for jails! On FreeBSD-6.3 I successfully used lo0/127.0.0.2 for my mysql jail that needed to be addressed only locally, but ONLY LOCALLY, no other access. It may be possible to add a line similar to

    00100 divert 8668 ip from any to any in via xl0

to my ipfw/NAT config, but being warned, I'm not going down that path.

Since I moved my portbuild jail to bridge0/172.17.2.17 it works as expected, without device mem! And to boot I made errors when creating my aliases (ifconfig bridge0 inet 172.17.2.17 netmask *172.17.2.255* instead of 255.255.255.0).

I will protect the jails that only need to be connected to from local by adding rules to my ipfw setup.

Now let's hope that my failures/problems serve as reference for future users of (ez)jail!

Kind regards,

Spil.

2009/1/8 Oliver Peter :
> On Thu, 8 Jan 2009 11:07:04 +0100
> "Spil Oss" wrote:
>
>> Early this week, I upgraded from 7.0 to 7.1 (not having 'used' jails
>> on 7.0). After creating the jail with
>> `ezjail-admin update -i`
>> I created a 'ports build' jail
>> `ezjail-admin create build 127.0.0.3`
>> and forgot to add the alias to lo0, so no networking of course.
>> So I added the 127.0.0.3 alias to lo0
>> `ifconfig lo0 inet 127.0.0.3 alias`
>> and restarted the jail
>
> If you use the loopback device for your jails you have to add NAT rules
> to your host machine, this documentation is very useful:
>
> http://www.rootforum.de/wiki/freebsd/04_jail_infrastructure#packet_filter_einrichten
>
> (The article is in German, but the configuration stuff should be
> understandable anyway)
>
> --
> Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
> "If it feels good, you're doing something wrong."
> -- Coach McTavish
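
Added example, not part of either message above: a small sh lint for the two slips discussed in this thread, a broadcast address passed as the `netmask` argument and a jail address placed on lo0 (which, per the quoted reply, needs NAT on the host). The function names and the sample command list are assumptions made for this illustration.

```sh
#!/bin/sh
# Print a dotted quad as a 32-bit integer; fail on malformed input.
ip_to_int() (                       # subshell body keeps the IFS change local
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        # reject empty octets, leading zeros (octal in arithmetic) and >255
        case $_o in ''|0?*|????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# A valid netmask is 1-bits followed only by 0-bits, so (~mask + 1) is a power of two.
is_contiguous_mask() {
    _m=$(ip_to_int "$1") || return 1
    _inv=$(( ~$_m & 0xFFFFFFFF ))
    [ $(( $_inv & ($_inv + 1) )) -eq 0 ]
}

# Lint "ifconfig IF inet ADDR [netmask MASK]"; prints findings, returns 1 on an error.
check_ifconfig() {
    _addr= _mask= _prev= _rc=0
    set -f                          # word-split $1 without globbing
    for _tok in $1; do
        case $_prev in
            inet)    _addr=$_tok ;;
            netmask) _mask=$_tok ;;
        esac
        _prev=$_tok
    done
    set +f
    _a=$(ip_to_int "$_addr") || { echo "ERROR: bad or missing inet address '$_addr'"; return 1; }
    if [ -n "$_mask" ] && ! is_contiguous_mask "$_mask"; then
        echo "ERROR: netmask $_mask is not a contiguous mask (broadcast address?)"
        _rc=1
    fi
    [ $(( $_a >> 24 )) -ne 127 ] ||
        echo "NOTE: $_addr is on loopback: host-only unless the host NATs for it"
    return $_rc
}

# Constructed sample input, based on the commands quoted in the thread.
for _cmd in "ifconfig lo0 inet 127.0.0.3 alias" \
            "ifconfig bridge0 inet 172.17.2.17 netmask 172.17.2.255" \
            "ifconfig bridge0 inet 172.17.2.17 netmask 255.255.255.0"; do
    echo "$_cmd"; check_ifconfig "$_cmd" || true
done
```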