Date:      Fri, 03 Jan 2014 01:44:27 +1100
From:      nano <nanotek@bsdbox.co>
To:        freebsd-questions@freebsd.org
Subject:   losing jail alias IP addresses
Message-ID:  <52C57B4B.2090308@bsdbox.co>

I keep dropping jail (alias) IP addresses; that is, the IP disappears 
from ifconfig on the host and in the jail, and whatever services (e.g. 
web or mail server) are running in the jail become inaccessible.

An example jail creation process on FreeBSD nakatomi.bsdbox.co 
9.2-RELEASE FreeBSD 9.2-RELEASE #0 r255898: Fri Sep 27 03:52:52 UTC 2013 
root@bake.isc.freebsd.org:/usr/obj/usr/src/sys/GENERIC i386

# ifconfig wlan0 alias 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
# echo 'ifconfig_wlan0_alias3="inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255"' >> /etc/rc.conf
# echo '10.0.0.22 leavenworth' >> /etc/hosts
# ezjail-admin create leavenworth 10.0.0.22
# cp /etc/resolv.conf /usr/jails/leavenworth/etc/
# ezjail-admin start leavenworth
# ezjail-admin console leavenworth
# echo 'hostname="leavenworth"' >> /etc/rc.conf
# vi /etc/hosts
     127.0.0.1 localhost leavenworth
     10.0.0.22 leavenworth
     :wq


This occurs with some regularity. I have 3 development jails running and 
at least one of them will drop an IP every 24-72 hours. There appears to 
be no regular pattern, albeit at least one will go down every couple days.

I assigned a /32 CIDR to all jails (in the example above you will notice 
a /24 assignment); this did not provide a fix. I assigned an IP to the 
host in its rc.conf; this did not solve the problem either.

Further intel:

# cat /etc/rc.conf:
hostname="nakatomi.bsdbox.co"
wlans_ath0="wlan0"
ifconfig_wlan0="WPA DHCP"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
dumpdev="NO"
#hald_enable="YES"
#dbus_enable="YES"
pf_enable="YES"
pflog_enable="YES"
fail2ban_enable="YES"
#ifconfig_wlan0="inet 10.0.0.50/24"
#defaultrouter="10.0.0.138"

# AMP
ifconfig_wlan0_alias0="inet 10.0.0.111 netmask 0xffffffff broadcast 10.0.0.255"
# relay
ifconfig_wlan0_alias1="inet 10.0.0.112 netmask 0xffffffff broadcast 10.0.0.255"
# mail srv
ifconfig_wlan0_alias2="inet 10.0.0.113 netmask 0xffffffff broadcast 10.0.0.255"
# research and tech dev
ifconfig_wlan0_alias3="inet 10.0.0.114 netmask 0xffffffff broadcast 10.0.0.255"
ezjail_enable="YES"

# cat /etc/hosts
127.0.0.1       localhost localhost.bsdbox.co
127.0.0.1       nakatomi.bsdbox.co nakatomi localhost
10.0.0.50       nakatomi.bsdbox.co nakatomi
10.0.0.111      bsdbox.co
10.0.0.112      zero.bsdbox.co zero
10.0.0.113      mail.bsdbox.co mail
10.0.0.114      rtd.bsdbox.co rtd

I notice that whenever the alias IP drops, my router displays the host 
IP as an address belonging to one of the jails. However, I have a static 
IP assignment to the host in my router configuration.

log/messages reveals WPA rekeying every 10 minutes:
Jan  3 01:04:13 nakatomi wpa_supplicant[568]: WPA: Group rekeying completed with IPv6 [GTK=CCMP]
Jan  3 01:14:13 nakatomi wpa_supplicant[568]: WPA: Group rekeying completed with IPv6 [GTK=CCMP]
Jan  3 01:24:13 nakatomi wpa_supplicant[568]: WPA: Group rekeying completed with IPv6 [GTK=CCMP]
Jan  3 01:34:13 nakatomi wpa_supplicant[568]: WPA: Group rekeying completed with IPv6 [GTK=CCMP]

host /etc/pf.conf:
ext_if="wlan0"
table <fail2ban> persist
set skip on lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if from <fail2ban> to any
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state


sample ezjail configuration file:
export jail_bsdbox_co_hostname="bsdbox.co"
export jail_bsdbox_co_ip="10.0.0.111"
export jail_bsdbox_co_rootdir="/usr/jails/bsdbox.co"
export jail_bsdbox_co_exec_start="/bin/sh /etc/rc"
export jail_bsdbox_co_exec_stop=""
export jail_bsdbox_co_mount_enable="YES"
export jail_bsdbox_co_devfs_enable="YES"
export jail_bsdbox_co_devfs_ruleset="devfsrules_jail"
export jail_bsdbox_co_procfs_enable="YES"
export jail_bsdbox_co_fdescfs_enable="YES"


sample pflog dump (appears to be repeated igmp queries* every couple 
minutes):
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
2014-01-03 01:11:58.827324 IP BigPond.BigPond > all-systems.mcast.net: igmp query v3
2014-01-03 01:14:03.858878 IP BigPond.BigPond > all-systems.mcast.net: igmp query v3
2014-01-03 01:16:08.889474 IP BigPond.BigPond > all-systems.mcast.net: igmp query v3
2014-01-03 01:18:13.920559 IP BigPond.BigPond > all-systems.mcast.net: igmp query v3
2014-01-03 01:20:18.951744 IP BigPond.BigPond > all-systems.mcast.net: igmp query v3
2014-01-03 01:22:24.290028 IP BigPond.BigPond > all-systems.mcast.net: igmp query v3
2014-01-03 01:24:29.321296 IP BigPond.BigPond > all-systems.mcast.net: igmp query v3


Not really sure what to do; obviously there is some user error. I am 
seeking any suggestions. Thank you.


*UPnP perhaps?

-- 
syn.bsdbox.co
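The post above reports alias addresses silently vanishing from wlan0 and only being noticed once a jail's services stop answering. The script below is an added example, not code from the original post or from ezjail: it compares the alias addresses declared in an rc.conf against the addresses an interface actually carries and reports any that have gone missing, which is the check a cron job or monitoring agent would run to catch the drop before users do. The function names (rc_alias_addrs, ifconfig_addrs, missing_aliases) and both input files are constructed for this example; on a real host you would feed it /etc/rc.conf and the output of `ifconfig wlan0`.

```shell
# Added example: detect rc.conf alias addresses that are no longer present
# on the live interface. Function names and sample data are constructed
# for this illustration.

# Print the IPv4 addresses declared by ifconfig_<if>_aliasN= lines.
# $1 = interface name, stdin = rc.conf contents.
# Commented-out lines are skipped so disabled aliases are not expected.
rc_alias_addrs() {
    grep -v '^[[:space:]]*#' | grep "^ifconfig_$1_alias[0-9]*=" | \
        sed -n 's/.*inet[[:space:]]*\([0-9.]*\).*/\1/p'
}

# Print the IPv4 addresses shown in ifconfig output (stdin).
ifconfig_addrs() {
    awk '$1 == "inet" { print $2 }'
}

# Print each declared alias that is absent from the live interface.
# $1 = interface, $2 = rc.conf file, $3 = file holding `ifconfig $1` output.
# On a real host the caller could re-add a missing one with
#   ifconfig "$1" inet "$addr" netmask 0xffffffff alias
# and log the event; here we only report it.
missing_aliases() {
    for addr in $(rc_alias_addrs "$1" < "$2"); do
        if ! ifconfig_addrs < "$3" | grep -qx "$addr"; then
            echo "$addr"
        fi
    done
}

# Constructed sample rc.conf fragment, shaped like the host's aliases.
# The commented-out alias9 entry must be ignored by the check.
SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
hostname="nakatomi.bsdbox.co"
ifconfig_wlan0="WPA DHCP"
ifconfig_wlan0_alias0="inet 10.0.0.111 netmask 0xffffffff broadcast 10.0.0.255"
ifconfig_wlan0_alias1="inet 10.0.0.112 netmask 0xffffffff broadcast 10.0.0.255"
#ifconfig_wlan0_alias9="inet 10.0.0.199 netmask 0xffffffff broadcast 10.0.0.255"
EOF

# Constructed sample ifconfig output in which alias1 (10.0.0.112) has dropped.
SAMPLE_IFCONFIG=$(mktemp)
cat > "$SAMPLE_IFCONFIG" <<'EOF'
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.50 netmask 0xffffff00 broadcast 10.0.0.255
        inet 10.0.0.111 netmask 0xffffffff broadcast 10.0.0.255
EOF

# Report what is missing; with the sample data this prints 10.0.0.112.
missing_aliases wlan0 "$SAMPLE_RC" "$SAMPLE_IFCONFIG"
```

Run from cron every few minutes on the host (not inside a jail, since a jail cannot see or restore the host's interface addresses) and pipe the output to logger, so that the timestamp of each disappearance can be lined up against /var/log/messages and the dhclient or wpa_supplicant events around it.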



