OK, I managed to get it so something else wasn't grabbing *.*, dunno what made that happen. What you said made me think "Hey, there was something in the man pages about starting services", so I figured I ought to test that out. So I did:
Pre-Jail process/netstat:

[EMAIL PROTECTED] 07:52:14 (0) /usr/ports > ps -A | grep syslog
 2952  ??  Ss     0:00.08 /usr/sbin/syslogd -b 192.168.1.84
[EMAIL PROTECTED] 07:52:17 (0) /usr/ports > ps -A | grep send
 5489  p2  S+     0:00.00 grep send
[EMAIL PROTECTED] 07:52:25 (0) /usr/ports > ps -A | grep name
[EMAIL PROTECTED] 07:52:29 (0) /usr/ports > ps -A | grep inet
[EMAIL PROTECTED] 07:52:31 (0) /usr/ports > ps -A | grep ssh
 2474  ??  Is     0:00.01 /usr/sbin/sshd
 5498  p2  R+     0:00.00 grep ssh
[EMAIL PROTECTED] 07:51:08 (0) ~ > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.84.53971     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.84.syslog    *.*

starting jail

[EMAIL PROTECTED] 07:52:50 (0) /usr/ports > jail /jail/ [EMAIL PROTECTED] 192.168.1.85 /bin/sh /etc/rc
Loading configuration files.
[EMAIL PROTECTED]
Setting hostname: [EMAIL PROTECTED]
Creating and/or trimming log files:.
ln: /dev/log: Operation not permitted
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Clearing /tmp (X related).
Starting local daemons:.
Updating motd.
Starting sshd.
Starting cron.
Local package initialization:.
Sat Feb 24 07:54:40 UTC 2007

Jailed port/binding list:

[EMAIL PROTECTED] 07:54:05 (0) ~ > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.85.smtp      *.*                    LISTEN
tcp4       0      0  192.168.1.85.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.58735     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.85.syslog    *.*
udp4       0      0  192.168.1.84.syslog    *.*

Issue not confused, but it did give me some "try this" tests. Unfortunately I still can't connect to anything outside of the jail, not even to the host. SSHing into the jail does not work, into the host does.

[EMAIL PROTECTED] 07:54:40 (0) /usr/ports > jail /jail/ legolas 92.168.1.85 /bin/csh
%ssh -x 192.168.1.84
^C

And as a last test I should have thought of before:

[EMAIL PROTECTED] 07:59:13 (0) /usr/ports > sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
[EMAIL PROTECTED] 07:59:26 (0) /usr/ports > jail /jail/ legolas 92.168.1.85 /bin/csh
%ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
^C
--- 127.0.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
%ifconfig
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:13:d4:2e:2f:62
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

Oh, and for testing purposes, I unhid everything in /jail/dev:

[EMAIL PROTECTED] 08:04:20 (0) /usr/ports > devfs rule -s 666 show
100 path acd* hide
200 path ad10* hide
300 path audio* hide
400 path dsp* hide
500 path apm* hide
600 path dev* hide
700 path geom* hide
800 path kmem* hide
900 path mem* hide
1000 path nfs* hide
1100 path pci* hide
1200 path nvidia* hide
1300 path snd* hide
1400 path sysmouse* hide
1500 path ukbd0* hide
1600 path usb* hide
1700 path ums* hide
1800 path net* mode 755
1900 path ata* hide
2000 path atkbd* hide
2100 path kbd* hide
2200 path fd* hide
2300 path fid* hide
2400 path net* mode 777
2500 path show
2600 path * unhide

Still no luck. Thanks everyone for all the help, hopefully this is enough information to indicate the problem.

-Jim Stapleton
sockstat (referenced at the end of the netstat man page) will show you process names/ports.

To get any given service to work inside the jail, that IP:Port must not be bound anywhere else, but it must be bound within the jail. That is, you need an sshd listening on the host machine port 22, and a separate sshd listening on the jail port 22. The same applies for every service you want to run in both machines.

This can get confusing, too. It's generally best to always explicitly limit services by IP on the host, even if you have no intention of running the same service in a jail. This will prevent confusion--imagine that you are wanting to run a webserver on the host, but not the jail (for some weird reason). If apache is listening on all IPs that the host has, it will be listening on the jail IP, using the host filesystem.

Hope that didn't confuse the issue or anything.

On Sat, Feb 24, 2007 at 03:43:58AM +0000, Jim Stapleton wrote:
> addendum, I fixed syslogd by adding this to my rc.conf:
> syslogd_flags="-b 192.168.1.84"
>
> However, looking through netstat's man page, I couldn't find the name
> of the flag (if it exists) that will show the process name. Does that
> require a different tool?
>
> Thank you,
> -Jim Stapleton
>
> On 2/24/07, Jim Stapleton <[EMAIL PROTECTED]> wrote:
> >OK, I have a fairly sizeable list, but it looks like most stuff is
> >bound to 192.168.1.84 except two things, one is closed, and the other
> >is syslog (guess I have to look at its man page). It also looks like
> >there is something else there. I guess I'll be looking at the netstat
> >man page to figure out how to get the name of the daemon touching it:
> >
> >> netstat -f inet -a; netstat -f inet6 -a
> >Active Internet connections (including servers)
> >Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> >tcp4       0      0  192.168.1.84.57256     ar-in-f18.google.http  ESTABLISHED
> >tcp4       0      0  192.168.1.84.62237     caim-m05b.blue.a.aol   TIME_WAIT
> >tcp4       0      0  192.168.1.84.58627     oam-d17a.blue.ao.aol   TIME_WAIT
> >tcp4       0      0  192.168.1.84.64265     205.188.7.124.aol      TIME_WAIT
> >tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
> >tcp4       0      0  *.*                    *.*                    CLOSED
> >tcp4       0      0  192.168.1.84.61774     ar-in-f19.google.http  ESTABLISHED
> >tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
> >udp4       0      0  *.syslog               *.*
> >Active Internet connections (including servers)
> >Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> >udp6       0      0  *.syslog               *.*
> >
> >On 2/24/07, Harald Schmalzbauer <[EMAIL PROTECTED]> wrote:
> >> On Saturday, 24 February 2007 04:21, Jim Stapleton wrote:
> >> > I did the ssh after you did the previous mail, but it didn't fix the
> >> > problem.
> >> >
> >> > I'm not having problems with sendmail or named, they were simply mentioned
> >> > in the man page. I never had named running, and I didn't realize
> >> > sendmail was running. The latter was my problem with sendmail. That
> >> > problem as I said is fixed. Beyond that I don't even know which
> >> > processes on my system are daemons at this point, except usbd and devd,
> >> > neither of which (to my knowledge) should be listening to any sockets.
> >> > Actually there are a couple of kernel processes (pagedaemon, vmdaemon,
> >> > and bufdaemon), but I don't know where to find documentation on them,
> >> > X, and KDM. I can't find anything on limiting sockets of these to a
> >> > specific IP only.
> >>
> >> To see what daemons are listening you can use 'netstat -f inet -a'. Then you
> >> see if you have to limit some other daemons (use -f inet6 for IPv6 if
> >> configured).
> >>
> >> Please post the output of the command above to see why you get ssh connections
> >> to your jail IP answered by the host's ssh daemon.
> >>
> >> -Harry
> >>
> >> --
> >> OmniSEC - UNIX and Windows Networks - Secure
> >> Harald Schmalzbauer
> >> Flintsbacher Str. 3
> >> 80686 München
> >> +49 (0) 89 18947781
> >> +49 (0) 160 93860101
> >>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
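As an added example (not code from the thread or anything the posters ran), the following POSIX sh script audits sockstat-style listener output for the binding rule in the reply above: any host service bound to the wildcard address will also answer on the jail's IP, so the check lists wildcard binds and what is bound to a given IP. The sockstat sample is constructed to mirror a host with one leftover wildcard sshd and syslogd, a host-bound httpd, and the jail's own sshd.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits the output of
# "sockstat -4 -l" (FreeBSD) for listeners that would collide with a jail.
# Column layout assumed: USER COMMAND PID FD PROTO LOCAL FOREIGN.

# Constructed sample, not captured from the poster's machine.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       2474  3  tcp4   *:22                  *:*
root     syslogd    2952  6  udp4   *:514                 *:*
www      httpd      3101  4  tcp4   192.168.1.84:80       *:*
root     sshd       6010  3  tcp4   192.168.1.85:22       *:*'

# Print "COMMAND PID LOCAL" for every listener bound to the wildcard (*:port).
# Such a socket answers on every address the host owns, including any jail IP,
# which is exactly how a host sshd ends up answering on the jail address.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $3, $6 }'
}

# Print "COMMAND PID LOCAL" for listeners bound to one specific IP, so you can
# confirm the host IP and the jail IP each have their own copy of a service.
# Usage: listeners_on IP < sockstat-output
listeners_on() {
    awk -v ip="$1" 'NR > 1 && index($6, ip ":") == 1 { print $2, $3, $6 }'
}

# Count report lines; wc pads its output on some systems, so strip blanks.
count_lines() {
    wc -l | tr -d ' '
}

# Stand-alone run: show the wildcard binds that need an explicit host IP.
echo "Listeners bound to the wildcard address (should be empty on a jail host):"
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
```

On a live host replace the sample with `sockstat -4 -l | wildcard_listeners`; each line it prints is a daemon that still needs an address flag (like the syslogd_flags="-b ..." fix in the quoted message) or an equivalent listen-address setting.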