OK, I managed to get it so something else wasn't grabbing *.*, dunno
what made that happen. What you said made me think "Hey, there was
something in the man pages about starting services", I figured I ought to
test that out. So I did:




Pre-Jail process/netstat:
[EMAIL PROTECTED] 07:52:14 (0) /usr/ports  > ps -A | grep syslog
2952  ??  Ss     0:00.08 /usr/sbin/syslogd -b 192.168.1.84
[EMAIL PROTECTED] 07:52:17 (0) /usr/ports  > ps -A | grep send
5489  p2  S+     0:00.00 grep send
[EMAIL PROTECTED] 07:52:25 (0) /usr/ports  > ps -A | grep name
[EMAIL PROTECTED] 07:52:29 (0) /usr/ports  > ps -A | grep inet
[EMAIL PROTECTED] 07:52:31 (0) /usr/ports  > ps -A | grep ssh
2474  ??  Is     0:00.01 /usr/sbin/sshd
5498  p2  R+     0:00.00 grep ssh
[EMAIL PROTECTED] 07:51:08 (0) ~  > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.84.53971     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.84.syslog    *.*




starting jail
[EMAIL PROTECTED] 07:52:50 (0) /usr/ports  > jail /jail/ [EMAIL PROTECTED] 192.168.1.85 /bin/sh /etc/rc
Loading configuration files.
[EMAIL PROTECTED]
Setting hostname: [EMAIL PROTECTED]
Creating and/or trimming log files:.
ln: /dev/log: Operation not permitted
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Clearing /tmp (X related).
Starting local daemons:.
Updating motd.
Starting sshd.
Starting cron.
Local package initialization:.

Sat Feb 24 07:54:40 UTC 2007



Jailed port/binding list:
[EMAIL PROTECTED] 07:54:05 (0) ~  > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.85.smtp      *.*                    LISTEN
tcp4       0      0  192.168.1.85.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.58735     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.85.syslog    *.*
udp4       0      0  192.168.1.84.syslog    *.*



Issue not confused, but it did give me some "try this" tests.
Unfortunately I still can't connect to anything outside of the jail,
not even to the host.
SSHing into jail does not work, into host does.
[EMAIL PROTECTED] 07:54:40 (0) /usr/ports  > jail /jail/ legolas 92.168.1.85 /bin/csh
%ssh -x 192.168.1.84
^C

And as a last test I should have thought of before:
[EMAIL PROTECTED] 07:59:13 (0) /usr/ports  > sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
[EMAIL PROTECTED] 07:59:26 (0) /usr/ports  > jail /jail/ legolas 92.168.1.85 /bin/csh
%ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
^C
--- 127.0.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
%ifconfig
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       ether 00:13:d4:2e:2f:62
       media: Ethernet autoselect (100baseTX <full-duplex>)
       status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384


oh, and for testing purposes, I unhid everything in /jail/dev
[EMAIL PROTECTED] 08:04:20 (0) /usr/ports  > devfs rule -s 666 show
100 path acd* hide
200 path ad10* hide
300 path audio* hide
400 path dsp* hide
500 path apm* hide
600 path dev* hide
700 path geom* hide
800 path kmem* hide
900 path mem* hide
1000 path nfs* hide
1100 path pci* hide
1200 path nvidia* hide
1300 path snd* hide
1400 path sysmouse* hide
1500 path ukbd0* hide
1600 path usb* hide
1700 path ums* hide
1800 path net* mode 755
1900 path ata* hide
2000 path atkbd* hide
2100 path kbd* hide
2200 path fd* hide
2300 path fid* hide
2400 path net* mode 777
2500 path show
2600 path * unhide



Still no luck. Thanks everyone for all the help, hopefully this is
enough information to indicate the problem.

-Jim Stapleton
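A caveat on the devfs ruleset shown in the message above: rules in a set are applied in order and a later rule overrides an earlier one for the same node, so the trailing "2600 path * unhide" undoes every hide before it and leaves kmem, mem and the disk devices (ad10*, acd*) visible in /jail/dev. Root inside the jail can then read or write host memory and raw disks, which is a jail escape. That is acceptable for a quick test but not something to keep. The following is an added example, not from the thread, of the default-deny alternative built from the rulesets that /etc/defaults/devfs.rules already defines; the ruleset name devfsrules_jail_strict, its number 10 and the mount point /jail/dev are assumptions for the example:

```conf
# /etc/devfs.rules (added example, not from the thread).
# Rules apply in order and a later rule wins for the same node, so the set
# starts from hide-all and unhides only what a jail needs. The ruleset name
# and number below are assumptions; the three included sets are the ones
# shipped in /etc/defaults/devfs.rules.
[devfsrules_jail_strict=10]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
```

After /etc/rc.d/devfs has loaded the file (it does so at boot), apply the set to the jail's /dev with `devfs -m /jail/dev rule -s 10 applyset`, or put `devfs_set_rulesets="/jail/dev=devfsrules_jail_strict"` in rc.conf so it is applied automatically. Check the result the same way as in the message above, with `devfs -m /jail/dev rule -s 10 show`, and with `ls /jail/dev`, which should list null, zero, random, urandom, log and the tty/pty nodes but no kmem, mem or disk entries.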







sockstat (referenced at the end of the netstat man page) will show you
process names/ports.

To get any given service to work inside the jail, that IP:Port must
not be bound anywhere else, but it must be bound within the jail.
That is, you need an sshd listening on the host machine port 22, and
a separate sshd listening on the jail port 22.  The same applies for
every service you want to run in both machines.

This can get confusing, too.  It's generally best to always explicitly
limit services by IP on the host, even if you have no intention of
running the same service in a jail.  This will prevent
confusion--imagine that you are wanting to run a webserver on the
host, but not the jail (for some weird reason).  If apache is
listening on all IPs that the host has, it will be listening on the
jail IP, using the host filesystem.

Hope that didn't confuse the issue or anything.



On Sat, Feb 24, 2007 at 03:43:58AM +0000, Jim Stapleton wrote:
> addendum, I fixed syslogd by adding this to my rc.conf:
> syslogd_flags="-b 192.168.1.84"
>
> However, looking through netstat's man page, I couldn't find the name
> of the flag (if it exists) that will show the process name. Does that
> require a different tool?
>
> Thank you,
> -Jim Stapleton
>
>
>
> On 2/24/07, Jim Stapleton <[EMAIL PROTECTED]> wrote:
> >OK, I have a fairly sizeable list, but it looks like most stuff is
> >bound to 192.168.1.84 except two things, one is closed, and the other
> >is syslog (guess I have to look at its man page). It also looks like
> >there is something else there. I guess I'll be looking at the netstat
> >man page to figure out how to get the name of the daemon touching it:
> >
> > > netstat -f inet -a; netstat -f inet6 -a
> >Active Internet connections (including servers)
> >Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> >tcp4       0      0  192.168.1.84.57256     ar-in-f18.google.http  ESTABLISHED
> >tcp4       0      0  192.168.1.84.62237     caim-m05b.blue.a.aol   TIME_WAIT
> >tcp4       0      0  192.168.1.84.58627     oam-d17a.blue.ao.aol   TIME_WAIT
> >tcp4       0      0  192.168.1.84.64265     205.188.7.124.aol      TIME_WAIT
> >tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
> >tcp4       0      0  *.*                    *.*                    CLOSED
> >tcp4       0      0  192.168.1.84.61774     ar-in-f19.google.http  ESTABLISHED
> >tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
> >udp4       0      0  *.syslog               *.*
> >Active Internet connections (including servers)
> >Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> >udp6       0      0  *.syslog               *.*
> >
> >
> >
> >On 2/24/07, Harald Schmalzbauer <[EMAIL PROTECTED]> wrote:
> >> On Saturday, 24 February 2007 04:21, Jim Stapleton wrote:
> >> > I did the ssh after you did the previous mail, but it didn't fix the
> >> > problem.
> >> >
> >> > I'm not having problems with sendmail or named, they were simply mentioned
> >> > in the man page. I never had named running, and I didn't realize
> >> > sendmail was running. The latter was my problem with sendmail. That
> >> > problem as I said is fixed. Beyond that I don't even know which
> >> > process on my system are daemons at this point, except usbd and devd,
> >> > neither of which (to my knowledge) should be listening to any sockets.
> >> > Actually there are a couple of kernel processes (pagedaemon, vmdaemon,
> >> > and bufdaemon), but I don't know where to find documentation on them,
> >> > X, and KDM. I can't find anything on limiting sockets of these to a
> >> > specific IP only.
> >>
> >> To see what daemons are listening you can use 'netstat -f inet -a'. Then you
> >> see if you have to limit some other daemons (use -f inet6 for IPv6 if
> >> configured).
> >>
> >> Please post the output of the command above to see why you get ssh connections
> >> to your jail IP answered by the host's ssh daemon.
> >>
> >> -Harry
> >>
> >> --
> >> OmniSEC  -  UNIX and Windows Networks - Secure
> >> Harald Schmalzbauer
> >> Flintsbacher Str. 3
> >> 80686 München
> >> +49 (0) 89 18947781
> >> +49 (0) 160 93860101
> >>
> >
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"

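Added example, not from the thread: a small sh script that turns the rule in the reply above (every IP:port a jail service needs must not be bound anywhere else, and a host daemon bound to every address is also bound to the jail's address) into a pre-flight check over sockstat(1) output. It reads a `sockstat -4 -l` listing, reports every socket bound to `*`, lists what is already bound on the jail's address, and exits non-zero if a wildcard listener would answer on the jail IP. The embedded sockstat listing is constructed for the demo; the PIDs, the sendmail and httpd entries and the jail IP 192.168.1.85 are assumptions, not output from the original host.

```sh
#!/bin/sh
# Added example (not from the thread): check sockstat -4 -l output for host
# daemons that would shadow a jail's IP before the jail is started.
# Real use:   sockstat -4 -l | sh check_jail_ports.sh 192.168.1.85
# Without an argument the script audits the constructed sample below.

# Constructed sample in the column layout sockstat(1) prints on FreeBSD:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS. The PIDs, the
# sendmail/httpd rows and the jail IP are assumptions for the demo.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    2952  6  udp4   192.168.1.84:514      *:*
root     sshd       2474  3  tcp4   192.168.1.84:22       *:*
root     sendmail   3001  4  tcp4   *:25                  *:*
www      httpd      3100  3  tcp4   *:80                  *:*
root     syslogd    3200  6  udp4   192.168.1.85:514      *:*'

# wildcard_listeners: reads sockstat output on stdin and prints one line
# "COMMAND PID PROTO PORT" per socket bound to every address ("*:port").
wildcard_listeners() {
    awk '
        NR == 1 { next }                    # skip the column header
        {
            n = split($6, la, ":")          # LOCAL ADDRESS is "addr:port"
            if (n == 2 && la[1] == "*")
                printf "%s %s %s %s\n", $2, $3, $5, la[2]
        }'
}

# jail_ip_listeners JAIL_IP: sockets already bound on the jail address.
# sockstat on the host also lists jailed processes, so a hit is either one
# of the jail'"'"'s own daemons or a host daemon that took the address.
jail_ip_listeners() {
    awk -v jail="$1" '
        NR == 1 { next }
        {
            n = split($6, la, ":")
            if (n == 2 && la[1] == jail)
                printf "%s %s %s %s\n", $2, $3, $5, la[2]
        }'
}

# check_before_jail JAIL_IP: reads sockstat output on stdin; returns 0 when
# no wildcard listener exists, 1 (with a report) when one would answer on
# the jail IP.
check_before_jail() {
    input=$(cat)
    wild=$(printf '%s\n' "$input" | wildcard_listeners)
    if [ -n "$wild" ]; then
        echo "Host daemons bound to every address (they will answer on $1 too):"
        printf '%s\n' "$wild" | sed 's/^/  /'
        echo "Bind them to the host IP first (syslogd_flags=\"-b <host-ip>\" in"
        echo "rc.conf, ListenAddress in sshd_config) or disable them."
        return 1
    fi
    echo "No wildcard listeners; $1 is free for the jail's own daemons."
    return 0
}

# Demo: no argument audits the constructed sample; with a jail IP as the
# argument, real sockstat output is read from stdin.
if [ $# -gt 0 ]; then
    check_before_jail "$1" || echo "(exit status $?)"
else
    printf '%s\n' "$SAMPLE_SOCKSTAT" | check_before_jail 192.168.1.85 || echo "(exit status $?)"
fi
```

On the sample the check reports sendmail on port 25 and httpd on port 80 and exits 1; the syslogd bound to 192.168.1.85:514 shows up under jail_ip_listeners, which is expected once the jail's own syslogd is running. Run it before `jail` on the host, fix every wildcard bind it lists, then run it again after the jail's rc has started so that each service the jail needs appears on the jail IP and nowhere else.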