Re: Jails on FreeBSD 9.0

2012-07-23 Thread Eitan Adler
On 22 July 2012 21:55, Herbert J. Skuhra h.sku...@gmail.com wrote:
 On Sat, 21 Jul 2012 16:10:56 +0200
 Herbert J. Skuhra h.sku...@gmail.com wrote:

 On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com 
 wrote:
  Hi,
 
  ok, this is obviously a pf problem and the reason why the network in
  the jail doesn't work.
 
  ifconfig lo1 create
  ifconfig lo1 10.0.0.10 netmask 0xff00
  nc -s 10.0.0.10 xx.xx.xx.xx 25
 
  With pf: connection fails; server receives SYN-ACK, but nc continues
  sending SYNs until nc gives up
 
  With ipfw: connection OK
 
  On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.

 Could this be a bug in the fxp driver?
 I have a 2nd machine with a fxp nic. Same problem.

 Thanks to yongari@ the issue could be resolved on both machines by
 disabling receive checksum offloading (ifconfig fxp0 -rxsum).

If this is a fxp bug, can you please file a PR explaining the issue
and how to reproduce it?


-- 
Eitan Adler
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
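
The symptom reported in this thread (SYN-ACKs come back, yet nc keeps resending SYNs) can be picked out of a text capture automatically. The following Python script is an added example, not code from the thread or from FreeBSD; the capture lines use constructed documentation addresses, and the function name `stalled_handshakes` is hypothetical.

```python
import re
from collections import defaultdict

# One-line tcpdump TCP output: "<time> IP <src> > <dst>: Flags [<flags>], ..."
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\]")

# Constructed capture (documentation addresses, not taken from the thread):
# flow 1 stalls like the nc test described above, flow 2 completes normally.
SAMPLE = """\
11:41:54.088585 IP 192.0.2.10.51000 > 198.51.100.25.25: Flags [S], seq 100, win 65535, length 0
11:41:54.098838 IP 198.51.100.25.25 > 192.0.2.10.51000: Flags [S.], seq 900, ack 101, win 14180, length 0
11:41:57.288596 IP 192.0.2.10.51000 > 198.51.100.25.25: Flags [S], seq 100, win 65535, length 0
11:41:57.299125 IP 198.51.100.25.25 > 192.0.2.10.51000: Flags [S.], seq 900, ack 101, win 14180, length 0
11:42:00.488595 IP 192.0.2.10.51000 > 198.51.100.25.25: Flags [S], seq 100, win 65535, length 0
11:42:00.498606 IP 198.51.100.25.25 > 192.0.2.10.51000: Flags [S.], seq 900, ack 101, win 14180, length 0
11:42:05.000100 IP 192.0.2.10.51001 > 198.51.100.80.80: Flags [S], seq 500, win 65535, length 0
11:42:05.010200 IP 198.51.100.80.80 > 192.0.2.10.51001: Flags [S.], seq 700, ack 501, win 14180, length 0
11:42:05.010300 IP 192.0.2.10.51001 > 198.51.100.80.80: Flags [.], ack 701, win 1040, length 0
""".splitlines()


def stalled_handshakes(lines, min_syns=2):
    """Return (client, server, syns, synacks) for flows whose handshake never
    completed although the server's SYN-ACKs were captured."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "done": False})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a TCP line in the expected format
        src, dst, flags = m.groups()
        if flags == "S":                      # client sends or resends its SYN
            flows[(src, dst)]["syn"] += 1
        elif flags == "S.":                   # server answers; key stays client-first
            flows[(dst, src)]["synack"] += 1
        elif (src, dst) in flows and "R" not in flags:
            flows[(src, dst)]["done"] = True  # client moved past the SYN stage
    return [(c, s, f["syn"], f["synack"]) for (c, s), f in flows.items()
            if f["syn"] >= min_syns and f["synack"] and not f["done"]]


if __name__ == "__main__":
    for client, server, syns, synacks in stalled_handshakes(SAMPLE):
        print(f"{client} -> {server}: {syns} SYNs, {synacks} SYN-ACKs, no ACK")
```

A flow reported from a capture on the host's public interface means the replies reach the interface but not the connecting socket, which this thread traced to receive checksum offloading on fxp (`ifconfig fxp0 -rxsum`).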


Re: Jails on FreeBSD 9.0

2012-07-23 Thread Herbert J. Skuhra
On Mon, Jul 23, 2012 at 8:31 AM, Eitan Adler li...@eitanadler.com wrote:

 If this is a fxp bug, can you please file a PR explaining the issue
 and how to reproduce it?

kern/170081

-- 
Herbert


Re: Jails on FreeBSD 9.0

2012-07-22 Thread Herbert J. Skuhra
On Sat, 21 Jul 2012 16:10:56 +0200
Herbert J. Skuhra h.sku...@gmail.com wrote:

 On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com 
 wrote:
  Hi,
 
  ok, this is obviously a pf problem and the reason why the network in
  the jail doesn't work.
 
  ifconfig lo1 create
  ifconfig lo1 10.0.0.10 netmask 0xff00
  nc -s 10.0.0.10 xx.xx.xx.xx 25
 
  With pf: connection fails; server receives SYN-ACK, but nc continues
  sending SYNs until nc gives up
 
  With ipfw: connection OK
 
  On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.
 
 Could this be a bug in the fxp driver?
 I have a 2nd machine with a fxp nic. Same problem.

Thanks to yongari@ the issue could be resolved on both machines by
disabling receive checksum offloading (ifconfig fxp0 -rxsum).

-- 
Herbert


Re: Jails on FreeBSD 9.0

2012-07-21 Thread Herbert J. Skuhra
Hi,

ok, this is obviously a pf problem and the reason why the network in
the jail doesn't work.

ifconfig lo1 create
ifconfig lo1 10.0.0.10 netmask 0xff00
nc -s 10.0.0.10 xx.xx.xx.xx 25

With pf: connection fails; server receives SYN-ACK, but nc continues
sending SYNs until nc gives up

With ipfw: connection OK

On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.

Thanks.

-- 
Herbert


Re: Jails on FreeBSD 9.0

2012-07-21 Thread Herbert J. Skuhra
On Sat, Jul 21, 2012 at 11:24 AM, Herbert J. Skuhra h.sku...@gmail.com wrote:
 Hi,

 ok, this is obviously a pf problem and the reason why the network in
 the jail doesn't work.

 ifconfig lo1 create
 ifconfig lo1 10.0.0.10 netmask 0xff00
 nc -s 10.0.0.10 xx.xx.xx.xx 25

 With pf: connection fails; server receives SYN-ACK, but nc continues
 sending SYNs until nc gives up

 With ipfw: connection OK

 On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.

Could this be a bug in the fxp driver?
I have a 2nd machine with a fxp nic. Same problem.

-- 
Herbert


Re: Jails on FreeBSD 9.0

2012-07-17 Thread Kalle Møller
On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra h.sku...@gmail.com wrote:
 On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu joris.ded...@gmail.com wrote:
 2012/7/12 Herbert J. Skuhra h.sku...@gmail.com:
 On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra h.sku...@gmail.com 
 wrote:
 Hi,

 although I've followed the instructions in jail(8) and jail.conf(5) I
 cannot manage to set up jails on FreeBSD 9.0 STABLE (r238334).

 The symptoms:

 * ssh'ing to jail works, but it takes about 20 seconds until password
   prompt appears

 Is it still the same with UseDNS=no in /etc/ssh/sshd_config?

 No, I can login instantly.

 * netstat -r in the jail takes about 150 seconds to finish

 Does netstat -rn do the same?

 No, the output appears immediately.

 * connections to the internet time out; with tcpdump I see that
   packets leave and enter the public interface on the host, but never
   reach the jail

 I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public
 interface is fxp0 with both an IPv4 and an IPv6 address assigned.
 Of course, nat is enabled via pf on the public interface.

 Can you post your PF configuration?

 After switching to ipfw/natd networking in the jail works.
 Could this be a bug?

 I think you had an issue with the firewall that blocks name resolution and
 makes everything go slow. At least you need one single line in your
 pf.conf:

 nat on $public_interface from $jail_ip to any -> ($public_interface)

 Even when loading only the nat rule it doesn't work:

 nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr

 Thanks.
 Herbert
 ___
 freebsd-j...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-jail
 To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org


As Mark Felder wrote

You don't have anything in /etc/resolv.conf, in the jail do you? :-)

-- 

Kind regards

Kalle R. Møller


Re: Jails on FreeBSD 9.0

2012-07-17 Thread Herbert J. Skuhra
On Tue, Jul 17, 2012 at 9:59 AM, Kalle Møller
freebsd-questi...@k-moeller.dk wrote:
 On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra h.sku...@gmail.com wrote:
 On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu joris.ded...@gmail.com 
 wrote:
 2012/7/12 Herbert J. Skuhra h.sku...@gmail.com:
 On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra h.sku...@gmail.com 
 wrote:
 Hi,

 although I've followed the instructions in jail(8) and jail.conf(5) I
 cannot manage to set up jails on FreeBSD 9.0 STABLE (r238334).

 The symptoms:

 * ssh'ing to jail works, but it takes about 20 seconds until password
   prompt appears

 Is it still the same with UseDNS=no in /etc/ssh/sshd_config?

 No, I can login instantly.

 * netstat -r in the jail takes about 150 seconds to finish

 Does netstat -rn do the same?

 No, the output appears immediately.

 * connections to the internet time out; with tcpdump I see that
   packets leave and enter the public interface on the host, but never
   reach the jail

 I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public
 interface is fxp0 with both an IPv4 and an IPv6 address assigned.
 Of course, nat is enabled via pf on the public interface.

 Can you post your PF configuration?

 After switching to ipfw/natd networking in the jail works.
 Could this be a bug?

 I think you had an issue with the firewall that blocks name resolution and
 makes everything go slow. At least you need one single line in your
 pf.conf:

 nat on $public_interface from $jail_ip to any -> ($public_interface)

 Even when loading only the nat rule it doesn't work:

 nat on fxp0 from 192.168.1.0/24 to any -> $ext_addr

 Thanks.
 Herbert


 As Mark Felder wrote

 You don't have anything in /etc/resolv.conf, in the jail do you? :-)

I have two nameservers listed!
If I boot a kernel with ipfirewall/ipdivert and run natd the network
in the jail works!

With pf:

I see the packets going out/coming in on fxp0 but somehow the jail
does not see them.

A 'dig www.google.com' in the jail fails with connection timed out;
no servers could be reached, but

11:39:45.30 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:45.694045 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.176, A 173.194.35.179, A 173.194.35.180, A 173.194.35.178 (132)
11:39:50.667799 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:50.687083 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.177, A 173.194.35.178, A 173.194.35.179, A 173.194.35.180, A 173.194.35.176 (132)
11:39:55.668783 IP xxx.yyy.zzz.64452 > google-public-dns-a.google.com.domain: 10794+ A? www.google.com. (32)
11:39:55.675917 IP google-public-dns-a.google.com.domain > xxx.yyy.zzz.64452: 10794 6/0/0 CNAME www.l.google.com., A 173.194.35.180, A 173.194.35.177, A 173.194.35.179, A 173.194.35.176, A 173.194.35.178 (132)

And 'nc 173.194.35.177 80':

11:41:52.176904 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445658553 ecr 8593173,nop,wscale 6], length 0
11:41:53.382320 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445659753 ecr 8593173,nop,wscale 6], length 0
11:41:54.088585 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8596173 ecr 0], length 0
11:41:54.098838 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445660466 ecr 8593173,nop,wscale 6], length 0
11:41:55.796638 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445662155 ecr 8593173,nop,wscale 6], length 0
11:41:57.288596 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 8599373 ecr 0], length 0
11:41:57.299125 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445663650 ecr 8593173,nop,wscale 6], length 0
11:42:00.488595 IP xxx.yyy.zzz.56936 > muc03s02-in-f17.1e100.net.http: Flags [S], seq 2143442670, win 65535, options [mss 1460,sackOK,eol], length 0
11:42:00.498606 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666834 ecr 8593173,nop,wscale 6], length 0
11:42:00.621724 IP muc03s02-in-f17.1e100.net.http > xxx.yyy.zzz.56936: Flags [S.], seq 1156402837, ack 2143442671, win 14180, options [mss 1430,sackOK,TS val 1445666957 ecr 8593173,nop,wscale 6],