Re: Allowing routing table visibility in jails to make multiple IPs work properly
On Fri, Jan 3, 2014 at 9:10 AM, Ian Smith wrote:
> On Fri, 3 Jan 2014 08:05:55 -0500, Alejandro Imass wrote:
> > On Fri, Jan 3, 2014 at 3:00 AM, Rudy (bulk) wrote:
> > >
> > > I'm having issues when putting multiple IPs on a jail... one external, one
> > > internal (on a different vlan). The source IP from the jail is always the
> > > first IP, so a solution is to use ipfw_nat to nat when using the internal
> > > vlan to the 'second ip'. Ugly hack. and it doesn't work when there is an
> > > MTU difference between the vlans:
> > >
> >
> > Greetings Rudy,
> >
> > I had the same exact problem and found that the problem is natd.
> > Actually it is mentioned in natd's documentation.
>
> Alejandro, hi,
>
> can you point out where in natd(8) it indicates .. what exactly?
>

It's what natd does "It changes all packets destined for another host so that their source IP address is that of the current machine."

The problem is that it chooses the first IP assigned to the interface so for example if you have several public IP's assigned to the same physical interface and assign one to each jail, any outbound connection from either jail will show the first IP regardless of what IP is assigned to what jail. In fact outbound connections from the base host will also show the first IP even if using the -b switch which makes FBSD behave like Linux when natd is running.

When natd is in operation all source addresses will always be the first IP address assigned to that interface. You can test this with outbound ssh even by forcing with the -b switch in an outbound ssh from a jail and you will see it uses the first IP always. Turn off natd and you will see it uses the correct IP.

I had a long discussion a while back, check the archives.

> > If you want to get rid of this problem you need to get rid of natd and
> > nat your jail traffic with some other means. Kernel nat should be a
> > solution but I've never gotten around to test if it actually solves
> > the problem. Please share if you find a way to fix this.
>
> I may have missed it, but I've yet to see anyone report any functional
> differences between natd and ipfw_nat, ie of something working in one
> but not the other. Both use the underlying libalias(3) after all.
>

I have never been able to solve this but thought I read somewhere that by using specific ipfw nat it could be solved. I still have the problem and it is not my expertise obviously and I haven't had the time to investigate the problem further. I just know that using natd causes any outbound connection from a jail to always show the first IP assigned to that interface.

Best,
Alejandro Imass

___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Allowing routing table visibility in jails to make multiple IPs work properly
On Fri, 3 Jan 2014 08:05:55 -0500, Alejandro Imass wrote:
> On Fri, Jan 3, 2014 at 3:00 AM, Rudy (bulk) wrote:
> >
> > I'm having issues when putting multiple IPs on a jail... one external, one
> > internal (on a different vlan). The source IP from the jail is always the
> > first IP, so a solution is to use ipfw_nat to nat when using the internal
> > vlan to the 'second ip'. Ugly hack. and it doesn't work when there is an
> > MTU difference between the vlans:
> >
>
> Greetings Rudy,
>
> I had the same exact problem and found that the problem is natd.
> Actually it is mentioned in natd's documentation.

Alejandro, hi,

can you point out where in natd(8) it indicates .. what exactly?

> If you want to get rid of this problem you need to get rid of natd and
> nat your jail traffic with some other means. Kernel nat should be a
> solution but I've never gotten around to test if it actually solves
> the problem. Please share if you find a way to fix this.

I may have missed it, but I've yet to see anyone report any functional differences between natd and ipfw_nat, ie of something working in one but not the other. Both use the underlying libalias(3) after all.

cheers, Ian
Re: Allowing routing table visibility in jails to make multiple IPs work properly
On Fri, Jan 3, 2014, at 2:00, Rudy (bulk) wrote:
>
> I'm having issues when putting multiple IPs on a jail... one external,
> one internal (on a different vlan). The source IP from the jail is
> always the first IP, so a solution is to use ipfw_nat to nat when using
> the internal vlan to the 'second ip'. Ugly hack. and it doesn't work
> when there is an MTU difference between the vlans:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=184389
> Re: kern/184389: libalias fails to adjust MTU from jails
>
> The other solution is to let the jail 'see' the routing table:
> devfs -m /data/example.monkeybrains.net/dev rule apply path kmem unhide
> devfs -m /data/example.monkeybrains.net/dev rule apply path mem unhide
>
> Is there anyway (or plans for) a method to reveal the routing table but
> not all of mem and kmem to the jail?
>

Hi! You've hit a bug I found a while back. Can you reconfirm the findings that myself and bz had? The issue is not that the first IP is used for *all* traffic, but only for traffic that uses raw sockets (like ICMP). I actually have patches bz@ provided me for ping and fping which work around this issue, but the fix should be done in the kernel instead.

Here's my PR, please take a look.

http://www.freebsd.org/cgi/query-pr.cgi?pr=168678

Your solution with the kmem/mem unhide is interesting. I do not have a system that I could try that on at this time; my needs were temporary/transitional (moving a monitoring server from 32bit to 64bit... architecture dependent RRDs, etc... )

Thanks!
Re: Allowing routing table visibility in jails to make multiple IPs work properly
On Fri, Jan 3, 2014 at 3:00 AM, Rudy (bulk) wrote:
>
> I'm having issues when putting multiple IPs on a jail... one external, one
> internal (on a different vlan). The source IP from the jail is always the
> first IP, so a solution is to use ipfw_nat to nat when using the internal
> vlan to the 'second ip'. Ugly hack. and it doesn't work when there is an
> MTU difference between the vlans:
>

Greetings Rudy,

I had the same exact problem and found that the problem is natd. Actually it is mentioned in natd's documentation.

If you want to get rid of this problem you need to get rid of natd and nat your jail traffic with some other means. Kernel nat should be a solution but I've never gotten around to test if it actually solves the problem. Please share if you find a way to fix this.

Best,
Alejandro Imass
Allowing routing table visibility in jails to make multiple IPs work properly
I'm having issues when putting multiple IPs on a jail... one external, one internal (on a different vlan). The source IP from the jail is always the first IP, so a solution is to use ipfw_nat to nat when using the internal vlan to the 'second ip'. Ugly hack. and it doesn't work when there is an MTU difference between the vlans:

http://www.freebsd.org/cgi/query-pr.cgi?pr=184389
Re: kern/184389: libalias fails to adjust MTU from jails

The other solution is to let the jail 'see' the routing table:

devfs -m /data/example.monkeybrains.net/dev rule apply path kmem unhide
devfs -m /data/example.monkeybrains.net/dev rule apply path mem unhide

Is there any way (or plans for) a method to reveal the routing table but not all of mem and kmem to the jail?

Rudy
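A host-side audit for the workaround in the post above, as an added example that is not part of the original message: it evaluates devfs.rules-style rulesets and reports which ones leave `mem` or `kmem` visible, since those nodes expose the host's physical and kernel memory to anything in the jail that can open them. The sample rulesets numbered 10 and 11 are constructed, and the evaluator assumes only `add [num] [path P] [type T] hide|unhide` and `add include` rules need handling.

```python
"""Audit devfs.rules-style rulesets for jails that can see mem or kmem.

Added illustration, not FreeBSD code. Rules are applied in order and the last
matching hide/unhide wins; nodes start out visible.
"""
import fnmatch
import re
import shlex

HEADER = re.compile(r"^\[(\w+)=(\d+)\]$")
SENSITIVE = ("mem", "kmem")  # both are "mem"-type device nodes

# Constructed sample: the first three rulesets follow the stock layout,
# the last two mirror the workaround from the post.
SAMPLE_RULES = """\
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path null unhide
add path zero unhide
add path random unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic

# constructed: explicit unhide, as in the devfs(8) commands above
[devfsrules_jail_routing=10]
add include $devfsrules_jail
add path kmem unhide
add path mem unhide

# constructed: a wildcard that exposes the same nodes less obviously
[devfsrules_jail_glob=11]
add include 4
add path '*mem' unhide
"""


def parse_rulesets(text):
    """Return ({name: [rule tokens]}, {number: name})."""
    rulesets, numbers, current = {}, {}, None
    for raw in text.splitlines():
        header = HEADER.match(raw.strip())
        if header:
            name, number = header.groups()
            numbers[number] = name
            current = rulesets.setdefault(name, [])
            continue
        tokens = shlex.split(raw, comments=True)
        if current is not None and tokens[:1] == ["add"]:
            rule = tokens[1:]
            if rule and rule[0].isdigit():  # optional rule number
                rule = rule[1:]
            if rule:
                current.append(rule)
    return rulesets, numbers


def visible(rulesets, numbers, name, node, state=True, stack=()):
    """Apply ruleset `name` to a mem-type `node`; True if it ends up visible."""
    if name in stack:
        raise ValueError("include loop: " + " -> ".join(stack + (name,)))
    for rule in rulesets[name]:
        if rule[0] == "include":
            target = rule[1].lstrip("$")
            target = numbers.get(target, target)  # include by number or name
            state = visible(rulesets, numbers, target, node, state,
                            stack + (name,))
            continue
        matches, rest = True, list(rule)
        while len(rest) >= 2 and rest[0] in ("path", "type"):
            kind, value, rest = rest[0], rest[1], rest[2:]
            if kind == "path":
                matches = matches and fnmatch.fnmatchcase(node, value)
            else:
                matches = matches and value == "mem"
        if matches:
            for action in rest:
                if action in ("hide", "unhide"):
                    state = action == "unhide"
    return state


def audit(text, jail_rulesets):
    """Map each named jail ruleset to the sensitive nodes it leaves visible."""
    rulesets, numbers = parse_rulesets(text)
    findings = {}
    for name in jail_rulesets:
        exposed = [n for n in SENSITIVE
                   if visible(rulesets, numbers, name, n)]
        if exposed:
            findings[name] = exposed
    return findings


if __name__ == "__main__":
    in_use = ["devfsrules_jail", "devfsrules_jail_routing",
              "devfsrules_jail_glob"]
    for ruleset, nodes in audit(SAMPLE_RULES, in_use).items():
        print(f"{ruleset}: exposes {', '.join(nodes)}")
```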
Re: configuration of multiple IPs for a jail
On 29/01/2010 09:24, Bjoern A. Zeeb wrote:
> On Thu, 28 Jan 2010, t...@diogunix.com wrote:
>
> Hi,
>
> > Jase,
> >
> > > This behaviour has been addressed in RELENG_7 recently with r202924 [1].
> >
> > thank you very much. That's what I was watching out for :-).
> > I somehow could not find that hint in all the resources I used.
> >
> > > This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 ,
> > > which makes the kernel use the first IP passed to jail (8) as the
> > > default source address instead of the default behaviour which picks the
> > > first matching ip for that jail on the interface.
>
> That's not exactly true. Source address uses the first "matching"
> address for the destination on the outgoing interface if possible.
> There is a route lookup involved as well. So if you are serving more
> than one subnet it won't necessarily be the first IP of the interface
> seen within the jail. For the case given, it most likely will, though.

Yes, indeed. My answer was based on the configuration example presented and the assumption that all the IPs given were located in the same subnet.

Regards,
Jase.
Re: configuration of multiple IPs for a jail
On Thu, 28 Jan 2010, t...@diogunix.com wrote:

Hi,

> Jase,
>
> > This behaviour has been addressed in RELENG_7 recently with r202924 [1].
>
> thank you very much. That's what I was watching out for :-).
> I somehow could not find that hint in all the resources I used.
>
> > This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 ,
> > which makes the kernel use the first IP passed to jail (8) as the
> > default source address instead of the default behaviour which picks the
> > first matching ip for that jail on the interface.

That's not exactly true. Source address uses the first "matching" address for the destination on the outgoing interface if possible. There is a route lookup involved as well. So if you are serving more than one subnet it won't necessarily be the first IP of the interface seen within the jail. For the case given, it most likely will, though.

> Just great. I run 7.2 stable on most machines and thanks to your
> information it will be much easier than what I meanwhile did to fix things.
>
> > A workaround (if you're not able to update to a RELENG_7 following that
> > commit) is to reorder your interface aliases in /etc/rc.conf ,so that
> > your primary jail ip has a lower alias # than any secondary ips for that
> > jail.
>
> Yes. I've meanwhile found exactly that out the hard way and by trial and
> error. Works nice (or however, it works), even when the kernel setting
> method of course is much more elegant.
>
> > Hope this helps,
>
> I did already.

Though it might help, if you only need it for postfix, using the smtp_bind_address (and smtp_bind_address6) options might be more elegant rather than using the hammer of forcing things in the kernel. See man 5 postconf.

If more services across all jails should be using the intended behavior using the sysctl and kernel is probably the right thing.

/bz

--
Bjoern A. Zeeb         It will not break if you know what you are doing.
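The selection rule described by Jase and refined by bz in the message above, as a simplified Python model (an added example, not FreeBSD kernel code and not from any poster): with `security.jail.ip4_saddrsel` set to 0 the first address passed to jail(8) is used, otherwise the route lookup picks the outgoing interface and the first address on it that belongs to the jail wins. The interface names, the alias order, the host address 123.123.123.200, the second-subnet addresses and the fallback to the first jail address are assumptions made for illustration.

```python
"""Simplified model of IPv4 source-address selection for a multi-IP jail.

Added illustration, not FreeBSD kernel code. It models only what the thread
describes: the security.jail.ip4_saddrsel switch, the route lookup, and the
alias order on the outgoing interface.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str   # e.g. "10.0.0.0/24"
    ifname: str   # hypothetical interface name


def outgoing_interface(routes, dst):
    """Longest-prefix match over a constructed routing table."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not hits:
        raise LookupError(f"no route to {dst}")
    best = max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return best.ifname


def select_source(jail_ips, if_addrs, routes, dst, ip4_saddrsel=1):
    """Source address for an unbound socket opened inside the jail.

    jail_ips -- addresses in the order they were passed to jail(8)
    if_addrs -- {ifname: [addresses in alias order]}
    """
    if not ip4_saddrsel:
        # sysctl security.jail.ip4_saddrsel=0: always the first jail address
        return jail_ips[0]
    ifname = outgoing_interface(routes, dst)
    for addr in if_addrs.get(ifname, []):
        if addr in jail_ips:        # first alias that belongs to this jail
            return addr
    return jail_ips[0]              # assumption: fall back to the first one


# Constructed scenario 1: the mail jail from the thread. The alias order on
# the (hypothetical) em0 is assumed; .200 is a constructed host-only address.
MAIL_JAIL = ["123.123.123.249", "123.123.123.227", "123.123.123.248"]
EM0_AS_FOUND = {"em0": ["123.123.123.200", "123.123.123.227",
                        "123.123.123.248", "123.123.123.249"]}
EM0_REORDERED = {"em0": ["123.123.123.200", "123.123.123.249",
                         "123.123.123.227", "123.123.123.248"]}
ONE_SUBNET = [Route("0.0.0.0/0", "em0")]
REMOTE_MX = "198.51.100.25"        # documentation address

# Constructed scenario 2: one jail serving two subnets on two VLANs.
TWO_NET_JAIL = ["203.0.113.10", "10.0.0.10"]
VLAN_ADDRS = {"vlan10": ["203.0.113.10"], "vlan20": ["10.0.0.10"]}
TWO_SUBNETS = [Route("0.0.0.0/0", "vlan10"), Route("10.0.0.0/24", "vlan20")]

if __name__ == "__main__":
    print("default selection:",
          select_source(MAIL_JAIL, EM0_AS_FOUND, ONE_SUBNET, REMOTE_MX))
    print("ip4_saddrsel=0:   ",
          select_source(MAIL_JAIL, EM0_AS_FOUND, ONE_SUBNET, REMOTE_MX, 0))
    print("aliases reordered:",
          select_source(MAIL_JAIL, EM0_REORDERED, ONE_SUBNET, REMOTE_MX))
    print("internal dst:     ",
          select_source(TWO_NET_JAIL, VLAN_ADDRS, TWO_SUBNETS, "10.0.0.50"))
    print("internal dst, ip4_saddrsel=0:",
          select_source(TWO_NET_JAIL, VLAN_ADDRS, TWO_SUBNETS, "10.0.0.50", 0))
```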
Re: configuration of multiple IPs for a jail
Jase,

> This behaviour has been addressed in RELENG_7 recently with r202924 [1].

thank you very much. That's what I was watching out for :-). I somehow could not find that hint in all the resources I used.

> This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 ,
> which makes the kernel use the first IP passed to jail (8) as the
> default source address instead of the default behaviour which picks the
> first matching ip for that jail on the interface.

Just great. I run 7.2 stable on most machines and thanks to your information it will be much easier than what I meanwhile did to fix things.

> A workaround (if you're not able to update to a RELENG_7 following that
> commit) is to reorder your interface aliases in /etc/rc.conf ,so that
> your primary jail ip has a lower alias # than any secondary ips for that
> jail.

Yes. I've meanwhile found exactly that out the hard way and by trial and error. Works nice (or however, it works), even when the kernel setting method of course is much more elegant.

> Hope this helps,

I did already.

Many thanks
Tom
Re: configuration of multiple IPs for a jail
On 27/01/2010 02:08, t...@diogunix.com wrote:
> Greetings to the community. That's my first post to this list.
>
> I run a mailserver (postfix/dovecot) in a jail on a 7.2 stable system.
> My question is about configuring multiple IP addresses for that jail.
>
> My IP configuration is just done via
> # jail blabla 123.123.123.249,123.123.123.227,123.123.123.248 blabla
>
> I want to use 123.123.123.249 as my primary IP within the jail and
> furthermore use the same IP for outgoing SMTP connections.
>
> Everything works nice so far. The only issue is, that postfix obviously
> insists to use the second IP (227) to send out the Emails though it
> should use the primary IP (249). Trying to bind postfix to the right
> address did not help.
>
> I've read tons about jail configuration but could not find the one hint
> needed. So my question is:
>
> Does a jail always use the 'lowest' IP from a bunch of multiple IPs given
> with the jail start command ? I can't find any other explanation. Nothing
> else points to the 227 address.
>
> And if true - is there a way to change this behaviour ?
>
> Thanks a lot in advance
> Tom

Hi Tom,

This behaviour has been addressed in RELENG_7 recently with r202924 [1].

This commit allows you to set : sysctl security.jail.ip4_saddrsel 0 , which makes the kernel use the first IP passed to jail (8) as the default source address instead of the default behaviour which picks the first matching ip for that jail on the interface.

A workaround (if you're not able to update to a RELENG_7 following that commit) is to reorder your interface aliases in /etc/rc.conf ,so that your primary jail ip has a lower alias # than any secondary ips for that jail.

Hope this helps,
Jase.

[1] http://svn.freebsd.org/changeset/base/202924
configuration of multiple IPs for a jail
Greetings to the community. That's my first post to this list.

I run a mailserver (postfix/dovecot) in a jail on a 7.2 stable system. My question is about configuring multiple IP addresses for that jail.

My IP configuration is just done via

# jail blabla 123.123.123.249,123.123.123.227,123.123.123.248 blabla

I want to use 123.123.123.249 as my primary IP within the jail and furthermore use the same IP for outgoing SMTP connections.

Everything works nice so far. The only issue is, that postfix obviously insists to use the second IP (227) to send out the Emails though it should use the primary IP (249). Trying to bind postfix to the right address did not help.

I've read tons about jail configuration but could not find the one hint needed. So my question is:

Does a jail always use the 'lowest' IP from a bunch of multiple IPs given with the jail start command ? I can't find any other explanation. Nothing else points to the 227 address.

And if true - is there a way to change this behaviour ?

Thanks a lot in advance
Tom
Re: 7.x and multiple IPs in jails
On Thu, 30 Oct 2008, Michael Butler wrote:

Hi,

> > Hi, there's a patch by Bjoern A.Zeeb, available at
> > http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
> >
> > which succeeds and works well with 7.1-PRERELEASE currently.
> > I had similar issues to solve and patched several hosts
> > with it, so far with success.
>
> Sadly, SVN rev 184481 (of today) breaks these patches :-(
>
> Is there an updated patch-set available or planned?

I wonder if that was one of my MFCs - I guess so.

One of the reasons I am doing those MFCs is to keep the diff between HEAD and 7 down to a minimum so that I have to ship less patches integrated into the jail patch for 7.

So yes the plan is to finish the MFCs and generate a new patch for 7 the next days (most likely beginning of next week).

Regards,
Bjoern

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: 7.x and multiple IPs in jails
>>> Hi, there's a patch by Bjoern A.Zeeb, available at
>>> http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
>>>
>>> which succeeds and works well with 7.1-PRERELEASE currently.
>>> I had similar issues to solve and patched several hosts
>>> with it, so far with success.

Sadly, SVN rev 184481 (of today) breaks these patches :-(

Is there an updated patch-set available or planned?

Michael
Re: 7.x and multiple IPs in jails
Bjoern A. Zeeb wrote:
> The plan as the status report will say is to get this in, merge it to
> stable/7 before 7.2 and keep it in 8.
>
> 8 will also have vimages and ideally I'd like to see this entire jail
> IP hacks be gone for 9, when vimage will provide the infrastructure,
> etc. This means that 8 would be the transition period. But that's
> just me and my ideas - we'll see how it'll go.

I'm not convinced vimage is the only kind of network virtualization we want to give the option of. The IP addresses assigned to jails seems a lighter weight alternative, and allows some things that vimage doesn't do easily, such as system processes that listen on the virtual addresses for some services, leaving the jail to handle others.

- Jamie
Re: 7.x and multiple IPs in jails
Bjoern A. Zeeb wrote:
> On Tue, 28 Oct 2008, Chris St Denis wrote:
>
> Hi,
>
> [ jail patches ]
>
> > Serious question here (not trolling).
> >
> > These patches have been around for years, why have they never been
> > committed to trunk/stable?
>
> Well, the multi-ipv4 patch has been for a while - what we are talking
> about at the moment is more.
>
> If you look at older status reports they said something like "there is
> the need for this at the moment but it's not considered to be the
> right thing".
>
> There are multiple reasons for that, that I can think of:
>
> 1) some larger parts (of the network stack|kernel) get plastered with
>    all kinds of if (this) if (that) checks complicating code, making
>    it unreadable, having to be maintained, not ignored for security, ...
>    It's important to really catch all the places, .. which it seems we
>    had been doing well though not 100% well as I just found out
>    currently preparing more if (this) if (that) checks for something
>    not really important but still being a problem - since the first
>    day it turns out.
>
> 2) there is questionable logic in them and while we had been living
>    with it up to now, it came up during review process for the commit
>    to HEAD (so it could be merged to stable) and it turns out that
>    properly solving it isn't an easy or simple task and multiple people
>    have been pondering over this for days now. Even after removing
>    some optional code paths for simplicity things are still not always
>    definite in what would happen.
>
> 3)
>
> Nonetheless they are very helpful and very usable (else I wouldn't
> have worked on it).
>
> The plan as the status report will say is to get this in, merge it to
> stable/7 before 7.2 and keep it in 8.
>
> 8 will also have vimages and ideally I'd like to see this entire jail
> IP hacks be gone for 9, when vimage will provide the infrastructure,
> etc. This means that 8 would be the transition period. But that's
> just me and my ideas - we'll see how it'll go.
>
> /bz

Thanks for the info from all who responded.

I hadn't heard of vimage before, but after doing some searching on it it sounds like it will be very good improvement to jails.

If we can get resource limits on jails too in a near future release, Jails will become a competitive solution for VPS systems.
Re: 7.x and multiple IPs in jails
On Wed, 29 Oct 2008, Anton - Valqk wrote:

Hi,

> Just a quick question regarding full virtualization net stack?
> Is vimage the name of the virtualization stack? :)
> I'd *LOVE* to see it in stable!!! :)
> Are there any plans when it will be in HEAD or something?
> (I'm not following head and not running even 7.x yet).
> These patches also have been for years (as far as I can remember from
> 4.10?) and we haven't seen it working
> just asking curiously (no trolling)!

It will not be in stable before 8-STABLE though I think Marko has it also for 7-STABLE (in perforce).

Parts of the framework have been merged to HEAD already and more is to come.

freebsd-virtualization@ is the list for this.

/bz

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: 7.x and multiple IPs in jails
Hi there group,

Just a quick question regarding full virtualization net stack? Is vimage the name of the virtualization stack? :) I'd *LOVE* to see it in stable!!! :) Are there any plans when it will be in HEAD or something? (I'm not following head and not running even 7.x yet). These patches also have been for years (as far as I can remember from 4.10?) and we haven't seen it working

just asking curiously (no trolling)!

cheers,
valqk.

Bjoern A. Zeeb wrote:
> On Tue, 28 Oct 2008, Chris St Denis wrote:
>
> Hi,
>
> [ jail patches ]
>
>> Serious question here (not trolling).
>>
>> These patches have been around for years, why have they never been
>> committed to trunk/stable?
>
> Well, the multi-ipv4 patch has been for a while - what we are talking
> about at the moment is more.
>
> If you look at older status reports they said something like "there is
> the need for this at the moment but it's not considered to be the
> right thing".
>
> There are multiple reasons for that, that I can think of:
>
> 1) some larger parts (of the network stack|kernel) get plastered with
>    all kinds of if (this) if (that) checks complicating code, making
>    it unreadable, having to be maintained, not ignored for security, ...
>    It's important to really catch all the places, .. which it seems we
>    had been doing well though not 100% well as I just found out
>    currently preparing more if (this) if (that) checks for something
>    not really important but still being a problem - since the first
>    day it turns out.
>
> 2) there is questionable logic in them and while we had been living
>    with it up to now, it came up during review process for the commit
>    to HEAD (so it could be merged to stable) and it turns out that
>    properly solving it isn't an easy or simple task and multiple people
>    have been pondering over this for days now. Even after removing
>    some optional code paths for simplicity things are still not always
>    definite in what would happen.
>
> 3)
>
>
> Nonetheless they are very helpful and very usable (else I wouldn't
> have worked on it).
>
> The plan as the status report will say is to get this in, merge it to
> stable/7 before 7.2 and keep it in 8.
>
> 8 will also have vimages and ideally I'd like to see this entire jail
> IP hacks be gone for 9, when vimage will provide the infrastructure,
> etc. This means that 8 would be the transition period. But that's
> just me and my ideas - we'll see how it'll go.
>
>
> /bz
>
Re: 7.x and multiple IPs in jails
On Tue, 28 Oct 2008, Chris St Denis wrote:

Hi,

[ jail patches ]

> Serious question here (not trolling).
>
> These patches have been around for years, why have they never been
> committed to trunk/stable?

Well, the multi-ipv4 patch has been for a while - what we are talking about at the moment is more.

If you look at older status reports they said something like "there is the need for this at the moment but it's not considered to be the right thing".

There are multiple reasons for that, that I can think of:

1) some larger parts (of the network stack|kernel) get plastered with
   all kinds of if (this) if (that) checks complicating code, making
   it unreadable, having to be maintained, not ignored for security, ...
   It's important to really catch all the places, .. which it seems we
   had been doing well though not 100% well as I just found out
   currently preparing more if (this) if (that) checks for something
   not really important but still being a problem - since the first
   day it turns out.

2) there is questionable logic in them and while we had been living
   with it up to now, it came up during review process for the commit
   to HEAD (so it could be merged to stable) and it turns out that
   properly solving it isn't an easy or simple task and multiple people
   have been pondering over this for days now. Even after removing
   some optional code paths for simplicity things are still not always
   definite in what would happen.

3)

Nonetheless they are very helpful and very usable (else I wouldn't have worked on it).

The plan as the status report will say is to get this in, merge it to stable/7 before 7.2 and keep it in 8.

8 will also have vimages and ideally I'd like to see this entire jail IP hacks be gone for 9, when vimage will provide the infrastructure, etc. This means that 8 would be the transition period. But that's just me and my ideas - we'll see how it'll go.

/bz

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: 7.x and multiple IPs in jails
Bjoern A. Zeeb wrote:
>> This seems to imply that, at last, IPv6 addresses can be used in jails -
>> is that true?
> yes

Woohoo! THANKS! :-)

Michael
Re: udp problem in multiple ips jail??
Hi,

It wasn't jail problem after all. seems a local dns problem in my computer. DNS and UDP packets works very good under multiple ips jail.

Sami

On Sun, Oct 12, 2008 at 9:22 PM, Sami Halabi <[EMAIL PROTECTED]> wrote:

> thanks,
> the problem was that the dns conf didn't allow queries for
> non-authoritative requests so it always failed.
>
> jail works fine:)
>
> Sami
>
> On Sun, Oct 12, 2008 at 6:32 PM, Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote:
>
>> On Sun, 12 Oct 2008, Sami Halabi wrote:
>>
>> Hi,
>>
>>> I have the latest Multiple ips jail patch from bz, my problem is that the
>>> outer world
>>> can't reach the jail which i installed in it a DNS server...
>>> from the jail/host environment it works, but from other hosts
>>> it simply refuses.
>>>
>>> dns uses udp port 53...
>>>
>>>
>>> help...
>>>
>>
>> netstat -an
>> tcpdump
>> sockstat
>> ps ax
>> netstat -rn
>> ifconfig -a
>> firewall
>> ping
>>
>> check that all of those are ok.
>>
>> I'd start to see if I can reach the jail from outside the local
>> network by ping/ssh and more forward...
>>
>>
>> --
>> Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
>>
Re: udp problem in multiple ips jail??
On Sun, 12 Oct 2008, Sami Halabi wrote:

Hi,

> I have the latest Multiple ips jail patch from bz, my problem is that the
> outer world
> can't reach the jail which i installed in it a DNS server...
> from the jail/host environment it works, but from other hosts
> it simply refuses.
>
> dns uses udp port 53...
>
> help...

netstat -an
tcpdump
sockstat
ps ax
netstat -rn
ifconfig -a
firewall
ping

check that all of those are ok.

I'd start to see if I can reach the jail from outside the local network by ping/ssh and more forward...

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
udp problem in multiple ips jail??
Hi,

I have the latest Multiple ips jail patch from bz, my problem is that the outer world can't reach the jail which i installed in it a DNS server... from the jail/host environment it works, but from other hosts it simply refuses.

dns uses udp port 53...

help...

Sami
Re: Multiple IPS - Freebsd 7.1
On Wed, 2008-10-01 at 12:39 +, Bjoern A. Zeeb wrote:
> thoughts on MFCing it to 7-STABLE so it could be in 7.2-R. I cannot

Someone might be encouraged by the idea of a nice 21 year scotch under the Christmas tree.

Although I'm not holding my breath (Bjoern -- I have to talk to you about that FAST_IPSEC NAT-T patch for FreeBSD), I'm just glad that this won't involve / require a full pullup of Julian Elischer's Vimage and FIB+Multi-Routing-Table changes.

Chances of those making way into 7.x are low like Skylab.

--
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.
Re: Multiple IPS - Freebsd 7.1
On Wed, 1 Oct 2008, Steven Hartland wrote:

Hi,

> I would dearly like to see this make the 7.1 release, multi IP's in order
> to support backend interfaces in jails, is something that we hit against
> all the time.

Whatever your wishes or backends are, the multi-IP jail patches will NOT be in 7.1-RELEASE. full stop.

You will need the patch. full stop.

So I am trying to get it into HEAD at the moment and in 2 months or so once 7.1-R is out and things have settled in HEAD we can waste thoughts on MFCing it to 7-STABLE so it could be in 7.2-R. I cannot guarantee it will happen as the patch is intrusive and cannot keep the KPI.

The best thing you can do until then is to actually take the patch, test it, report problems, ...

/bz

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: Multiple IPS - Freebsd 7.1
On Wed, 1 Oct 2008, Sami Halabi wrote:

Hi,

> your right. i've posted that link :)

Yes, seen it, your mail came in, when mine was out. UUCP works so fine;)

You want to read the comments from then though as at least jls user space and some kernel stuff had changed:

http://lists.freebsd.org/pipermail/freebsd-jail/2008-September/000459.html
http://lists.freebsd.org/pipermail/freebsd-jail/2008-September/000468.html

In case you have any problems, etc. let me know.

/bz

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
Re: Multiple IPS - Freebsd 7.1
hi,

i didn't try it. i just saw a new patch from bz and tried it, now compiling, here is it:
http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff

Sami
royalshells.com, loyalness.com,

On Wed, Oct 1, 2008 at 1:56 PM, Steven Hartland <[EMAIL PROTECTED]> wrote:

> I would dearly like to see this make the 7.1 release, multi IP's in order
> to support backend interfaces in jails, is something that we hit against
> all the time.
>
> Regards
> Steve
>
> - Original Message -
> From: "Sami Halabi" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, October 01, 2008 12:21 PM
> Subject: Multiple IPS - Freebsd 7.1
>
>> hi everyone,
>>
>> I saw a lot of messages about this so here is it - i just patched it (took
>> me a day but okay :)
>>
>> i just downloaded the latest src using this sup file - cvsup:
>> http://www.royalshells.com/download/freebsd/stable-supfile
>>
>> # cvsup stable-supfile
>>
>> i applied the following patch (which i changed to get to work with the
>> current src):
>>
>> http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff
>>
>> to patch do:
>> # cd /usr/src
>> # patch -p6 < bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff
>>
>> after done re-compile the kernel:
>> # cp /usr/src/sys/netinet/in_pcb.h /usr/include/netinet/
>> # cp /usr/src/sys/sys/jail.h /usr/include/sys/
>>
>> clean obj dir:
>> # rm -Rf /usr/obj/*
>>
>> compile jail and jls:
>> # cd /usr/src/usr.sbin/jail/
>> # make clean && make depend && make install
>> # cd /usr/src/usr.sbin/jls/
>> # make clean && make depend && make install
>>
>> compile the kernel:
>> # cd /usr/src
>> # make buildworld
>> # make buildkernel KERNCONF=GENERIC
>> # make installworld
>> # make installkernel KERNCONF=GENERIC
>> # mergemaster -U
>>
>> after reboot:
>> # uname -a
>> FreeBSD server.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Sep 30
>> 20:03:00 UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC
>> i386
>> #
>>
>> check the patch:
>> # jail
>> usage: jail [-hi] [-n jailname] [-J jid_file] [-s securelevel] [-l -u
>> username | -U username] path hostname [ip[,..]] command ...
>> #
>>
>> Enjoy.
>>
>> Sami
Re: Multiple IPS - Freebsd 7.1
bz,

you're right. i've posted that link :)

Sami

On Wed, Oct 1, 2008 at 2:08 PM, Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote:

> On Wed, 1 Oct 2008, Sami Halabi wrote:
>
> Hi,
>
>> i applied the following patch (which i changed to get to work with the
>> current src):
>>
>> http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff
>
> I do not know what the "Fixed_By_Sody_1.10.08" part is but
> it's at least based on a backlevel patch of mine so I hope
> someone fixed the locking for 7.1-PRE.
>
> I had posted a patch for 7-STABLE (7.1-PRE) last month
> http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
> so taking that one you could have saved yourself a lot of time I guess.
>
> In case you have changes it would be good to know what you did
> or what I do not have so the do not have forks as my version will hit
> HEAD soon and has changed (also the user space) since July.
>
> /bz
>
> --
> Bjoern A. Zeeb      Stop bit received. Insert coin for new game.
Re: Multiple IPS - Freebsd 7.1
I would dearly like to see this make the 7.1 release, multi IP's in order to support backend interfaces in jails, is something that we hit against all the time.

Regards
Steve

- Original Message -
From: "Sami Halabi" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, October 01, 2008 12:21 PM
Subject: Multiple IPS - Freebsd 7.1

> hi everyone,
>
> I saw a lot of messages about this so here is it - i just patched it (took
> me a day but okay :)
>
> i just downloaded the latest src using this sup file - cvsup:
> http://www.royalshells.com/download/freebsd/stable-supfile
>
> # cvsup stable-supfile
>
> i applied the following patch (which i changed to get to work with the
> current src):
>
> http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff
>
> to patch do:
> # cd /usr/src
> # patch -p6 < bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff
>
> after done re-compile the kernel:
> # cp /usr/src/sys/netinet/in_pcb.h /usr/include/netinet/
> # cp /usr/src/sys/sys/jail.h /usr/include/sys/
>
> clean obj dir:
> # rm -Rf /usr/obj/*
>
> compile jail and jls:
> # cd /usr/src/usr.sbin/jail/
> # make clean && make depend && make install
> # cd /usr/src/usr.sbin/jls/
> # make clean && make depend && make install
>
> compile the kernel:
> # cd /usr/src
> # make buildworld
> # make buildkernel KERNCONF=GENERIC
> # make installworld
> # make installkernel KERNCONF=GENERIC
> # mergemaster -U
>
> after reboot:
> # uname -a
> FreeBSD server.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Sep 30
> 20:03:00 UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386
> #
>
> check the patch:
> # jail
> usage: jail [-hi] [-n jailname] [-J jid_file] [-s securelevel] [-l -u
> username | -U username] path hostname [ip[,..]] command ...
> #
>
> Enjoy.
>
> Sami
Re: Multiple IPS - Freebsd 7.1
On Wed, 1 Oct 2008, Sami Halabi wrote:

Hi,

> i applied the following patch (which i changed to get to work with the
> current src):
>
> http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

I do not know what the "Fixed_By_Sody_1.10.08" part is but it's at least based on a backlevel patch of mine so I hope someone fixed the locking for 7.1-PRE.

I had posted a patch for 7-STABLE (7.1-PRE) last month
http://people.freebsd.org/~bz/bz_jail7-20080920-01-at150161.diff
so taking that one you could have saved yourself a lot of time I guess.

In case you have changes it would be good to know what you did or what I do not have so the do not have forks as my version will hit HEAD soon and has changed (also the user space) since July.

/bz

--
Bjoern A. Zeeb      Stop bit received. Insert coin for new game.
Re: jail/broadcast IP [was: Multiple IPS - Freebsd 7.1]
On Wed, 1 Oct 2008, Nejc Škoberne wrote:

Hi,

> does this patch maybe also makes it possible for a jail to listen at a
> broadcast address?

So before you are going to post this to another thread -- what are you trying to achieve?

--
Bjoern A. Zeeb      Stop bit received. Insert coin for new game.
Re: Multiple IPS - Freebsd 7.1
Hello,

> I saw a lot of messages about this so here is it - i just patched it (took
> me a day but okay :)

does this patch maybe also makes it possible for a jail to listen at a broadcast address?

Thanks,
Nejc
Multiple IPS - Freebsd 7.1
hi everyone,

I saw a lot of messages about this so here is it - i just patched it (took me a day but okay :)

i just downloaded the latest src using this sup file - cvsup:
http://www.royalshells.com/download/freebsd/stable-supfile

# cvsup stable-supfile

i applied the following patch (which i changed to get to work with the current src):

http://www.royalshells.com/download/freebsd/bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

to patch do:
# cd /usr/src
# patch -p6 < bz_jail7-20080727-11-at146062-Fixed_By_Sody_1.10.08.diff

after done re-compile the kernel:
# cp /usr/src/sys/netinet/in_pcb.h /usr/include/netinet/
# cp /usr/src/sys/sys/jail.h /usr/include/sys/

clean obj dir:
# rm -Rf /usr/obj/*

compile jail and jls:
# cd /usr/src/usr.sbin/jail/
# make clean && make depend && make install
# cd /usr/src/usr.sbin/jls/
# make clean && make depend && make install

compile the kernel:
# cd /usr/src
# make buildworld
# make buildkernel KERNCONF=GENERIC
# make installworld
# make installkernel KERNCONF=GENERIC
# mergemaster -U

after reboot:
# uname -a
FreeBSD server.com 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Sep 30 20:03:00 UTC 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386
#

check the patch:
# jail
usage: jail [-hi] [-n jailname] [-J jid_file] [-s securelevel] [-l -u username | -U username] path hostname [ip[,..]] command ...
#

Enjoy.

Sami
Re: Multiple IPs
Bjoern A. Zeeb wrote:
>> # make world DESTDIR=$D
>
> that should be make installworld DESTDIR=$D

If that's true, the jail(8) man page is wrong. Though both should work?
Re: Multiple IPs
Bjoern,

is there a new patch available by any chance? can you at least post somewhere latest patch that was working? also, would you know if your patch will be included in 7.1-RELEASE?

Thanks in advance, and thanks for good work!

On Mon, Sep 1, 2008 at 6:15 PM, Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote:
> On Tue, 2 Sep 2008, Matkhamtkha Brekher wrote:
>
>> this patch is broken
>>
>> today I've tried to compile the patched world and it stops compiling
>> with due to error:
>
> I bet you got errors over errors when you tried to apply it.
>
> check the output or the return code from patch in your scripts...
> patch <
> case $? in
> 0)      ;;      # all fine
> *)      echo "PATCH DID NOT APPLY CLEANLY" >&2
>         exit 1
>         ;;
> esac
>
> You could try with patch -C first btw to not hose your src tree...
>
> I am working towards getting it into HEAD and once 7 will be in freeze
> I'll generate a new patch but 7 has been hosed for a while and people
> are doing last minute MFCs now so I would have had to regen it every
> few hours.
>
> --
> Bjoern A. Zeeb      Stop bit received. Insert coin for new game.

--
http://alexus.org/
Re: Multiple IPs
On Tue, 2 Sep 2008, Matkhamtkha Brekher wrote:

> this patch is broken
>
> today I've tried to compile the patched world and it stops compiling
> with due to error:

I bet you got errors over errors when you tried to apply it.

check the output or the return code from patch in your scripts...

patch <
case $? in
0)      ;;      # all fine
*)      echo "PATCH DID NOT APPLY CLEANLY" >&2
        exit 1
        ;;
esac

You could try with patch -C first btw to not hose your src tree...

I am working towards getting it into HEAD and once 7 will be in freeze I'll generate a new patch but 7 has been hosed for a while and people are doing last minute MFCs now so I would have had to regen it every few hours.

--
Bjoern A. Zeeb      Stop bit received. Insert coin for new game.
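The check-first routine this message describes, together with the -p6 versus -p7 uncertainty raised elsewhere in the thread, as an added example that is not part of the original posts. The names find_strip_level, apply_checked, abs_path and PATCH_CHECK_FLAG are hypothetical; the check-only flag defaults to -C as used in the thread, and GNU patch spells it --dry-run.

```shell
#!/bin/sh
# Added example (not from the thread): never touch the source tree until a
# check-only run of patch has succeeded, and fail loudly otherwise.

# Check-only flag. -C is the one named in the thread; with GNU patch set
# PATCH_CHECK_FLAG=--dry-run in the environment instead.
PATCH_CHECK_FLAG="${PATCH_CHECK_FLAG:--C}"

# abs_path FILE: print FILE as an absolute path, so it stays valid after cd.
abs_path() {
    case $1 in
        /*) echo "$1" ;;
        *)  echo "$PWD/$1" ;;
    esac
}

# find_strip_level PATCHFILE SRCDIR LEVEL...
# Prints the first -p level for which the check-only run is clean.
# Returns 1 if no candidate level applies cleanly. Nothing is modified.
find_strip_level() {
    pf=$(abs_path "$1"); src=$2
    shift 2
    for lvl in "$@"; do
        # -s: quiet, -f: never prompt (a prompt would hang a script)
        if (cd "$src" && patch "$PATCH_CHECK_FLAG" -s -f -p"$lvl" < "$pf") \
            >/dev/null 2>&1; then
            echo "$lvl"
            return 0
        fi
    done
    return 1
}

# apply_checked PATCHFILE SRCDIR LEVEL...
# Applies the patch only after a clean check, then tests the exit code of
# the real run as well.
apply_checked() {
    pf=$(abs_path "$1"); src=$2
    shift 2
    lvl=$(find_strip_level "$pf" "$src" "$@") || {
        echo "PATCH DID NOT APPLY CLEANLY at any of: $*" >&2
        return 1
    }
    rc=0
    (cd "$src" && patch -s -f -p"$lvl" < "$pf") || rc=$?
    case $rc in
        0)  echo "applied with -p$lvl" ;;
        *)  echo "PATCH FAILED (exit $rc) after a clean check" >&2
            return 1
            ;;
    esac
}

# Usage, with the file name and levels discussed in the thread:
#   apply_checked bz_jail7-20080727-11-at146062.diff /usr/src 6 7 || exit 1
```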
Re: Multiple IPs
this patch is broken

today I've tried to compile the patched world and it stops compiling with due to error:

cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_i386.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_cptime.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_file.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_getloadavg.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_getswapinfo.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_pcpu.c
cc -O2 -fno-strict-aliasing -pipe -DLIBC_SCCS -I/usr/src/lib/libkvm -DSUPPORT_OLD_XPRISON -c /usr/src/lib/libkvm/kvm_proc.c
/usr/src/lib/libkvm/kvm_proc.c: In function 'kvm_read_prison_id':
/usr/src/lib/libkvm/kvm_proc.c:113: error: storage size of 'xp' isn't known
/usr/src/lib/libkvm/kvm_proc.c: In function 'kvm_proclist':
/usr/src/lib/libkvm/kvm_proc.c:430: warning: passing argument 1 of 'bintime2timeval' from incompatible pointer type
*** Error code 1

Stop in /usr/src/lib/libkvm.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.

> # cd /usr/src
> # wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
> # patch -p6 bz_jail7-20080727-11-at146062.diff
> # make buildworld
> # make buildkernel KERNCONF=GENERIC
> # make installworld
> # make installkernel KERNCONF=GENERIC
> # mergemaster -U
Re: identd on jail with multiple IPs
Redd Vinylene wrote:
> Good evening Bjoern,
>
> Exactly how do I do a packet trace? I could do a tcpdump -n -e -ttt -i
> rl0 but I don't know how to filter out all the noise.
>
> But actually, identd works just fine here with the jail's first IP,
> 66.252.2.4. The problem must be elsewhere.

Just a shot in the dark. How about redirecting all IPs to the jail's primary IP with PF or similar? This might get you going - temporarily.

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide
Re: identd on jail with multiple IPs
Bjoern,

How much do you need to help me? I really need to get this stuff working. My friend who runs this server is regretting ever saying yes to my suggestion, as his customers are calling him every day giving him a hard time.

On Thu, Aug 7, 2008 at 12:54 AM, Redd Vinylene <[EMAIL PROTECTED]> wrote:
> On Wed, Aug 6, 2008 at 11:01 PM, Redd Vinylene <[EMAIL PROTECTED]> wrote:
>> Could it be a DNS misconfiguration perhaps?
>
> No it's not, I just had it confirmed. Either I got the basics wrong,
> or you got the patch wrong ;)
>
> Thank you so much for the help so far. Hopefully one of these days
> I'll be able to donate you guys a nice sum of money.
>
> Best regards,
> Redd
>
> --
> http://www.home.no/reddvinylene

--
http://www.home.no/reddvinylene
Re: identd on jail with multiple IPs
On Wed, Aug 6, 2008 at 11:01 PM, Redd Vinylene <[EMAIL PROTECTED]> wrote:
> Could it be a DNS misconfiguration perhaps?

No it's not, I just had it confirmed. Either I got the basics wrong, or you got the patch wrong ;)

Thank you so much for the help so far. Hopefully one of these days I'll be able to donate you guys a nice sum of money.

Best regards,
Redd

--
http://www.home.no/reddvinylene
Re: identd on jail with multiple IPs
Could it be a DNS misconfiguration perhaps?

On Wed, Aug 6, 2008 at 10:58 PM, Redd Vinylene <[EMAIL PROTECTED]> wrote:
> Good evening Bjoern,
>
> Exactly how do I do a packet trace? I could do a tcpdump -n -e -ttt -i
> rl0 but I don't know how to filter out all the noise.
>
> But actually, identd works just fine here with the jail's first IP,
> 66.252.2.4. The problem must be elsewhere.
>
> When I change the IP to 66.252.2.5, or any other IP besides the first,
> I get errors like:
>
> ERROR Closing Link: 0.0.0.0 (A-banned: [AKILL ID:1212791563K-a]
> [exp/idsh] Connections from this netrange are required to respond to
> identd requests in order to connect to DALnet. Visit
> http://kline.dal.net/exploits/ident.htm for more information. Contact
> your provider if identd is not working (2008/08/04 02.07))
>
> When connecting to irc.freenode.net though, it defaults back to
> 66.252.2.4 no matter what IP I use.
>
> Maybe I've just twisted some of the basics?
>
> The host (mother)'s rc.conf http://pastie.org/248762 (you've probably
> seen that one before though)
>
> 66.252.2.4# cat /etc/rc.conf
> sshd_enable="YES"
> inetd_enable="YES"
> linux_enable="YES"
> clear_tmp_enable="YES"
> update_motd="NO"
>
> 66.252.2.4# cat /etc/resolv.conf
> # Same as the host. Perhaps it should only contain "nameserver 66.252.2.2"?
> nameserver 69.65.17.101
> nameserver 69.65.16.102
>
> 66.252.2.4# cat /etc/hosts
> 127.0.0.1 localhost localhost.fox-host.net
> 66.252.2.2 mother.fox-host.net mother
> 66.252.2.3 camel.fox-host.net camel
> 66.252.2.4 box.fox-host.net box
>
> 66.252.2.4# uname -a
> FreeBSD mother.fox-host.net 7.0-STABLE FreeBSD 7.0-STABLE #3: Sat Aug
> 2 18:55:18 CDT 2008
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386
>
> Maybe you'd be willing to log onto the box yourself and boss it around a
> little?
>
> Cheers,
> Redd
>
> On Wed, Aug 6, 2008 at 10:18 PM, Bjoern A. Zeeb
> <[EMAIL PROTECTED]> wrote:
>> On Wed, 6 Aug 2008, Redd Vinylene wrote:
>>
>>> I cannot seem to make identd work on a jail with multiple IPs (Bjoern
>>> Zeeb's patch):
>>
>> So do you have any kind of error message? packet traces or anything to
>> further isolate the problem rather than "does not work"?
>>
>> --
>> Bjoern A. Zeeb      Stop bit received. Insert coin for new game.
>
> --
> http://www.home.no/reddvinylene

--
http://www.home.no/reddvinylene
Re: identd on jail with multiple IPs
Good evening Bjoern,

Exactly how do I do a packet trace? I could do a tcpdump -n -e -ttt -i rl0 but I don't know how to filter out all the noise.

But actually, identd works just fine here with the jail's first IP, 66.252.2.4. The problem must be elsewhere.

When I change the IP to 66.252.2.5, or any other IP besides the first, I get errors like:

ERROR Closing Link: 0.0.0.0 (A-banned: [AKILL ID:1212791563K-a] [exp/idsh] Connections from this netrange are required to respond to identd requests in order to connect to DALnet. Visit http://kline.dal.net/exploits/ident.htm for more information. Contact your provider if identd is not working (2008/08/04 02.07))

When connecting to irc.freenode.net though, it defaults back to 66.252.2.4 no matter what IP I use.

Maybe I've just twisted some of the basics?

The host (mother)'s rc.conf http://pastie.org/248762 (you've probably seen that one before though)

66.252.2.4# cat /etc/rc.conf
sshd_enable="YES"
inetd_enable="YES"
linux_enable="YES"
clear_tmp_enable="YES"
update_motd="NO"

66.252.2.4# cat /etc/resolv.conf
# Same as the host. Perhaps it should only contain "nameserver 66.252.2.2"?
nameserver 69.65.17.101
nameserver 69.65.16.102

66.252.2.4# cat /etc/hosts
127.0.0.1 localhost localhost.fox-host.net
66.252.2.2 mother.fox-host.net mother
66.252.2.3 camel.fox-host.net camel
66.252.2.4 box.fox-host.net box

66.252.2.4# uname -a
FreeBSD mother.fox-host.net 7.0-STABLE FreeBSD 7.0-STABLE #3: Sat Aug 2 18:55:18 CDT 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/GENERIC i386

Maybe you'd be willing to log onto the box yourself and boss it around a little?

Cheers,
Redd

On Wed, Aug 6, 2008 at 10:18 PM, Bjoern A. Zeeb <[EMAIL PROTECTED]> wrote:
> On Wed, 6 Aug 2008, Redd Vinylene wrote:
>
>> I cannot seem to make identd work on a jail with multiple IPs (Bjoern
>> Zeeb's patch):
>
> So do you have any kind of error message? packet traces or anything to
> further isolate the problem rather than "does not work"?
>
> --
> Bjoern A. Zeeb      Stop bit received. Insert coin for new game.

--
http://www.home.no/reddvinylene
Re: identd on jail with multiple IPs
On Wed, 6 Aug 2008, Redd Vinylene wrote:

> I cannot seem to make identd work on a jail with multiple IPs (Bjoern
> Zeeb's patch):

So do you have any kind of error message? packet traces or anything to further isolate the problem rather than "does not work"?

--
Bjoern A. Zeeb      Stop bit received. Insert coin for new game.
identd on jail with multiple IPs
Greetings! I cannot seem to make identd work on a jail with multiple IPs (Bjoern Zeeb's patch): jail # cat /etc/inetd.conf auth stream tcp nowait root internal auth -r -f -n -o UNKNOWN -t 30 - jail # grep inetd /etc/rc.conf inetd_enable="YES" - host # grep jail /etc/rc.conf jail_enable="YES" jail_list="box" jail_box_ip="80.252.2.4,80.252.2.5,80.252.2.6,80.252.2.7,80.252.2.8,80.252.2.9,80.252.2.10,80.252.2.11,80.252.2.12,80.252.2.13,80.252.2.14,80.252.2.15,80.252.2.16,80.252.2.17,80.252.2.18,80.252.2.19,80.252.2.20,80.252.2.21,80.252.2.22,80.252.2.23,80.252.2.24,80.252.2.25,80.252.2.26,80.252.2.27,80.252.2.28,80.252.2.29,80.252.2.30,80.252.2.31,80.252.2.32,80.252.2.33,80.252.2.34,80.252.2.35,80.252.2.36,80.252.2.37,80.252.2.38,80.252.2.39,80.252.2.40,80.252.2.41,80.252.2.42,80.252.2.43,80.252.2.44,80.252.2.45,80.252.2.46,80.252.2.47,80.252.2.48,80.252.2.49,80.252.2.50,80.252.2.51,80.252.2.52,80.252.2.53,80.252.2.54,80.252.2.55,80.252.2.56,80.252.2.57,80.252.2.58,80.252.2.59,80.252.2.60,80.252.2.61,80.252.2.62,80.252.2.63,80.252.2.64,80.252.2.65,80.252.2.80,80.252.2.67,80.252.2.68,80.252.2.69,80.252.2.70,80.252.2.71,80.252.2.72,80.252.2.73,80.252.2.74,80.252.2.75,80.252.2.76,80.252.2.77,80.252.2.78,80.252.2.79,80.252.2.80,80.252.2.81,80.252.2.82,80.252.2.83,80.252.2.84,80.252.2.85,80.252.2.86,80.252.2.87,80.252.2.88,80.252.2.89,80.252.2.90,80.252.2.91,80.252.2.92,80.252.2.93,80.252.2.94,80.252.2.95,80.252.2.96,80.252.2.97,80.252.2.98,80.252.2.99,80.252.2.100,80.252.2.101,80.252.2.102,80.252.2.103,80.252.2.104,80.252.2.105,80.252.2.106,80.252.2.107,80.252.2.108,80.252.2.109,80.252.2.110,80.252.2.111,80.252.2.112,80.252.2.113,80.252.2.114,80.252.2.115,80.252.2.116,80.252.2.117,80.252.2.118,80.252.2.119,80.252.2.120,80.252.2.121,80.252.2.122,80.252.2.123,80.252.2.124,80.252.2.125,80.252.2.126,80.252.2.127" jail_box_rootdir="/usr/jail/box" jail_box_hostname="box.fox-host.net" jail_box_devfs_enable="YES" jail_box_devfs_ruleset="devfsrules_jail" - It worked when I had just 
one IP in jail_box_ip. Is there a way to make auth listen to all my IPs, or should I switch to oidentd or pidentd?

Many thanks!

--
http://www.home.no/reddvinylene
Re: Multiple IPs
On Fri, 1 Aug 2008, Redd Vinylene wrote:

Hi,

> # patch -p6 < bz_jail7-20080727-11-at146062.diff

could be that it needs to be -p7
Try with patch -C -p6/7 (with -C) first and check that it does not complain.

> Yeah that's more like it ;)
>
> On Fri, Aug 1, 2008 at 10:05 AM, Redd Vinylene <[EMAIL PROTECTED]> wrote:
>> Big ups to Bjoern A. Zeeb for his multiple IP patch as well as his
>> friendly support service ;)
>>
>> I'd just like to confirm, however, if this is how it's done?
>>
>> # cd /usr/src
>> # wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff

preferably use "fetch" as it comes with base;-)

>> # patch -p6 bz_jail7-20080727-11-at146062.diff

see above

>> # make buildworld
>> # make buildkernel KERNCONF=GENERIC
>> # make installworld
>> # make installkernel KERNCONF=GENERIC

you do not need KERNCONF=GENERIC (that's the default) for both commands.

>> # mergemaster -U
>>
>> Now to the jail part (this is exactly how I created the jail in the first
>> place)
>>
>> # export D=/usr/jail/camel
>> # mkdir -p $D
>> # make world DESTDIR=$D

that should be make installworld DESTDIR=$D

>> # cd etc/

nope, no longer needed

>> # make distribution DESTDIR=$D

yes

>> # mount -t devfs devfs $D/dev

Rather not. Set jail_camel_devfs_enable="YES" in /etc/rc.conf (assuming the `name' of the jail will be camel). See the Jails section at the end of /etc/defaults/rc.conf for the other options.

The IP addresses will need to be given as a ',' separated list like:
jail_camel_ip="192.0.2.1,192.0.2.17,192.0.2.255"

You'll need a reboot somewhen for the new kernel etc.

you can do
sh /etc/rc.d/jail stop
sh /etc/rc.d/jail start
sh /etc/rc.d/jail stop camel
sh /etc/rc.d/jail start camel
...

I hope that helps.

--
Bjoern A. Zeeb      Stop bit received. Insert coin for new game.
Multiple IPs
Big ups to Bjoern A. Zeeb for his multiple IP patch as well as his friendly support service ;)

I'd just like to confirm, however, if this is how it's done?

# cd /usr/src
# wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
# patch -p6 bz_jail7-20080727-11-at146062.diff
# make buildworld
# make buildkernel KERNCONF=GENERIC
# make installworld
# make installkernel KERNCONF=GENERIC
# mergemaster -U

Now to the jail part (this is exactly how I created the jail in the first place)

# export D=/usr/jail/camel
# mkdir -p $D
# make world DESTDIR=$D
# cd etc/
# make distribution DESTDIR=$D
# mount -t devfs devfs $D/dev

Thank you all!

Redd Vinylene
http://www.home.no/reddvinylene
Re: Multiple IPs
Also, under jail_X_ip in rc.conf, must I enter the IPs one by one or can I specify an entire range?

Much obliged!

On Fri, Aug 1, 2008 at 10:17 AM, Redd Vinylene <[EMAIL PROTECTED]> wrote:
> Whooops,
>
> # patch -p6 < bz_jail7-20080727-11-at146062.diff
>
> Yeah that's more like it ;)
>
> On Fri, Aug 1, 2008 at 10:05 AM, Redd Vinylene <[EMAIL PROTECTED]> wrote:
>> Big ups to Bjoern A. Zeeb for his multiple IP patch as well as his
>> friendly support service ;)
>>
>> I'd just like to confirm, however, if this is how it's done?
>>
>> # cd /usr/src
>> # wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
>> # patch -p6 bz_jail7-20080727-11-at146062.diff
>> # make buildworld
>> # make buildkernel KERNCONF=GENERIC
>> # make installworld
>> # make installkernel KERNCONF=GENERIC
>> # mergemaster -U
>>
>> Now to the jail part (this is exactly how I created the jail in the first
>> place)
>>
>> # export D=/usr/jail/camel
>> # mkdir -p $D
>> # make world DESTDIR=$D
>> # cd etc/
>> # make distribution DESTDIR=$D
>> # mount -t devfs devfs $D/dev
>>
>> Thank you all!
>>
>> Redd Vinylene
>> http://www.home.no/reddvinylene
Re: Multiple IPs
Whooops,

# patch -p6 < bz_jail7-20080727-11-at146062.diff

Yeah that's more like it ;)

On Fri, Aug 1, 2008 at 10:05 AM, Redd Vinylene <[EMAIL PROTECTED]> wrote:
> Big ups to Bjoern A. Zeeb for his multiple IP patch as well as his
> friendly support service ;)
>
> I'd just like to confirm, however, if this is how it's done?
>
> # cd /usr/src
> # wget http://people.freebsd.org/~bz/bz_jail7-20080727-11-at146062.diff
> # patch -p6 bz_jail7-20080727-11-at146062.diff
> # make buildworld
> # make buildkernel KERNCONF=GENERIC
> # make installworld
> # make installkernel KERNCONF=GENERIC
> # mergemaster -U
>
> Now to the jail part (this is exactly how I created the jail in the first
> place)
>
> # export D=/usr/jail/camel
> # mkdir -p $D
> # make world DESTDIR=$D
> # cd etc/
> # make distribution DESTDIR=$D
> # mount -t devfs devfs $D/dev
>
> Thank you all!
>
> Redd Vinylene
> http://www.home.no/reddvinylene
Re: FreeBSD-7.0 MULTIPLE-IPs
Hi Bjorn,

On Jun 3, 2008, at 5:38 AM, Bjoern A. Zeeb wrote:
> On Tue, 3 Jun 2008, Isaac Levy wrote:
>
> Hi ike,
>
>> I first learned Marko Zec's work on the virtual IP stack at EuroBSDCon
>> 2007:
>> http://2007.eurobsdcon.org/tutorial-virtualized-network-stack.html
>
> If you knew about things that happened at BSDCan 2008;-)
> Where have you been?

Oh, work :) I was pulled into a job which I let consume my entire life for a while here, I'll be out of the thick of it for summer.

>> However, Bjoern Zeeb has resumed a jail-specific multi-ip
>> implementation- the current status seems to be updated somewhat
>> frequently here (yay!):
>> http://wiki.freebsd.org/Jails#head-27743b977485318e421b24962498cf007f70dacf
>>
>> "The multi-IPv4/v6 jails project was resumed in early January after
>> previous work had been abandoned in 2006. As an alternate solution to
>> full network stack virtualization, this work shall provide a lightweight
>> solution for multi-IP virtualization. Perforce based on FreeBSD 7.x?/8.x"
>>
>> Sadly for you however, at the time of this writing, it seems the 7.x
>> patches are 'in progress'.
>
> Well the entire things is "in progress" and as this is a FAQ the
> RELENG_7 patch that is out there is a bit outdated and I am working on
> an updated version as soon as I have tested what is in p4 on HEAD and
> feel that it still is as stable as the old patch was.
>
> BTW. Any HEAD version would be as old as the RELENG_7 one.
>
> Go here to find your way to the (old but stable) patch:
> http://www.freebsd.org/news/status/report-2008-01-2008-03.html#Multi-IPv4/v6/no-IP-jails
>
> I'll keep people updated on this list as soon as I have anything new.

Excellent! Thanks for posting the update!

Rocket,
.ike
Re: FreeBSD-7.0 MULTIPLE-IPs
On Tue, 3 Jun 2008, Isaac Levy wrote:

Hi ike,

> I first learned Marko Zec's work on the virtual IP stack at EuroBSDCon
> 2007:
> http://2007.eurobsdcon.org/tutorial-virtualized-network-stack.html

If you knew about things that happened at BSDCan 2008;-)
Where have you been?

> However, Bjoern Zeeb has resumed a jail-specific multi-ip
> implementation- the current status seems to be updated somewhat
> frequently here (yay!):
> http://wiki.freebsd.org/Jails#head-27743b977485318e421b24962498cf007f70dacf
>
> "The multi-IPv4/v6 jails project was resumed in early January after
> previous work had been abandoned in 2006. As an alternate solution to
> full network stack virtualization, this work shall provide a lightweight
> solution for multi-IP virtualization. Perforce based on FreeBSD 7.x?/8.x"
>
> Sadly for you however, at the time of this writing, it seems the 7.x
> patches are 'in progress'.

Well the entire things is "in progress" and as this is a FAQ the RELENG_7 patch that is out there is a bit outdated and I am working on an updated version as soon as I have tested what is in p4 on HEAD and feel that it still is as stable as the old patch was.

BTW. Any HEAD version would be as old as the RELENG_7 one.

Go here to find your way to the (old but stable) patch:
http://www.freebsd.org/news/status/report-2008-01-2008-03.html#Multi-IPv4/v6/no-IP-jails

I'll keep people updated on this list as soon as I have anything new.

/bz

--
Bjoern A. Zeeb      Stop bit received. Insert coin for new game.
Re: FreeBSD-7.0 MULTIPLE-IPs
Hello Alexus,

I haven't been very close to this lately, so I may be stepping out of turn- but there's one big reason: The Virtual IP stack implementation underway (separate from the jail mechanism, but of course, QUITE perfect for jailing uses).

I first learned Marko Zec's work on the virtual IP stack at EuroBSDCon 2007:
http://2007.eurobsdcon.org/tutorial-virtualized-network-stack.html

However, Bjoern Zeeb has resumed a jail-specific multi-ip implementation- the current status seems to be updated somewhat frequently here (yay!):
http://wiki.freebsd.org/Jails#head-27743b977485318e421b24962498cf007f70dacf

"The multi-IPv4/v6 jails project was resumed in early January after previous work had been abandoned in 2006. As an alternate solution to full network stack virtualization, this work shall provide a lightweight solution for multi-IP virtualization. Perforce based on FreeBSD 7.x?/8.x"

Sadly for you however, at the time of this writing, it seems the 7.x patches are 'in progress'.

--

To answer the dragonfly jail patch question- Dragonfly is a fork of the 4.x FreeBSD code, and with that, is now extremely different from FreeBSD 5.x onward. Therefore, many patches from the 4.x era code are straight inline with Dragonfly.

Hope that answers your question or provides some direction, even if the answer doesn't meet your needs.

Best,
.ike

On Jun 2, 2008, at 7:52 PM, alexus wrote:

> anyone?
>
> On Mon, May 12, 2008 at 2:28 PM, alexus <[EMAIL PROTECTED]> wrote:
>> Hello,
>>
>> I saw there are a few patches out there that give jail the ability to have more than 1 (one) IP address, however all those patches are very old and jail in FreeBSD-7.0 has more than it had even 2-3 years ago, so I was wondering if there is a new patch that works with FreeBSD-7, maybe implementing this patch is somewhat easier in 7.0 vs older releases? I think DragonFly implemented one of the patches directly into core, why FreeBSD won't do it already?
>>
>> --
>> http://alexus.org/
>
> --
> http://alexus.org/
Re: FreeBSD-7.0 MULTIPLE-IPs
anyone?

On Mon, May 12, 2008 at 2:28 PM, alexus <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I saw there are a few patches out there that give jail the ability to have
> more than 1 (one) IP address, however all those patches are very old
> and jail in FreeBSD-7.0 has more than it had even 2-3 years ago, so I
> was wondering if there is a new patch that works with FreeBSD-7, maybe
> implementing this patch is somewhat easier in 7.0 vs older releases? I
> think DragonFly implemented one of the patches directly into core, why
> FreeBSD won't do it already?
>
> --
> http://alexus.org/
>

--
http://alexus.org/
FreeBSD-7.0 MULTIPLE-IPs
Hello,

I saw there are a few patches out there that give jail the ability to have more than 1 (one) IP address, however all those patches are very old and jail in FreeBSD-7.0 has more than it had even 2-3 years ago, so I was wondering if there is a new patch that works with FreeBSD-7, maybe implementing this patch is somewhat easier in 7.0 vs older releases? I think DragonFly implemented one of the patches directly into core, why FreeBSD won't do it already?

--
http://alexus.org/