Re: loopback in jail
2010/11/10 Michael Scheidell <michael.scheid...@secnap.com>:
> for amavisd-new, right?
>
> On 11/10/10 12:16 PM, Andrei Kolu wrote:
>> Hi, I have a problem with binding a port to localhost inside of a jail (ezjail).
>
> can only have one '127.0.0.1'. even with vnet, I am sure.
>
> /usr/local/etc/amavisd.conf:$inet_socket_port = 10024;
>
> should be fine. however, you also need this:
>
> @inet_acl = ( qw [ 0.0.0.0/0 ] );
>
> plus a lot of things. We have a commercial hosted email security product with multiple dozens of amavisd based VPS's and it took a while to get it to work. try the amavisd users group as well.
>
> --
> Michael Scheidell, CTO

I see. But I am testing right now a kernel with options VIMAGE and here are the results:

# ifconfig epair create
# jail -c vnet name=test1 host.hostname=test1 path=/ persist
# ifconfig epair0b vnet 1
# jexec 1 ifconfig epair0b 192.168.11.2
# jexec 1 ifconfig
lo0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:62:68:00:05:0b
        inet 192.168.11.2 netmask 0xff00 broadcast 192.168.11.255
        inet6 fe80::62:68ff:fe00:50b%epair0b prefixlen 64 scopeid 0x2
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

Now I'll try to configure localhost!

# jexec 1 ifconfig lo0 localhost

Let me see what's happened:

# jexec 1 ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:62:68:00:05:0b
        inet6 fe80::62:68ff:fe00:50b%epair0b prefixlen 64 scopeid 0x2
        inet 192.168.11.2 netmask 0xff00 broadcast 192.168.11.255
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>

Wow, I have a local ip address now.

Can't do the same thing without VIMAGE:

# ifconfig lo0 localhost
ifconfig: ioctl (SIOCDIFADDR): permission denied

This is only preliminary testing but things are looking quite different I guess.

FreeBSD 8.1-STABLE #1: Thu Nov 11 09:36:29 EET 2010

___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org
Re: loopback in jail
2010/11/11 Nikos Vassiliadis <nvass9...@gmx.com>:
>> Hi, I have a problem with binding a port to localhost inside of a jail (ezjail).
>> instead of this:
>> vscan    perl       51376 5  tcp4   194.xxx.yyy.22:10024
>> I need this:
>> vscan    perl       51376 5  tcp4   127.0.0.1:10024
>> Is it possible to bind anything inside a jail to 127.0.0.1?
>
> Yes, if the jail has rights to the 127.0.0.1 address.
>
> raidmadi# jail -c persist ip4.addr=127.0.0.1
> raidmadi# jls
>    JID  IP Address      Hostname                      Path
>      1  -               nik                           /jails/nik
>      2  -               test                          /
>      3  -               testo                         /
>      4  -               isudhfius                     /jails/nik
>      5  -                                             /
>      8  127.0.0.1                                     /
> raidmadi# jexec 8 csh
> # nc -l
> [1] 38411
> # sockstat -4
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     nc         38411 3  tcp4   127.0.0.1:            *:*
>
> Is this a multi-IP jail? The case is slightly different with multi-IP jails.
> From jail(8):
>
>      ip4.addr  A comma-separated list of IPv4 addresses assigned to the prison.  If this is set, the jail is restricted to using only these addresses.  Any attempts to use other addresses fail, and attempts to use wildcard addresses silently use the jailed address instead.  For IPv4 the first address given will be kept used as the source address in case source address selection on unbound sockets cannot find a better match.  It is only possible to start multiple jails with the same IP address, if none of the jails has more than this single overlapping IP address assigned to itself.
>
> HTH, Nikos

OK, I tried this way:

ezjail config:
export jail_crashtest_ip=194.xxx.yyy.22,127.0.0.1

I have a loopback ip address now:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff00

But, I can't bind anything to 127.0.0.1 anyway. Is this a bug or something?
Re: loopback in jail
2010/11/11 Freddy DISSAUX <freddy@free.fr>:
> Le Thu, Nov 11, 2010 at 12:15:09PM +0200, Andrei Kolu wrote:
>> OK, I tried this way:
>>
>> ezjail config:
>> export jail_crashtest_ip=194.xxx.yyy.22,127.0.0.1
>>
>> I have a loopback ip address now:
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>         options=3<RXCSUM,TXCSUM>
>>         inet 127.0.0.1 netmask 0xff00
>>
>> But, I can't bind anything to 127.0.0.1 anyway. Is this a bug or something?
>
> Hum, I don't understand. You *must* have a lo0 with 127.0.0.1?
> lo0 with 127.0.0.x is not good for you (or your app)?
>
> Regards,

OK, I figured it out. The only problem was that the operating system became unresponsive for a couple of minutes after I changed the ip address for the jail localhost; I thought that the system had crashed, but wow.

export jail_crashtest_ip=194.xxx.yyy.22,lo0|127.0.0.2

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.2 netmask 0x

Now:
# sockstat -4
vscan    perl       98672 5  tcp4   127.0.0.2:10024       *:*

Should I change the /etc/hosts file too?
127.0.0.2 localhost localhost.my.domain

First I thought that the 127.0.0.1 address is locally significant, but it looks like I was wrong.
Re: loopback in jail
On Thu, 11 Nov 2010, Andrei Kolu wrote:
> OK, I tried this way:
>
> ezjail config:
> export jail_crashtest_ip=194.xxx.yyy.22,127.0.0.1
>
> I have loopback ip address now:
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3<RXCSUM,TXCSUM>
>         inet 127.0.0.1 netmask 0xff00
>
> But, can't bind anything to 127.0.0.1 anyway. Is this a bug or something?

No, it's intentional. You would bind to your public 194.x.x.x IP.

Quoting from jail(2):

     All connections to/from the loopback address (127.0.0.1 for IPv4, ::1 for IPv6) will be changed to be to/from the primary address of the jail for the given address family.

/bz

--
Bjoern A. Zeeb                                 Welcome a new stage of life.
         <ks> Going to jail sucks  --  <bz> All my daemons like it!
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
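As an added example (not code from the thread or from FreeBSD): a small parser for `sockstat -4` output that flags listening sockets not bound to a loopback address, which is how the rewrite Bjoern quotes from jail(2) shows up from inside a jail: the daemon asked for 127.0.0.1 and ended up on the jail's public IP. The sample sockstat lines are constructed; 203.0.113.22 stands in for the poster's redacted 194.xxx.yyy.22 and the PIDs and sshd row are made up.

```python
import ipaddress
from typing import Dict, List

# Constructed sample modelled on the sockstat lines quoted in the thread.
# 203.0.113.22 (documentation range) stands in for the poster's redacted
# 194.xxx.yyy.22; PIDs and the sshd line are made up for this example.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
vscan    perl       51376 5  tcp4   203.0.113.22:10024    *:*
vscan    perl       98672 5  tcp4   127.0.0.2:10024       *:*
root     nc         38411 3  tcp4   127.0.0.1:4444        *:*
root     sshd       1234  4  tcp4   *:22                  *:*
"""


def is_loopback(addr: str) -> bool:
    """True only for a literal 127.0.0.0/8 or ::1 address. The wildcard '*'
    counts as not-loopback: in a jail it silently becomes the jailed IP."""
    if addr == "*":
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # e.g. a redacted or otherwise unparseable address
        return False


def parse_sockstat(text: str) -> List[Dict[str, str]]:
    """Split sockstat rows into dicts; skips the header and blank lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = fields[:7]
        addr, _, port = local.rpartition(":")  # port may be empty in old output
        rows.append({"user": user, "command": command, "pid": pid,
                     "proto": proto, "addr": addr, "port": port,
                     "foreign": foreign})
    return rows


def exposed_listeners(text: str) -> List[Dict[str, str]]:
    """Listening sockets (foreign side *:*) that are not bound to loopback."""
    return [r for r in parse_sockstat(text)
            if r["foreign"] == "*:*" and not is_loopback(r["addr"])]


if __name__ == "__main__":
    for r in exposed_listeners(SAMPLE_SOCKSTAT):
        print(f"{r['command']}[{r['pid']}] listens on {r['addr']}:{r['port']}")
```

Run inside the jail against live `sockstat -4l` output, a 127.0.0.1 daemon that shows up under the public address is the jail(2) rewrite at work, and the `lo0|127.0.0.2` workaround later in the thread makes it disappear from the list.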
loopback in jail
Hi,

I have a problem with binding a port to localhost inside of a jail (ezjail).

instead of this:
vscan    perl       51376 5  tcp4   194.xxx.yyy.22:10024

I need this:
vscan    perl       51376 5  tcp4   127.0.0.1:10024

Is it possible to bind anything inside a jail to 127.0.0.1?

FreeBSD 8.1-STABLE #1: Sat Oct 30 19:27:48 EEST 2010
ezjail-3.1
Re: loopback in jail
for amavisd-new, right?

On 11/10/10 12:16 PM, Andrei Kolu wrote:
> Hi, I have a problem with binding a port to localhost inside of a jail (ezjail).

can only have one '127.0.0.1'. even with vnet, I am sure.

/usr/local/etc/amavisd.conf:$inet_socket_port = 10024;

should be fine. however, you also need this:

@inet_acl = ( qw [ 0.0.0.0/0 ] );

plus a lot of things. We have a commercial hosted email security product with multiple dozens of amavisd based VPS's and it took a while to get it to work. try the amavisd users group as well.

--
Michael Scheidell, CTO
o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 | SECNAP Network Security Corporation