Re : Re : Re : How to connect a jail to the web ?

2010-08-14 Thread Brice ERRANDONEA
, length 327
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
09:08:51.917971 IP FreeBSD.32837 > neufbox.domain: 24447+ PTR? 38.1.168.192.in-addr.arpa. (43)
09:08:51.918870 IP neufbox.domain > FreeBSD.32837: 24447* 1/0/0 (64)
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
FreeBSD#

Then, I started the jail. Firefox immediately stopped being able to browse 
websites. I tried a tcpdump on the host while running portsnap fetch in the 
jail:

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:43:50.334064 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:43:50.334499 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:43:50.334966 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:43:50.335402 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:43:50.335944 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:43:50.336560 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.41 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:44:20.333807 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:44:20.334246 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:44:20.334684 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:44:20.335165 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:44:20.335603 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:44:20.336040 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.336480 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
FreeBSD#

If you compare these two tcpdump outputs, you can see that the word neufbox is 
replaced by 192.168.1.1. It confirms that DNS is no longer running.

Not easy...

Brice




From: Oliver Fromme <o...@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG; berrando...@yahoo.fr
Sent: Thu 12 Aug 2010, 17:52:24
Subject: Re: Re : Re : How to connect a jail to the web ?

Brice ERRANDONEA <berrando...@yahoo.fr> wrote:
> On the host, when the jail is not running :
> 
> %ifconfig
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	options=8<VLAN_MTU>
> 	ether 00:11:09:15:72:6a
> 	inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
> 	media: Ethernet autoselect (100baseTX <full-duplex>)

OK, so 192.168.1.38 is the only (non-localnet) IP address that
you have.  You should use that one for your jail.

> On the host when the jail is running :
> 
> FreeBSD# jls
>    JID  IP Address      Hostname                      Path
>      1  93.0.168.242    MaPrison                      /usr/prison
> FreeBSD# ifconfig
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
> 	options=8<VLAN_MTU>
> 	ether 00:11:09:15:72:6a
> 	inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
> 	inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
> 	media: Ethernet autoselect (100baseTX <full-duplex>)

Where did you get that second IP address from?  Did you just
add it manually?  Or is that the address that your gateway
(DSL router, whatever) got assigned from your ISP?

I assume that IP address is not really routed to your host,
but that NAT (Network Address Translation) is used on your
router.  So you cannot use that address on the host.
(If that's not true, please explain the structure of your
network in more detail.)

So, if my assumptions are true, you must use the address
192.168.1.38 for your jail.  Make sure that DNS is working
inside the jail ...  It should be sufficient to copy
/etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

If it still doesn't work:  Are you using any packet filter
(ipfw, ipf, pf)?  If so, please show the complete list of
rules.

Otherwise, it might help to run tcpdump(1) on the host, so
you can see the actual packets that are transmitted and
received.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

C++ is the only current language making
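Oliver's analysis in the quoted reply above turns on which address the jail borrows: jail(8) can only use an address the host already has on an interface (the rc.d/jail script adds it as an alias on jail_interface), a 127.x address never leaves the machine, an RFC 1918 address works behind the router's NAT, and a public address only works if the ISP actually routes it to the host rather than it being the router's WAN address. The following script, an added example and not code from the thread, turns those checks into a preflight to run on the host before starting a jail. It reads ifconfig output on stdin, so the sample at the bottom is text constructed from the thread's own posts; the interface and path names in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: preflight checks for a jail's
# IPv4 address, run on the host before starting the jail.  The checks work
# on plain text (ifconfig output on stdin), so they can be exercised with
# the constructed sample at the bottom.  Interface/path names are assumed.
#
# Classes printed by jail_ip_class:
#   invalid   not a dotted quad
#   missing   not configured on the host: jail(8) cannot use it
#   loopback  127/8: never leaves the host unless pf/ipfw rewrites it
#   private   RFC 1918: usable behind the router's NAT (the jail shares the
#             host's LAN address, which is what Oliver recommends)
#   public    routable: only works if the ISP really routes it to this host;
#             a NAT router's WAN address reported by a web site does not count

# Print the four octets of a dotted quad, or fail for anything else.
ip_octets() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          print $1, $2, $3, $4 }'
}

# 10/8, 172.16/12 or 192.168/16 -> success.
is_rfc1918() {
    octs=$(ip_octets "$1") || return 1
    set -- $octs
    if [ "$1" = 10 ]; then return 0; fi
    if [ "$1" = 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" = 192 ] && [ "$2" = 168 ]; then return 0; fi
    return 1
}

# 127/8 -> success.
is_loopback() {
    octs=$(ip_octets "$1") || return 1
    set -- $octs
    [ "$1" = 127 ]
}

# Does the ifconfig text on stdin carry "inet <addr>" on any interface?
host_has_addr() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -q "^[[:space:]]*inet ${pat}[[:space:]]"
}

# Classify a candidate jail address against the ifconfig text on stdin.
jail_ip_class() {
    if ! ip_octets "$1" >/dev/null; then echo invalid; return 1; fi
    if ! host_has_addr "$1"; then echo missing
    elif is_loopback "$1"; then echo loopback
    elif is_rfc1918 "$1"; then echo private
    else echo public
    fi
}

# Oliver's other check: the jail must see the same resolv.conf as the host.
# Usage on the host: resolv_matches /etc/resolv.conf /usr/prison/etc/resolv.conf
resolv_matches() {
    [ -r "$1" ] && [ -r "$2" ] && cmp -s "$1" "$2"
}

# Constructed sample: the host's rl0 and lo0 as posted in the thread, with
# the manually added 93.0.168.242 alias present.
SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:11:09:15:72:6a
	inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
	inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet 127.0.0.1 netmask 0xff000000'

# Same call on the real host:  ifconfig | jail_ip_class 192.168.1.38
for cand in 192.168.1.38 127.0.0.1 93.0.168.242 10.0.0.1; do
    printf '%-14s %s\n' "$cand" \
        "$(printf '%s\n' "$SAMPLE_IFCONFIG" | jail_ip_class "$cand")"
done
```

On the host, `ifconfig | jail_ip_class 93.0.168.242` prints `public`, which is the case Oliver warns about: the jail's packets leave with a source address the ISP never routes back to the neufbox, so `ping` shows 100% loss and DNS answers never arrive. Once the jail uses an address that passes this check, a filtered capture such as `tcpdump -ni rl0 'port 53 or icmp'` shows the jail's lookups and ping replies, instead of the SSDP multicast chatter that an unfiltered `tcpdump` on a home LAN is dominated by.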

Re : How to connect a jail to the web ?

2010-08-12 Thread Brice ERRANDONEA
192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the 
public one. I tried both as the jail's address. With the private one, neither 
portsnap nor ping work at all.

With the public one, I get this result :


FreeBSD# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
FreeBSD# /etc/rc.d/jail onestart server
Configuring jails:.
Starting jails: MaPrison.
FreeBSD# jexec 1 portsnap fetch
jexec: jail_attach(1): Invalid argument
FreeBSD# jls
   JID  IP Address      Hostname                      Path
     2  93.0.168.242    MaPrison                      /usr/prison
FreeBSD# jexec 2 portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
FreeBSD# jexec 2 ping www.yahoo.fr
ping: cannot resolve www.yahoo.fr: Host name lookup failure
FreeBSD# jexec 2 ping 69.147.83.33
PING 69.147.83.33 (69.147.83.33): 56 data bytes

Then, nothing during a few minutes, so I used :

^C  
--- 69.147.83.33 ping statistics ---
32 packets transmitted, 0 packets received, 100.0% packet loss

Data can be sent to the net now but it seems they can't come back.

I also tried after opening the jail the same way you do :

FreeBSD# jail /usr/prison MaPrison 93.0.168.242 /bin/sh -E
# ping 69.147.83.33
PING 69.147.83.33 (69.147.83.33): 56 data bytes
^C
--- 69.147.83.33 ping statistics ---
30 packets transmitted, 0 packets received, 100.0% packet loss
# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
#





From: Oliver Fromme <o...@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG; berrando...@yahoo.fr
Sent: Wed 11 Aug 2010, 22:55:11
Subject: Re: How to connect a jail to the web ?

Brice ERRANDONEA <berrando...@yahoo.fr> wrote:
> Oliver Fromme wrote:
> > sysctl security.jail.allow_raw_sockets=1
> 
> I did it but ping still doesn't work.

Which IP address are you using for the jail now?

If you're using 127.0.0.1, you can only ping the host's
own IP addresses, because packets with a localnet IP
never leave a machine.

If you're using the real address (192.168.1.38) for
the jail, then you should be able to ping all addresses
that you can ping from the host.  I just did a quick
test on my machine; it has the IP address 172.20.0.2
(which is being translated with NAT on my router, but
that doesn't matter):

HOST# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0 -> 1
HOST# jail / testjail 172.20.0.2 /bin/sh -E
# ping www.google.com
PING www.l.google.com (66.102.13.105): 56 data bytes
64 bytes from 66.102.13.105: icmp_seq=0 ttl=54 time=31.196 ms
64 bytes from 66.102.13.105: icmp_seq=1 ttl=54 time=25.553 ms
64 bytes from 66.102.13.105: icmp_seq=2 ttl=54 time=27.086 ms

> > > 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.
> > 
> > Well, localnet addresses are not routed.  If you give your
> > jail a localnet address, it won't be able to access the
> > network outside of the host.  (Unless you take measures
> > to rewrite/translate the addresses and forward them.)
> > That's why DNS and portsnap don't work.
> > 
> > I suggest using the address 192.168.1.38 for the jail,
> > at least during installation.  Make sure that the file
> > /etc/resolv.conf inside the jail is correct, so DNS will
> > work.  Copying it from the host should be sufficient.
> 
> Isn't 192.168.1.38 a localnet address too ?

It's a private address (RFC 1918).  I assume that you've got
a NAT router that translates it to a public IP address.

> Do you mean I should use the public ip of my computer here ?

Do you have one?  So far you only mentioned 192.168.1.38.

> I thought it was intended to be impossible to access the host from the jail.

It depends on what you want to do with the jail.  Jails can
be used for vastly different purposes.

> But you're right : I'll forget that.

Good.  :-)

Best regards
   Oliver

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org



  
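Oliver's remark in the reply quoted above (and again in his 2010-08-11 reply further down) is that a 127.x address never leaves the host "unless you take measures to rewrite/translate the addresses and forward them", and Brice's pf.conf so far only defines two macros. The script below, an added example and not code from the thread, shows what those measures look like with pf(4): the jail gets a private address of its own, outbound traffic is NATed behind the host's external address, and only TCP/80 is redirected inward, which is all an Apache jail needs. Everything named here is an assumption: external NIC rl0, jail address 10.0.0.1 on a cloned loopback lo1, and the FreeBSD 8.x pf ruleset syntax in which nat and rdr are separate rules.

```shell
#!/bin/sh
# Added example, not code from the thread: give the jail a private address
# that the outside world cannot reach except through explicit pf(4) rules.
# Outbound traffic is NATed behind the host's external address; inbound,
# only TCP/80 is redirected to the jail.  Names are assumptions: external
# NIC rl0, jail on a cloned loopback lo1 with 10.0.0.1, FreeBSD 8.x pf
# (pre-OpenBSD-4.7 syntax, where nat/rdr are separate rules).

EXT_IF=${EXT_IF:-rl0}
JAIL_IF=${JAIL_IF:-lo1}
JAIL_IP=${JAIL_IP:-10.0.0.1}

# Only an unroutable source needs translation: 127/8 or RFC 1918.  A public
# address such as the router's WAN IP cannot be fixed by NAT on the host;
# the ISP would have to route it to the host instead.
needs_nat() {
    case $1 in
        127.*|10.*|192.168.*) return 0 ;;
        172.*)
            o2=${1#172.}; o2=${o2%%.*}
            if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; else return 1; fi ;;
        *) return 1 ;;
    esac
}

# Emit /etc/pf.conf for the jail.  Refuses an address NAT cannot help.
pf_rules() {
    needs_nat "$JAIL_IP" || { echo "pf_rules: $JAIL_IP does not need NAT on the host" >&2; return 1; }
    cat <<EOF
ext_if = "$EXT_IF"
jail_ip = "$JAIL_IP"

set skip on lo0
scrub in all

# jail -> internet: rewrite the private source to the host's $EXT_IF address
nat on \$ext_if from \$jail_ip to any -> (\$ext_if)

# internet -> jail: only the web port, redirected to the jail address
rdr on \$ext_if proto tcp from any to (\$ext_if) port 80 -> \$jail_ip port 80

# filtering happens after translation: drop everything aimed at the jail
# except the redirected web port; replies to the jail's own connections
# match the state created by the pass out rule
block in on \$ext_if to \$jail_ip
pass in on \$ext_if proto tcp to \$jail_ip port 80 keep state
pass out on \$ext_if keep state
EOF
}

# Matching /etc/rc.conf lines.  They replace the thread's jail_interface and
# jail_server_ip values; the other jail_* knobs stay as posted.
rc_conf_lines() {
    cat <<EOF
cloned_interfaces="$JAIL_IF"
ifconfig_$JAIL_IF="inet $JAIL_IP netmask 255.255.255.255"
jail_interface="$JAIL_IF"
jail_server_ip="$JAIL_IP"
pf_enable="YES"
pf_rules="/etc/pf.conf"
EOF
}

# Print both fragments.  On the host, redirect pf_rules into /etc/pf.conf
# and syntax-check it before loading:  pfctl -nf /etc/pf.conf
pf_rules && echo && rc_conf_lines
```

With this layout the jail never owns 192.168.1.38 or the router's public address, so its Apache cannot collide with a listener on the host and nothing on the LAN can reach the jail except through the rdr rule; the jail's /etc/resolv.conf is still copied from the host as Oliver says, since NAT only rewrites addresses and does not answer lookups.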


Re : Re : How to connect a jail to the web ?

2010-08-12 Thread Brice ERRANDONEA
Here they are.

On the host, when the jail is not running :

%ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:11:09:15:72:6a
	inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:11:06:99:8a:ff
	ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
%netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS        16      434    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           1       98    rl0
192.168.1.38       link#1             UHS         0        0    lo0

On the host when the jail is running :

FreeBSD# jls
   JID  IP Address      Hostname                      Path
     1  93.0.168.242    MaPrison                      /usr/prison
FreeBSD# ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:11:09:15:72:6a
	inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
	inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:11:06:99:8a:ff
	ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
FreeBSD# netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      474    rl0
93.0.168.242       link#1             UHS         0       20    lo0 =>
93.0.168.242/32    link#1             U           0        0    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           0      102    rl0
192.168.1.38       link#1             UHS         0        0    lo0

In the jail (running, of course) :

FreeBSD# jexec 1 ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:11:09:15:72:6a
	inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:11:06:99:8a:ff
	ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	lladdr 0.11.6.66.0.99.8a.ff.a.2.ff.fe.0.0.0.0
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
FreeBSD# jexec 1 netstat -rnfinet
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         0      480    rl0
93.0.168.242       link#1             UHS         0       20    lo0 =>
93.0.168.242/32    link#1             U           0        0    rl0
127.0.0.1          link#5             UH          0       20    lo0
192.168.1.0/24     link#1             U           0      102    rl0
192.168.1.38       link#1             UHS         0        0    lo0

Do you find what's wrong ?

Brice






From: Oliver Fromme <o...@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG; berrando...@yahoo.fr
Sent: Thu 12 Aug 2010, 14:52:00
Subject: Re: Re : How to connect a jail to the web ?

Brice ERRANDONEA <berrando...@yahoo.fr> wrote:
> 192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the 
> public one. I tried both as the jail's address. With the private one, neither 
> portsnap nor ping work at all.
> 
> With the public one, I get this result :
> [...]
> FreeBSD# jexec 2 ping www.yahoo.fr
> ping: cannot resolve www.yahoo.fr: Host name lookup failure
> FreeBSD# jexec 2 ping 69.147.83.33
> PING

Re : Re : Re : How to connect a jail to the web ?

2010-08-12 Thread Brice ERRANDONEA


> Where did you get that second IP address from?  Did you just
> add it manually?  Or is that the address that your gateway
> (DSL router, whatever) got assigned from your ISP?

I added it manually in rc.conf (on the host) :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"   (yes, I'm French)
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"

jail_enable="NO"
jail_list="MaPrison"
jail_interface="rl0"
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="93.0.168.242"

I chose it because that's my computer's public ip, at least according to this 
website: http://whatismyipaddress.com/

> I assume that IP address is not really routed to your host,
> but that NAT (Network Address Translation) is used on your
> router.  So you cannot use that address on the host.
> (If that's not true, please explain the structure of your
> network in more detail.)

My network is VERY simple. I've got a modem (or box) provided by my phone 
company. It's called a neufbox and acts as a gateway. The computer with 
FreeBSD is connected to this box through an ethernet cable. Two other 
computers are connected to it via wifi.

> So, if my assumptions are true, you must use the address
> 192.168.1.38 for your jail.  Make sure that DNS is working
> inside the jail ...  It should be sufficient to copy
> /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

OK, I'll try this.

> If it still doesn't work:  Are you using any packet filter
> (ipfw, ipf, pf)?  If so, please show the complete list of
> rules.

No, I don't. I've tried pf but you told it was not necessary.

> Otherwise, it might help to run tcpdump(1) on the host, so
> you can see the actual packets that are transmitted and
> received.

All right. I'll try it too.

Good bye for the moment and thanks for your help.

Brice





Re : How to connect a jail to the web ?

2010-08-11 Thread Brice ERRANDONEA
I tried all of this without any result. But I won't give up.

What I want is a jail with an Apache HTTP server running inside. So, the jail 
must have a public IPv4 and access to the web.

What I'd understood of the jails' role (but I must have misunderstood) is that 
it will have a different public ip than the host, so that if a pirate manages to 
crack the server, he will only have access to the jail (the real public ip of 
the host remaining secret). Then I'm surprised to learn that such traffic will 
be routed through the host.

The jail is created. The next step now is to install the ports collection inside 
with portsnap fetch. But each time I try to run this command inside the jail 
(with jexec), I get the same answer :

Looking up portsnap.FreeBSD.org mirrors... none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.

This makes me think my jail is not connected to the web. To check this, I tried 
to ping various known websites. When I tried domain names, like ping 
www.freebsd.org, this error message appears :

ping: cannot resolve www.freebsd.org : Host name lookup failure

So, I can't contact DNS servers able to translate www.freebsd.org to its ip. 
Since I know this ip, I tried : ping 69.147.83.33. This time, the error 
message is :

ping: socket: Operation not permitted

From this, I concluded my jail was not connected to the web. Meanwhile, I've 
understood that, anyway, the ping command is forbidden inside a jail. But the 
portsnap fetch one is not.

It seems that the local ip given to the jail has to be an alias of an existing 
one. I'm not on a local network so I only have 2 real network interfaces : rl0 
(192.168.1.38) and the loopback lo0 (127.0.0.1).

192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail. By the way, I 
wonder which one I will be able to choose if I ever have to create a second 
jail. And also how the computer knows which data is for the jail and which one 
is for the loopback.

I also added the line net.inet.ip.forwarding=1 to sysctl.conf (on the host). 
And here is the rc.conf of my jail :

devfs_system_ruleset="devfsrules_jail"
network_interfaces=""
sshd_enable="YES"
sendmail_enable="NO"
rpcbind_enable="NO"

Despite the sshd_enable="YES" line, I can't ssh from the host to the jail. Well, 
I can... The first time I did it, I was asked if I wanted to add the jail to the 
list of known hosts. I did it. No problem there. But, immediately after that, 
instead of displaying "login :", the system displayed "passwd :". And none of 
the passwords I had set with sysinstall (for the root and the common user) were 
accepted. That's why I can only run commands inside the jail running jexec. It's 
not that big a problem for the moment but one purpose of the jail is also (I 
believe) to ssh into them from a distant computer without access to the host.

It was not clear after the various answers I received if I had to use a firewall 
or not so I tried both ways.

Without the firewall, the rc.conf of my host is :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"   (yes, I'm French)
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"

jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0"   (I also tried rl0 here)
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"

gateway_enable="YES"
router_enable="YES"

Since I've added this last line (router_enable="YES"), I have to press Enter at 
the end of the bootup process to obtain the login :. Again, it's not a big 
problem but nonetheless a strange one.

With this configuration, portsnap fetch continues to give me the same error 
message I told before.

With the firewall (pf), now, the rc.conf of my host becomes :

hostname="FreeBSD.ici"
ifconfig_rl0="DHCP"
keymap="fr.iso.acc"
moused_enable="YES"
saver="dragon"
hald_enable="YES"
dbus_enable="YES"
devfs_system_ruleset="localrules"

jail_enable="NO"
jail_list="MaPrison"
jail_interface="lo0"
jail_devfs_ruleset="devfsrules_jail"
jail_devfs_enable="YES"

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="127.0.0.1"

gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

And here's the /etc/pf.conf :

ext_if="rl0"
int_if="rl0"

Same result for portsnap fetch.


A lot of questions, aren't there? I guess I must have made a lot of mistakes. But I 
can't believe I'm the first one who tries to install a web server in a jail. 
This must be a well-known process.

Thanks to those who helped me and to those who will !

Good evening

Brice





From: Roland Smith <rsm...@xs4all.nl>
To: Brice ERRANDONEA <berrando...@yahoo.fr>
Sent: Wed 11 Aug 2010, 13:23:34
Subject: Re: Re : Re : How to connect a jail to the web ?

On Wed, Aug 11, 2010 at 11:07:59AM +, Brice ERRANDONEA wrote:

> OK, I'll try this. And, as you suggested, I switch my jail's IP

Re : Re : How to connect a jail to the web ?

2010-08-11 Thread Brice ERRANDONEA
Thank you very much for your answer. It helped me understand some elements. But 
portsnap still doesn't work.


> So, I can't contact DNS servers able to translate www.freebsd.org to
> its ip.  Since I know this ip, I tried : ping 69.147.83.33. This
> time, the error message is :
> 
> ping: socket: Operation not permitted

ping(1) uses raw sockets in order to be able to send and
receive ICMP packets.  By default, raw sockets are disallowed
in jails.  To change that, use this command on the host:

sysctl security.jail.allow_raw_sockets=1

Add an entry to /etc/sysctl.conf so the setting will survive
reboots.

I did it but ping still doesn't work.

> 192.168.1.38 is the host's ip so I use 127.0.0.1 for the jail.

Well, localnet addresses are not routed.  If you give your
jail a localnet address, it won't be able to access the
network outside of the host.  (Unless you take measures
to rewrite/translate the addresses and forward them.)
That's why DNS and portsnap don't work.

I suggest using the address 192.168.1.38 for the jail,
at least during installation.  Make sure that the file
/etc/resolv.conf inside the jail is correct, so DNS will
work.  Copying it from the host should be sufficient.

Isn't 192.168.1.38 a localnet address too ? Do you mean I should use the public 
ip of my computer here ?

> By the way, you don't have to build ports inside the jail.
> Of course you *can* do that, but there are other ways, too.
> For example, you could build packages (apache etc.) on
> the host, or in a different jail, or even on a different
> machine, and then use pkg_add(8) inside your jail to
> install them.

I prefer doing that way. I will use apache later so I will have to connect the 
jail to internet anyway.

> And also how the computer knows which data is for the jail and which
> one is for the loopback.

Services (such as apache) listen on certain ports for
connections.  For example, the default port for the HTTP
protocol is 80.  So, when someone is trying to open a
connection to your IP address on port 80, your kernel
looks it up in its table of listening TCP sockets and
find the apache process which is running inside the jail.
So the connection is handed to the jail.

(This is a bit oversimplifying, but basically that's how
it works.)

OK. This is clear. And it explains how multiple jails can share the same 
address.

> Despite the sshd_enable="YES" line, I can't ssh from the host to the
> jail. Well, I can... The first time I did it, I was asked if I wanted
> to add the jail to the list of known hosts. I did it. No problem
> there. But, immediately after that, instead of displaying "login :",
> the system displayed "passwd :".

That's normal. ssh never asks for the login.  You can use the -l
option if you need to specify a different user name (or put it in your
~/.ssh/config).

Of course. I'm losing my mind with all that jail trouble. It works perfectly 
well with the -l option.

> Some paranoid people have a special login jail.  They
> ssh into the login jail, then log into the host or into
> other jails from there.  The host accepts ssh only from
> localhost.  But please forget this immediately; we don't
> want to make things more complicated than necessary.

I thought it was intended to be impossible to access the host from the jail. But 
you're right : I'll forget that.

So, we're progressing. But the problem is not over yet. Any other idea ?

Have a good evening, anyway.

Brice









How to connect a jail to the web ?

2010-08-10 Thread Brice ERRANDONEA
Hello,

I've just created my first FreeBSD jail in order to install a web server inside. 
But I don't know how to connect it to the web. When I try pinging an HTTP 
website, it doesn't work. Of course, it works when I do it from outside the 
jail.

Another problem, probably linked to the first one, I can't run rc within the 
jail, even as the jail's root. It says : permission denied.

Here's how I built and started my jail. I had already run make buildworld when 
upgrading to 8.1 release :

# mkdir /usr/prison
# cd /usr/src
# make installworld DESTDIR=/usr/prison
# make distribution DESTDIR=/usr/prison
# mount -t devfs devfs /usr/prison/dev
# jail -c path=/usr/prison host.hostname=ServeurWeb ip4.addr=192.1.1.1 persist
# jail /usr/prison ServeurWeb 192.1.1.1 csh

I guess this must be a very basic question but please help me.



  