I had a break with this yesterday. I've just tried your suggestions. It still
doesn't work but the error message has changed.
On the host when the jail is running:
FreeBSD# jls
JID  IP Address  Hostname  Path
1  93.0.168.242  MaPrison
192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the
public one. I tried both as the jail's address. With the private one, neither
portsnap nor ping work at all.
With the public one, I get this result :
FreeBSD# sysctl security.jail.allow_raw_sockets=1
David Allen the.real.david.al...@gmail.com wrote:
I've read comments in the past about setting up jails using local
loopback addresses, but I'm wondering if you wouldn't mind elaborating
on what the actual pf rules would look like.
Say you have 3 jails and more than one public IP
Brice ERRANDONEA berrando...@yahoo.fr wrote:
192.168.1.38 is the private address of rl0 on my host. 93.0.168.242 is the
public one. I tried both as the jail's address. With the private one,
neither
portsnap nor ping work at all.
With the public one, I get this result :
[...]
Here they are.
On the host, when the jail is not running :
%ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:11:09:15:72:6a
inet 192.168.1.38 netmask 0xff00 broadcast 192.168.1.255
media: Ethernet
Brice ERRANDONEA berrando...@yahoo.fr wrote:
On the host, when the jail is not running :
%ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:11:09:15:72:6a
inet 192.168.1.38 netmask 0xff00 broadcast
Where did you get that second IP address from? Did you just
add it manually? Or is that the address that your gateway
(DSL router, whatever) got assigned from your ISP?
I added it manually in rc.conf (on the host) :
hostname=FreeBSD.ici
ifconfig_rl0=DHCP
keymap=fr.iso.acc (yes, I'm
On 11/08/2010 9:09, Randal L. Schwartz wrote:
fbsd8 man 8 ifconfig
Yup, and using that, I can give a private 10.x address to my jail.
How do I get it to face the public without a firewall rule?
you need natd and firewall divert rule on jail host. Everything that
involve outside jail need
On 11/08/2010 01:55, Randal L. Schwartz wrote:
Fbsd8 == Fbsd8 fb...@a1poweruser.com writes:
Fbsd8 2. Using the host's firewall to drive traffic to a jail is a sign
Fbsd8 you have your jail incorrectly configured or do not understand
Fbsd8 how jails are intended to work.
OK, I'll bite. I
Randal L. Schwartz wrote:
Fbsd8 == Fbsd8 fb...@a1poweruser.com writes:
Fbsd8 No. Your jail is assigned its IP address when you create it. The
Fbsd8 alias gives the jail network access when you start the jail. Both
Fbsd8 IP addresses must match.
Yup, and if that's a 10.x address, I'm not on
On Wednesday 11 August 2010 03:07:32 Rocky Borg wrote:
You should probably preface this by saying you're the author of Qjail
and have been actively promoting it in a few places including the fbsd
forums.
That's interesting, given that you're replying to Fbsd8
fb...@a1poweruser.com. The
Matthew == Matthew Seaman m.sea...@infracaninophile.co.uk writes:
Matthew Yes, you can achieve the same effect using firewall rules, but
Matthew as I have occasionally said before, firewalls should be
Matthew optional -- ideally your system should be secure even if you
Matthew turn the firewall
Thomas == Thomas Wahyudi tho...@sanbe-farma.com writes:
Thomas On 11/08/2010 9:09, Randal L. Schwartz wrote:
fbsd8 man 8 ifconfig
Yup, and using that, I can give a private 10.x address to my jail.
How do I get it to face the public without a firewall rule?
Thomas you need natd and
On 11/08/2010 14:29, Randal L. Schwartz wrote:
Matthew == Matthew Seaman m.sea...@infracaninophile.co.uk writes:
Matthew Yes, you can achieve the same effect using firewall rules, but
Matthew as I have occasionally said before, firewalls should be
Matthew optional -- ideally your system
I meant that you could block access to private servers which need to
listen on public network ports by just using firewall rules, as opposed
to making the whole jail hang off a private interface and just
forwarding selected traffic to it.
For the second case, you would need pf to do the
I tried all of this without any result. But I won't give up.
What I want is a jail with an Apache http server running inside. So, the jail
must have a public IPv4 and access to the web.
What I'd understood of the jails' role (but I must have misunderstood) is that
it will have a different
Brice ERRANDONEA berrando...@yahoo.fr wrote:
I tried all of this without any result. But I won't give up.
What I want is a jail with an Apache http server running inside.
So, the jail must have a public IPv4 and access to the web.
Not necessarily. Of course, the jail _can_ have a public
Thank you very much for your answer. It helped me understand some elements. But
portsnap still doesn't work.
So, I can't contact DNS servers able to translate www.freebsd.org to
its ip. Since I know this ip, I tried : ping 69.147.83.33. This
time, the error message is :
ping: socket:
It seems that you have DNS problems.
Log in to your jail
go to /etc
Make a file called resolv.conf
which contains:
domain your_jail_domain
nameserver your_nameserver
and it will work...
Jack
PS sorry for the top posting.
I'm using outlook express :-(
- Original Message -
Thank you very much for your answer. It helped me understand some elements. But
portsnap still doesn't work.
So, I can't contact DNS servers able to translate www.freebsd.org to
its ip. Since I know this ip, I tried : ping 69.147.83.33. This
time, the error message is :
ping: socket:
On 8/11/2010 8:35 AM, Brice ERRANDONEA wrote:
I tried all of this without any result. But I won't give up.
What I want is a jail with an Apache http server running inside. So, the jail
must have a public IPv4 and access to the web.
I've been in the same boat as you and there isn't a lot of
On 11/08/2010 15:10:06, David Allen wrote:
I meant that you could block access to private servers which need to
listen on public network ports by just using firewall rules, as opposed
to making the whole jail hang off a private interface and just
forwarding selected traffic to it.
For the
Brice ERRANDONEA berrando...@yahoo.fr wrote:
Oliver Fromme wrote:
sysctl security.jail.allow_raw_sockets=1
I did it but ping still doesn't work.
Which IP address are you using for the jail now?
If you're using 127.0.0.1, you can only ping the host's
own IP addresses, because packets
On 08/10/2010 13:01, Brice ERRANDONEA wrote:
Hello,
I've just created my first FreeBSD jail in order to install a web server inside.
But I don't know how to connect it to the web. When I try pinging a http
website, it doesn't work. Of course, it works when I do it from outside the
jail.
On Tue, Aug 10, 2010 at 2:01 PM, Brice ERRANDONEA berrando...@yahoo.fr wrote:
Hello,
I've just created my first FreeBSD jail in order to install a web server
inside.
But I don't know how to connect it to the web. When I try pinging a http
website, it doesn't work. Of course, it works when I
On Tue, Aug 10, 2010 at 11:01:24AM +, Brice ERRANDONEA wrote:
Hello,
I've just created my first FreeBSD jail in order to install a web server
inside. But I don't know how to connect it to the web. When I try pinging a
http website, it doesn't work. Of course, it works when I do it from
On 8/10/2010 4:01 AM, Brice ERRANDONEA wrote:
Hello,
I've just created my first FreeBSD jail in order to install a web server inside.
But I don't know how to connect it to the web. When I try pinging a http
website, it doesn't work. Of course, it works when I do it from outside the
jail.
Brice ERRANDONEA wrote:
Hello,
I've just created my first FreeBSD jail in order to install a web server inside.
But I don't know how to connect it to the web. When I try pinging a http
website, it doesn't work. Of course, it works when I do it from outside the
jail.
Another problem,
Fbsd8 == Fbsd8 fb...@a1poweruser.com writes:
Fbsd8 2. Using the host's firewall to drive traffic to a jail is a sign
Fbsd8 you have your jail incorrectly configured or do not understand
Fbsd8 how jails are intended to work.
OK, I'll bite. I thought this was the only way to do this. Can you
On 8/10/2010 5:02 PM, Fbsd8 wrote:
1. ping is a security risk from within a jail and is disabled by
design. (read jail(8) for details). No use using a jail if the first
thing you do is re-enable ping in the jail. To test for public
internet connection from within a jail use dig or whois
Randal L. Schwartz wrote:
Fbsd8 == Fbsd8 fb...@a1poweruser.com writes:
Fbsd8 2. Using the host's firewall to drive traffic to a jail is a sign
Fbsd8 you have your jail incorrectly configured or do not understand
Fbsd8 how jails are intended to work.
OK, I'll bite. I thought this was the only
Fbsd8 == Fbsd8 fb...@a1poweruser.com writes:
Fbsd8 ifconfig alias
Fbsd8 man 8 ifconfig
Yup, and using that, I can give a private 10.x address to my jail.
How do I get it to face the public without a firewall rule?
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777
Rocky Borg wrote:
On 8/10/2010 5:02 PM, Fbsd8 wrote:
1. ping is a security risk from within a jail and is disabled by
design. (read jail(8) for details). No use using a jail if the first
thing you do is re-enable ping in the jail. To test for public
internet connection from within a jail use
Randal L. Schwartz wrote:
Fbsd8 == Fbsd8 fb...@a1poweruser.com writes:
Fbsd8 ifconfig alias
Fbsd8 man 8 ifconfig
Yup, and using that, I can give a private 10.x address to my jail.
How do I get it to face the public without a firewall rule?
No. Your jail is assigned its IP address when
Fbsd8 == Fbsd8 fb...@a1poweruser.com writes:
Fbsd8 No. Your jail is assigned its IP address when you create it. The
Fbsd8 alias gives the jail network access when you start the jail. Both
Fbsd8 IP addresses must match.
Yup, and if that's a 10.x address, I'm not on the net. So I have to
route