Re: problems with jail
OK, I managed to get it so something else wasn't grabbing *.*, dunno what made that happen. What you said made me think "Hey, there was something in the man pages about starting services", I figured I ought to test that out. So I did:

Pre-jail process/netstat:

[EMAIL PROTECTED] 07:52:14 (0) /usr/ports ps -A | grep syslog
 2952  ??  Ss     0:00.08 /usr/sbin/syslogd -b 192.168.1.84
[EMAIL PROTECTED] 07:52:17 (0) /usr/ports ps -A | grep send
 5489  p2  S+     0:00.00 grep send
[EMAIL PROTECTED] 07:52:25 (0) /usr/ports ps -A | grep name
[EMAIL PROTECTED] 07:52:29 (0) /usr/ports ps -A | grep inet
[EMAIL PROTECTED] 07:52:31 (0) /usr/ports ps -A | grep ssh
 2474  ??  Is     0:00.01 /usr/sbin/sshd
 5498  p2  R+     0:00.00 grep ssh
[EMAIL PROTECTED] 07:51:08 (0) ~ netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.84.53971     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.84.syslog    *.*

Starting jail:

[EMAIL PROTECTED] 07:52:50 (0) /usr/ports jail /jail/ [EMAIL PROTECTED] 192.168.1.85 /bin/sh /etc/rc
Loading configuration files.
Setting hostname: [EMAIL PROTECTED]
Creating and/or trimming log files:.
ln: /dev/log: Operation not permitted
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Clearing /tmp (X related).
Starting local daemons:.
Updating motd.
Starting sshd.
Starting cron.
Local package initialization:.
Sat Feb 24 07:54:40 UTC 2007

Jailed port/binding list:

[EMAIL PROTECTED] 07:54:05 (0) ~ netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.85.smtp      *.*                    LISTEN
tcp4       0      0  192.168.1.85.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.58735     nz-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.57400     oam-d17a.blue.ao.aol   ESTABLISHED
tcp4       0      0  192.168.1.84.56522     205.188.7.124.aol      ESTABLISHED
tcp4       0      0  192.168.1.84.50267     py-in-f83.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  192.168.1.85.syslog    *.*
udp4       0      0  192.168.1.84.syslog    *.*

Issue not confused, but it did give me some "try this" tests. Unfortunately I still can't connect to anything outside of the jail, not even to the host. SSHing into the jail does not work, into the host does.

[EMAIL PROTECTED] 07:54:40 (0) /usr/ports jail /jail/ legolas 92.168.1.85 /bin/csh
%ssh -x 192.168.1.84
^C

And as a last test I should have thought of before:

[EMAIL PROTECTED] 07:59:13 (0) /usr/ports sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
[EMAIL PROTECTED] 07:59:26 (0) /usr/ports jail /jail/ legolas 92.168.1.85 /bin/csh
%ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
^C
--- 127.0.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
%ifconfig
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:13:d4:2e:2f:62
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

Oh, and for testing purposes, I unhid everything in /jail/dev:

[EMAIL PROTECTED] 08:04:20 (0) /usr/ports devfs rule -s 666 show
100 path acd* hide
200 path ad10* hide
300 path audio* hide
400 path dsp* hide
500 path apm* hide
600 path dev* hide
700 path geom* hide
800 path kmem* hide
900 path mem* hide
1000 path nfs* hide
1100 path pci* hide
1200 path nvidia* hide
1300 path snd* hide
1400 path sysmouse* hide
1500 path ukbd0* hide
1600 path usb* hide
1700 path ums* hide
1800 path net* mode 755
1900 path ata* hide
2000 path atkbd* hide
2100 path kbd* hide
2200 path fd* hide
2300 path fid* hide
2400 path net* mode 777
2500 path show
2600 path * unhide

Still no luck. Thanks everyone for all the help, hopefully this is enough information to indicate the problem.

-Jim Stapleton

sockstat (referenced at the end of the netstat man page) will show you process names/ports. To get any given service to work inside the jail, that IP:Port must not be bound anywhere else, but it must be bound
Re: problems with jail
Jim Stapleton wrote:
> Issue not confused, but it did give me some "try this" tests. Unfortunately I still can't connect to anything outside of the jail, not even to the host. SSHing into the jail does not work, into the host does.
>
> [EMAIL PROTECTED] 07:54:40 (0) /usr/ports jail /jail/ legolas 92.168.1.85 /bin/csh
> %ssh -x 192.168.1.84
> ^C
>
> And as a last test I should have thought of before:
>
> [EMAIL PROTECTED] 07:59:13 (0) /usr/ports sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
> [EMAIL PROTECTED] 07:59:26 (0) /usr/ports jail /jail/ legolas 92.168.1.85 /bin/csh
> %ping 127.0.0.1
> PING 127.0.0.1 (127.0.0.1): 56 data bytes
> ^C

There is a 1 missing in front of 92.168.1.85.

If you do ifconfig inside the jail and you don't see the ipaddr. of the jail configured on any of the network interfaces, you did something wrong. Either you forgot to configure the ipaddr., or used the wrong one in the jail command.

greetings,
philipp

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: problems with jail
Thank you, that fixed it. After all the other stuff (some of which also had it broken), it was a 1... ARGH!

Thanks again, I am now the proud owner of a shiny new jail to put all my processes behind bars inside of. :-)

On 2/24/07, Philipp Wuensche [EMAIL PROTECTED] wrote:
> Jim Stapleton wrote:
> > Issue not confused, but it did give me some "try this" tests. Unfortunately I still can't connect to anything outside of the jail, not even to the host. SSHing into the jail does not work, into the host does.
> >
> > [EMAIL PROTECTED] 07:54:40 (0) /usr/ports jail /jail/ legolas 92.168.1.85 /bin/csh
> > %ssh -x 192.168.1.84
> > ^C
> >
> > And as a last test I should have thought of before:
> >
> > [EMAIL PROTECTED] 07:59:13 (0) /usr/ports sysctl security.jail.allow_raw_sockets
> > security.jail.allow_raw_sockets: 1
> > [EMAIL PROTECTED] 07:59:26 (0) /usr/ports jail /jail/ legolas 92.168.1.85 /bin/csh
> > %ping 127.0.0.1
> > PING 127.0.0.1 (127.0.0.1): 56 data bytes
> > ^C
>
> There is a 1 missing in front of 92.168.1.85.
>
> If you do ifconfig inside the jail and you don't see the ipaddr. of the jail configured on any of the network interfaces, you did something wrong. Either you forgot to configure the ipaddr., or used the wrong one in the jail command.
>
> greetings,
> philipp
Re: problems with jail
Thank you, it still did not connect using that. The mail server is an SMTP server. Also I copied over my host's resolve.conf file.

With all these hassles/headaches, would it be better/more secure for me to set up Bochs or QEmu running a virtual BSD server?

Thanks,
-Jim Stapleton

On 2/23/07, Jonathan Chen [EMAIL PROTECTED] wrote:
> On Fri, Feb 23, 2007 at 01:49:25AM +0000, Jim Stapleton wrote:
> > oops, did a reply instead of reply all, sorry.
> >
> > My question was what's the best way to test net connectivity in jail, csup?, and i did try csup (using a copy of my standard ports supfile), it failed:
> >
> > %csup -g -L 2 /etc/supfile-ports
> > Parsing supfile /etc/supfile-ports
> > Connecting to cvsup12.FreeBSD.org
> > Name lookup failure for cvsup12.FreeBSD.org: hostname nor servname provided, or not known
> > Will retry at 20:52:12
>
> You need to set up the jail's /etc/resolv.conf to query a suitable DNS.
>
> If you want to check connectivity from within the jail to out, you could always telnet mail-server-ip 25. To check connectivity in, you could try enabling the jail's sendmail server...
>
> Hope this helps.
> --
> Jonathan Chen    | To do is to be -- Nietzsche
> [EMAIL PROTECTED] | To be is to do -- Sartre
>                  | Scooby do be do -- Scooby
Re: problems with jail
At 08:22 PM 2/22/2007, you wrote:
> I'd like to get Apache running in jail, but I can't seem to get network working in jail.

..snip..

> Anyway, when I go to jail, running csh (as root) in jail, I try/get:
> %ping 192.168.1.1
> ping: socket: Operation not permitted

You can't ping from a jail unless you set the security.jail.allow_raw_sockets sysctl on the host OS.

- Jeff
Re: problems with jail
On Friday, 23 February 2007 02:49, Jim Stapleton wrote:
> oops, did a reply instead of reply all, sorry.
>
> My question was what's the best way to test net connectivity in jail, csup?, and i did try csup (using a copy of my standard ports

For ping (and other ICMP tools etc.) you have to change the following on the host:
'sysctl security.jail.allow_raw_sockets=1'
See the man (8) jail for more info!

Greetings,
-Harry

> supfile), it failed:
>
> %csup -g -L 2 /etc/supfile-ports
> Parsing supfile /etc/supfile-ports
> Connecting to cvsup12.FreeBSD.org
> Name lookup failure for cvsup12.FreeBSD.org: hostname nor servname provided, or not known
> Will retry at 20:52:12
>
> I'm only using one jail (it'll run apache, mysql and possibly sftp)
>
> Thanks,
> -Jim Stapleton
>
> On 2/23/07, Jonathan Chen [EMAIL PROTECTED] wrote:
> > On Fri, Feb 23, 2007 at 01:22:53AM +0000, Jim Stapleton wrote:
> > > I'd like to get Apache running in jail, but I can't seem to get network working in jail.
> > [...]
> > > Anyway, when I go to jail, running csh (as root) in jail, I try/get:
> > > %ping 192.168.1.1
> > > ping: socket: Operation not permitted
> >
> > This is normal. You can't ping out from a jail.
> >
> > If you're going to manage several jails on a box, I would suggest you try the ezjail port.
> >
> > Cheers.
> > --
> > Jonathan Chen [EMAIL PROTECTED]
> > ---
> > I love deadlines. I like the whooshing sound they make as they fly by - Douglas Adams

--
OmniSEC - UNIX and Windows networks - Secure
Harald Schmalzbauer
Flintsbacher Str. 3
80686 München
+49 (0) 89 18947781
+49 (0) 160 93860101
Re: problems with jail
Thank you, that's at least useful testing, but it did not work. Jail is definitely not getting any network action. Would a host netstat output be useful? It looks pretty cryptic.

Thanks,
-Jim Stapleton

On 2/23/07, Jeff Palmer [EMAIL PROTECTED] wrote:
> At 08:22 PM 2/22/2007, you wrote:
> > I'd like to get Apache running in jail, but I can't seem to get network working in jail.
>
> ..snip..
>
> > Anyway, when I go to jail, running csh (as root) in jail, I try/get:
> > %ping 192.168.1.1
> > ping: socket: Operation not permitted
>
> You can't ping from a jail unless you set the security.jail.allow_raw_sockets sysctl on the host OS.
>
> - Jeff
Re: problems with jail
Jim Stapleton wrote:
> Thank you, that's at least useful testing, but it did not work. Jail is definitely not getting any network action. Would a host netstat output be useful? It looks pretty cryptic.

Can you please post the output of ifconfig and jls. From your rc.conf it seems the ipaddr. for the jail is not configured, or configured wrongly, on your interface.

greetings,
philipp
Re: problems with jail
On Fri, Feb 23, 2007 at 03:25:00PM +0000, Jim Stapleton wrote:
> Thank you, it still did not connect using that. The mail server is an SMTP server. Also I copied over my host's resolve.conf file.

Hmm. Did you remember to set up the alias entry on your host machine? What about firewall changes?

> With all these hassles/headaches, would it be better/more secure for me to set up Bochs or QEmu running a virtual BSD server?

Dunno. I don't use those tools. My jail setup went surprisingly smoothly when I did it.
--
Jonathan Chen [EMAIL PROTECTED]
We laugh in the face of danger, we drop icecubes down the vest of fear - Edmond Blackadder III
Re: problems with jail
Jail:

[EMAIL PROTECTED] 14:04:11 (0) ~ sudo jail /jail/ legolas 192.168.1.85 /bin/csh
%telnet 192.168.1.4 25
Trying 192.168.1.4...
^Z
Suspended
%kill %1
[1]    Terminated              telnet 192.168.1.4 25
%ifconfig -a
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:13:d4:2e:2f:62
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

OK, from host:

[EMAIL PROTECTED] 14:02:11 (0) ~ ifconfig -a
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.84 netmask 0xffffff00 broadcast 192.168.1.255
        ether 00:13:d4:2e:2f:62
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
[EMAIL PROTECTED] 14:04:08 (0) ~ jls
   JID  IP Address      Hostname      Path
     1  192.168.1.85    legolas       /jail

Is that what you needed?

Thanks,
-Jim Stapleton

> Jim Stapleton wrote:
> > Thank you, that's at least useful testing, but it did not work. Jail is definitely not getting any network action. Would a host netstat output be useful? It looks pretty cryptic.
>
> Can you please post the output of ifconfig and jls. From your rc.conf it seems the ipaddr. for the jail is not configured, or configured wrongly, on your interface.
>
> greetings,
> philipp
Re: problems with jail
On Friday, 23 February 2007 20:07, Jim Stapleton wrote:
> Jail:
>
> [EMAIL PROTECTED] 14:04:11 (0) ~ sudo jail /jail/ legolas 192.168.1.85 /bin/csh
> %telnet 192.168.1.4 25
> Trying 192.168.1.4...
> ^Z
> Suspended
> %kill %1
> [1]    Terminated              telnet 192.168.1.4 25
> %ifconfig -a
> nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         ether 00:13:d4:2e:2f:62
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>
> OK, from host:
>
> [EMAIL PROTECTED] 14:02:11 (0) ~ ifconfig -a
> nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.1.84 netmask 0xffffff00 broadcast 192.168.1.255
>         ether 00:13:d4:2e:2f:62
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active

You are missing ifconfig_nve0_alias0=192.168.1.85/32 in rc.conf. The host has to have the IP of a jail, the network stack is not virtualized (yet?).

-Harry

> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
> [EMAIL PROTECTED] 14:04:08 (0) ~ jls
>    JID  IP Address      Hostname      Path
>      1  192.168.1.85    legolas       /jail
>
> Is that what you needed?
>
> Thanks,
> -Jim Stapleton
>
> > Jim Stapleton wrote:
> > > Thank you, that's at least useful testing, but it did not work. Jail is definitely not getting any network action. Would a host netstat output be useful? It looks pretty cryptic.
> >
> > Can you please post the output of ifconfig and jls. From your rc.conf it seems the ipaddr. for the jail is not configured, or configured wrongly, on your interface.
> >
> > greetings,
> > philipp

--
OmniSEC - UNIX and Windows networks - Secure
Harald Schmalzbauer
Flintsbacher Str. 3
80686 München
+49 (0) 89 18947781
+49 (0) 160 93860101
Re: problems with jail
At 02:07 PM 2/23/2007, Jim Stapleton wrote:
> Jail:
>
> [EMAIL PROTECTED] 14:04:11 (0) ~ sudo jail /jail/ legolas 192.168.1.85 /bin/csh
> %telnet 192.168.1.4 25

..snip..

> [EMAIL PROTECTED] 14:02:11 (0) ~ ifconfig -a
> nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.1.84 netmask 0xffffff00 broadcast 192.168.1.255
>         ether 00:13:d4:2e:2f:62
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
> [EMAIL PROTECTED] 14:04:08 (0) ~ jls
>    JID  IP Address      Hostname      Path
>      1  192.168.1.85    legolas       /jail
>
> Is that what you needed?
>
> Thanks,
> -Jim Stapleton

I don't see where you have 192.168.1.85 as an alias on the host OS.

ifconfig nve0 alias 192.168.1.85 netmask 255.255.255.255

then launch the jail.

- Jeff
Re: problems with jail
Nope, I didn't. I fixed that. It now doesn't give me an error, but at the same time I still don't get incoming/outgoing network traffic (after turning on the variable to allow raw sockets - note: telnet to my mailserver IP doesn't work either):

jail /jail/ legolas 92.168.1.85 /bin/csh
%ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
^C
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
%exit
exit

> On Fri, Feb 23, 2007 at 03:25:00PM +0000, Jim Stapleton wrote:
> > Thank you, it still did not connect using that. The mail server is an SMTP server. Also I copied over my host's resolve.conf file.
>
> Hmm. Did you remember to set up the alias entry on your host machine? What about firewall changes?
>
> > With all these hassles/headaches, would it be better/more secure for me to set up Bochs or QEmu running a virtual BSD server?
>
> Dunno. I don't use those tools. My jail setup went surprisingly smoothly when I did it.
Re: problems with jail
Jim Stapleton wrote:
> Jail:
>
> [EMAIL PROTECTED] 14:04:11 (0) ~ sudo jail /jail/ legolas 192.168.1.85 /bin/csh
> %telnet 192.168.1.4 25
> Trying 192.168.1.4...
> ^Z
> Suspended
> %kill %1
> [1]    Terminated              telnet 192.168.1.4 25
> %ifconfig -a
> nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         ether 00:13:d4:2e:2f:62
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>
> OK, from host:
>
> [EMAIL PROTECTED] 14:02:11 (0) ~ ifconfig -a
> nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 192.168.1.84 netmask 0xffffff00 broadcast 192.168.1.255
>         ether 00:13:d4:2e:2f:62
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
>         inet6 ::1 prefixlen 128
>         inet 127.0.0.1 netmask 0xff000000
> [EMAIL PROTECTED] 14:04:08 (0) ~ jls
>    JID  IP Address      Hostname      Path
>      1  192.168.1.85    legolas       /jail
>
> Is that what you needed?

You only have the 192.168.1.84 ipaddr. configured on your nve0 interface, you need to configure the 192.168.1.85 ipaddr. on the interface too.

Delete the ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0" line in rc.conf and replace it with ipv4_addrs_nve0="192.168.1.84-85/24" and do a reboot.

If you don't want to reboot, use ifconfig nve0 alias 192.168.1.85/32 to configure the alias while the system is running.

You could also use the jail_example_interface="nve0" option in rc.conf and reboot, but I don't recommend that because it is somewhat broken and poorly implemented.

greetings,
philipp
Re: problems with jail
new host rc.conf:

hostname="elrond.ameritech.net"
#ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
ipv4_addrs_nve0="192.168.1.84-85/24 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
#ifconfig_nve0="DHCP"
usbd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
sendmail_enable="NO"
inetd_flags="-wW -a 192.168.1.84"
rpcbind_enable="NO"

attempts after rebooting still fail.

The jail rc.conf:

#hostname="legolas.ameritech.net"
#ifconfig_nve0="inet 192.168.1.85 netmask 255.255.255.0"
#defaultrouter="192.168.1.1"
rpcbind_enable="NO"
ifconfig_nve0=""

I have tried this with both the above setup, and one setup commenting out the ifconfig_nve0="" line, and uncommenting the other ifconfig_nve0/defaultrouter lines (just in case I misread something). Neither worked.

Thanks
-Jim Stapleton

On 2/23/07, Philipp Wuensche [EMAIL PROTECTED] wrote:
> Jim Stapleton wrote:
> > Jail:
> >
> > [EMAIL PROTECTED] 14:04:11 (0) ~ sudo jail /jail/ legolas 192.168.1.85 /bin/csh
> > %telnet 192.168.1.4 25
> > Trying 192.168.1.4...
> > ^Z
> > Suspended
> > %kill %1
> > [1]    Terminated              telnet 192.168.1.4 25
> > %ifconfig -a
> > nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         ether 00:13:d4:2e:2f:62
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >
> > OK, from host:
> >
> > [EMAIL PROTECTED] 14:02:11 (0) ~ ifconfig -a
> > nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet 192.168.1.84 netmask 0xffffff00 broadcast 192.168.1.255
> >         ether 00:13:d4:2e:2f:62
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> >         inet6 ::1 prefixlen 128
> >         inet 127.0.0.1 netmask 0xff000000
> > [EMAIL PROTECTED] 14:04:08 (0) ~ jls
> >    JID  IP Address      Hostname      Path
> >      1  192.168.1.85    legolas       /jail
> >
> > Is that what you needed?
>
> You only have the 192.168.1.84 ipaddr. configured on your nve0 interface, you need to configure the 192.168.1.85 ipaddr. on the interface too.
>
> Delete the ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0" line in rc.conf and replace it with ipv4_addrs_nve0="192.168.1.84-85/24" and do a reboot.
>
> If you don't want to reboot, use ifconfig nve0 alias 192.168.1.85/32 to configure the alias while the system is running.
>
> You could also use the jail_example_interface="nve0" option in rc.conf and reboot, but I don't recommend that because it is somewhat broken and poorly implemented.
>
> greetings,
> philipp
Re: problems with jail
At 02:38 PM 2/23/2007, Jim Stapleton wrote:
> new host rc.conf:
>
> hostname="elrond.ameritech.net"
> #ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
> ipv4_addrs_nve0="192.168.1.84-85/24 netmask 255.255.255.0"
> defaultrouter="192.168.1.1"
> #ifconfig_nve0="DHCP"
> usbd_enable="YES"
> linux_enable="YES"
> sshd_enable="YES"
> sendmail_enable="NO"
> inetd_flags="-wW -a 192.168.1.84"
> rpcbind_enable="NO"

Jim: try the following:

hostname="elrond.ameritech.net"
ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
ifconfig_nve0_alias0="192.168.1.85 netmask 255.255.255.255"
defaultrouter="192.168.1.1"
#ifconfig_nve0="DHCP"
usbd_enable="YES"
linux_enable="YES"
sshd_enable="YES"

- Jeff
Re: problems with jail
It still does not function. I noticed the netmask and broadcast do not look right, could this be it?

[EMAIL PROTECTED] 16:26:28 (0) ~ ifconfig
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.84 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.85 netmask 0xffffffff broadcast 192.168.1.85
        ether 00:13:d4:2e:2f:62
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000

On 2/23/07, Jeff Palmer [EMAIL PROTECTED] wrote:
> At 02:38 PM 2/23/2007, Jim Stapleton wrote:
> > new host rc.conf:
> >
> > hostname="elrond.ameritech.net"
> > #ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
> > ipv4_addrs_nve0="192.168.1.84-85/24 netmask 255.255.255.0"
> > defaultrouter="192.168.1.1"
> > #ifconfig_nve0="DHCP"
> > usbd_enable="YES"
> > linux_enable="YES"
> > sshd_enable="YES"
> > sendmail_enable="NO"
> > inetd_flags="-wW -a 192.168.1.84"
> > rpcbind_enable="NO"
>
> Jim: try the following:
>
> hostname="elrond.ameritech.net"
> ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
> ifconfig_nve0_alias0="192.168.1.85 netmask 255.255.255.255"
> defaultrouter="192.168.1.1"
> #ifconfig_nve0="DHCP"
> usbd_enable="YES"
> linux_enable="YES"
> sshd_enable="YES"
>
> - Jeff
Re: problems with jail
Jim Stapleton wrote:
> new host rc.conf:
>
> hostname="elrond.ameritech.net"
> #ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
> ipv4_addrs_nve0="192.168.1.84-85/24 netmask 255.255.255.0"

/24 is already the netmask.

Can you ping the ipaddr. from another host in your network?

greetings,
philipp
Re: problems with jail
yes, I can ping it from this machine, other machines and jail. Going on that line, I tried to ssh to it, and I got into the host system. My problem is in the sshd config I think then? I'm pretty sure there are no other daemons running on this system... Oh, I guess I have devd and usbd, they shouldn't be causing issues:

[EMAIL PROTECTED] 20:05:26 (0) ~ ps -A | grep -e 'd$'
  484  ??  Is     0:00.01 /sbin/devd
  648  ??  Ss     0:00.01 /usr/sbin/usbd
  699  ??  Is     0:00.00 /usr/sbin/sshd
 1930  ??  Is     0:00.00 /usr/sbin/moused -p /dev/ums0 -t auto -I /var/run/moused.ums0.pid
 1957  ??  Ss     0:00.09 /usr/sbin/moused -p /dev/ums1 -t auto -I /var/run/moused.ums1.pid

Thanks,
-Jim Stapleton

On 2/23/07, Philipp Wuensche [EMAIL PROTECTED] wrote:
> Jim Stapleton wrote:
> > new host rc.conf:
> >
> > hostname="elrond.ameritech.net"
> > #ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
> > ipv4_addrs_nve0="192.168.1.84-85/24 netmask 255.255.255.0"
>
> /24 is already the netmask.
>
> Can you ping the ipaddr. from another host in your network?
>
> greetings,
> philipp
Re: problems with jail
On Saturday, 24 February 2007 02:06, Jim Stapleton wrote:
> yes, I can ping it from this machine, other machines and jail. Going on that line, I tried to ssh to it, and I got into the host system. My problem is in the sshd config I think then? I'm pretty sure

Please, read man (8) jail. All your pitfalls are very well explained!

> there are no other daemons running on this system... Oh, I guess I have devd and usbd, they shouldn't be causing issues:
>
> [EMAIL PROTECTED] 20:05:26 (0) ~ ps -A | grep -e 'd$'
>   484  ??  Is     0:00.01 /sbin/devd
>   648  ??  Ss     0:00.01 /usr/sbin/usbd
>   699  ??  Is     0:00.00 /usr/sbin/sshd
>  1930  ??  Is     0:00.00 /usr/sbin/moused -p /dev/ums0 -t auto -I /var/run/moused.ums0.pid
>  1957  ??  Ss     0:00.09 /usr/sbin/moused -p /dev/ums1 -t auto -I /var/run/moused.ums1.pid
>
> Thanks,
> -Jim Stapleton
>
> On 2/23/07, Philipp Wuensche [EMAIL PROTECTED] wrote:
> > Jim Stapleton wrote:
> > > new host rc.conf:
> > >
> > > hostname="elrond.ameritech.net"
> > > #ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
> > > ipv4_addrs_nve0="192.168.1.84-85/24 netmask 255.255.255.0"
> >
> > /24 is already the netmask.
> >
> > Can you ping the ipaddr. from another host in your network?
> >
> > greetings,
> > philipp

--
OmniSEC - UNIX and Windows networks - Secure
Harald Schmalzbauer
Flintsbacher Str. 3
80686 München
+49 (0) 89 18947781
+49 (0) 160 93860101
Re: problems with jail
I saw them in there, but that section seemed to be lacking in what I needed to do... I admit I missed the alias until someone reminded me.

By lacking I mean: "To configure sshd(8), it is necessary to modify /etc/ssh/sshd_config." doesn't tell me what I need to change, and I couldn't find the answer in the docs about sshd. I assume that having the listen port set to 192.168.1.84 should be sufficient, but that doesn't fix the problem.

OK, I didn't bother editing sendmail and named's files, I thought the suggested sendmail_enable="NO" would keep it from starting. I did turn off sendmail, but that didn't fix the problem. named is not running, and hasn't run on this machine.

and I did read the jail man page, I'm still stuck.

-Jim Stapleton

On 2/24/07, Harald Schmalzbauer [EMAIL PROTECTED] wrote:
> On Saturday, 24 February 2007 02:06, Jim Stapleton wrote:
> > yes, I can ping it from this machine, other machines and jail. Going on that line, I tried to ssh to it, and I got into the host system. My problem is in the sshd config I think then? I'm pretty sure
>
> Please, read man (8) jail. All your pitfalls are very well explained!
>
> > there are no other daemons running on this system... Oh, I guess I have devd and usbd, they shouldn't be causing issues:
> >
> > [EMAIL PROTECTED] 20:05:26 (0) ~ ps -A | grep -e 'd$'
> >   484  ??  Is     0:00.01 /sbin/devd
> >   648  ??  Ss     0:00.01 /usr/sbin/usbd
> >   699  ??  Is     0:00.00 /usr/sbin/sshd
> >  1930  ??  Is     0:00.00 /usr/sbin/moused -p /dev/ums0 -t auto -I /var/run/moused.ums0.pid
> >  1957  ??  Ss     0:00.09 /usr/sbin/moused -p /dev/ums1 -t auto -I /var/run/moused.ums1.pid
> >
> > Thanks,
> > -Jim Stapleton
> >
> > On 2/23/07, Philipp Wuensche [EMAIL PROTECTED] wrote:
> > > Jim Stapleton wrote:
> > > > new host rc.conf:
> > > >
> > > > hostname="elrond.ameritech.net"
> > > > #ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
> > > > ipv4_addrs_nve0="192.168.1.84-85/24 netmask 255.255.255.0"
> > >
> > > /24 is already the netmask.
> > >
> > > Can you ping the ipaddr. from another host in your network?
> > >
> > > greetings,
> > > philipp
>
> --
> OmniSEC - UNIX and Windows networks - Secure
> Harald Schmalzbauer
> Flintsbacher Str. 3
> 80686 München
> +49 (0) 89 18947781
> +49 (0) 160 93860101
Re: problems with jail
I did the ssh after you did the previous mail, but it didn't fix the problem.

I'm not having problems with sendmail or named, they were simply mentioned in the man page. I never had named running, and I didn't realize sendmail was running. The latter was my problem with sendmail. That problem as I said is fixed.

Beyond that I don't even know which processes on my system are daemons at this point, except usbd and devd, neither of which (to my knowledge) should be listening to any sockets. Actually there are a couple of kernel processes (pagedaemon, vmdaemon, and bufdaemon), but I don't know where to find documentation on them, X, and KDM. I can't find anything on limiting sockets of these to a specific IP only.

-Jim Stapleton

On 2/24/07, Harald Schmalzbauer [EMAIL PROTECTED] wrote:
> On Saturday, 24 February 2007 04:01, you wrote:
> > I saw them in there, but that section seemed to be lacking in what I needed to do... I admit I missed the alias until someone reminded me.
> >
> > By lacking I mean: "To configure sshd(8), it is necessary to modify /etc/ssh/sshd_config." doesn't tell me what I need to change, and I couldn't find the answer in the docs about sshd. I assume that having the listen port set to 192.168.1.84 should be sufficient, but that doesn't fix the problem.
>
> Well, have you sighuped sshd? If you have ListenAddress 192.168.1.84 in /etc/ssh/sshd_config (and sighuped/restarted sshd) it's impossible that it answers connections to 192.168.1.85.
>
> > OK, I didn't bother editing sendmail and named's files, I thought the suggested sendmail_enable="NO" would keep it from starting. I did turn off sendmail, but that didn't fix the problem. named is not running, and hasn't run on this machine.
>
> What problems do you have with named and sendmail? If you don't need them don't care about them, just keep them disabled.
>
> You have to limit listening sockets of all daemons running on the host system. That's all.
>
> Best regards,
> -Harry
>
> --
> OmniSEC - UNIX and Windows networks - Secure
> Harald Schmalzbauer
> Flintsbacher Str. 3
> 80686 München
> +49 (0) 89 18947781
> +49 (0) 160 93860101
Re: problems with jail
On Saturday, 24 February 2007 04:21, Jim Stapleton wrote:
> I did the ssh after you did the previous mail, but it didn't fix the problem. I'm not having problems with sendmail or named; they were simply mentioned in the man page. I never had named running, and I didn't realize sendmail was running. The latter was my problem with sendmail. That problem, as I said, is fixed.
>
> Beyond that I don't even know which processes on my system are daemons at this point, except usbd and devd, neither of which (to my knowledge) should be listening to any sockets. Actually there are a couple of kernel processes (pagedaemon, vmdaemon, and bufdaemon), but I don't know where to find documentation on them, X, and KDM. I can't find anything on limiting sockets of these to a specific IP only.

To see what daemons are listening you can use 'netstat -f inet -a'. Then you see if you have to limit some other daemons (use -f inet6 for IPv6 if configured).

Please post the output of the command above to see why you get ssh connections to your jail IP answered by the host's ssh daemon.

-Harry

--
OmniSEC - UNIX and Windows networks - secure
Harald Schmalzbauer
Flintsbacher Str. 3
80686 München
+49 (0) 89 18947781
+49 (0) 160 93860101
Re: problems with jail
OK, I have a fairly sizeable list, but it looks like most stuff is bound to 192.168.1.84 except two things: one is closed, and the other is syslog (guess I have to look at its man page). It also looks like there is something else there. I guess I'll be looking at the netstat man page to figure out how to get the name of the daemon touching it:

netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.84.57256     ar-in-f18.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.62237     caim-m05b.blue.a.aol   TIME_WAIT
tcp4       0      0  192.168.1.84.58627     oam-d17a.blue.ao.aol   TIME_WAIT
tcp4       0      0  192.168.1.84.64265     205.188.7.124.aol      TIME_WAIT
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  *.*                    *.*                    CLOSED
tcp4       0      0  192.168.1.84.61774     ar-in-f19.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
udp4       0      0  *.syslog               *.*
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp6       0      0  *.syslog               *.*

On 2/24/07, Harald Schmalzbauer [EMAIL PROTECTED] wrote:
> On Saturday, 24 February 2007 04:21, Jim Stapleton wrote:
> > I did the ssh after you did the previous mail, but it didn't fix the problem. I'm not having problems with sendmail or named; they were simply mentioned in the man page. I never had named running, and I didn't realize sendmail was running. The latter was my problem with sendmail. That problem, as I said, is fixed.
> >
> > Beyond that I don't even know which processes on my system are daemons at this point, except usbd and devd, neither of which (to my knowledge) should be listening to any sockets. Actually there are a couple of kernel processes (pagedaemon, vmdaemon, and bufdaemon), but I don't know where to find documentation on them, X, and KDM. I can't find anything on limiting sockets of these to a specific IP only.
>
> To see what daemons are listening you can use 'netstat -f inet -a'. Then you see if you have to limit some other daemons (use -f inet6 for IPv6 if configured).
>
> Please post the output of the command above to see why you get ssh connections to your jail IP answered by the host's ssh daemon.
>
> -Harry
Re: problems with jail
Addendum: I fixed syslogd by adding this to my rc.conf:

syslogd_flags="-b 192.168.1.84"

However, looking through netstat's man page, I couldn't find the name of the flag (if it exists) that will show the process name. Does that require a different tool?

Thank you,
-Jim Stapleton

On 2/24/07, Jim Stapleton [EMAIL PROTECTED] wrote:
> OK, I have a fairly sizeable list, but it looks like most stuff is bound to 192.168.1.84 except two things: one is closed, and the other is syslog (guess I have to look at its man page). It also looks like there is something else there. I guess I'll be looking at the netstat man page to figure out how to get the name of the daemon touching it:
>
> netstat -f inet -a; netstat -f inet6 -a
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0      0  192.168.1.84.57256     ar-in-f18.google.http  ESTABLISHED
> tcp4       0      0  192.168.1.84.62237     caim-m05b.blue.a.aol   TIME_WAIT
> tcp4       0      0  192.168.1.84.58627     oam-d17a.blue.ao.aol   TIME_WAIT
> tcp4       0      0  192.168.1.84.64265     205.188.7.124.aol      TIME_WAIT
> tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
> tcp4       0      0  *.*                    *.*                    CLOSED
> tcp4       0      0  192.168.1.84.61774     ar-in-f19.google.http  ESTABLISHED
> tcp4       0      0  192.168.1.84.53732     ar-in-f83.google.http  ESTABLISHED
> udp4       0      0  *.syslog               *.*
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp6       0      0  *.syslog               *.*
>
> On 2/24/07, Harald Schmalzbauer [EMAIL PROTECTED] wrote:
> > On Saturday, 24 February 2007 04:21, Jim Stapleton wrote:
> > > I did the ssh after you did the previous mail, but it didn't fix the problem. I'm not having problems with sendmail or named; they were simply mentioned in the man page. I never had named running, and I didn't realize sendmail was running. The latter was my problem with sendmail. That problem, as I said, is fixed.
> > >
> > > Beyond that I don't even know which processes on my system are daemons at this point, except usbd and devd, neither of which (to my knowledge) should be listening to any sockets. Actually there are a couple of kernel processes (pagedaemon, vmdaemon, and bufdaemon), but I don't know where to find documentation on them, X, and KDM. I can't find anything on limiting sockets of these to a specific IP only.
> >
> > To see what daemons are listening you can use 'netstat -f inet -a'. Then you see if you have to limit some other daemons (use -f inet6 for IPv6 if configured).
> >
> > Please post the output of the command above to see why you get ssh connections to your jail IP answered by the host's ssh daemon.
> >
> > -Harry
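Harald's netstat check, automated as an added example that is not from the thread or any of its posters: it reads `netstat -f inet -a` output (a constructed sample modelled on Jim's), flags server sockets not bound to the host address 192.168.1.84, and maps each to the fix the thread settled on (sshd ListenAddress, syslogd_flags -b, sendmail_enable=NO). HOST_IP, the sample and the rc_hint mapping are the example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: read `netstat -f inet -a` output and list
# the server sockets that are NOT bound to the host's own IP.  A host daemon
# listening on the wildcard address (*) also answers on the jail's IP, which is
# exactly the symptom Harald is diagnosing here.  HOST_IP and the sample output
# are constructed to match the addresses used in the thread.
HOST_IP="192.168.1.84"

# Constructed sample, modelled on the netstat output Jim posted.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.84.57256     ar-in-f18.google.http  ESTABLISHED
tcp4       0      0  192.168.1.84.ssh       *.*                    LISTEN
tcp4       0      0  *.*                    *.*                    CLOSED
tcp4       0      0  *.smtp                 *.*                    LISTEN
udp4       0      0  *.syslog               *.*
udp4       0      0  192.168.1.84.syslog    *.*'

# wildcard_listeners HOST_IP  (netstat output on stdin)
# Prints "proto local-address" for every server socket (TCP in LISTEN, or any
# UDP socket) whose local address is anything other than HOST_IP.
wildcard_listeners() {
    awk -v host="$1" '
        $1 !~ /^(tcp|udp)/ { next }                   # skip header lines
        ($1 ~ /^tcp/ && $6 == "LISTEN") || $1 ~ /^udp/ {
            n = split($4, parts, ".")                 # local address is addr.port
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != host) print $1, $4
        }'
}

# rc_hint SERVICE
# The knob the thread used to pin each flagged service to one address.
rc_hint() {
    case "$1" in
        ssh)    echo "sshd_config: ListenAddress $HOST_IP (then SIGHUP/restart sshd)" ;;
        syslog) echo "rc.conf: syslogd_flags=\"-b $HOST_IP\"" ;;
        smtp)   echo "rc.conf: sendmail_enable=\"NO\" (the thread simply disables it)" ;;
        *)      echo "consult the daemon's man page for a bind/listen address option" ;;
    esac
}

# report  (netstat output on stdin): one line per offending socket plus its hint.
report() {
    wildcard_listeners "$HOST_IP" | while read -r proto laddr; do
        printf '%s %s -> %s\n' "$proto" "$laddr" "$(rc_hint "${laddr##*.}")"
    done
}

printf '%s\n' "$SAMPLE_NETSTAT" | report
```

Run it against live output with `netstat -f inet -a | report` on the host; a socket already pinned to the host address, like the second syslog line in the sample, is not reported.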
problems with jail
I'd like to get Apache running in jail, but I can't seem to get network working in jail.

I followed the instructions in the man page for jail so far, creating the world install in my jail directory (/jail), which is the only BSD partition on the drive (ad8s3d; ad8s3b is swap, and ad8s3c is that weird partition chunk that always appears after a swap chunk). In doing this I should be able to remove the main system disk from the devfs in the jail, which seemed to be a good idea. But I hadn't gotten that far yet...

Regardless, I didn't squash out any devices just yet with devfs; instead, I ensured any 'net*' device had mode 755 (basic jail test, ping the tail on the router), and modified the rc.conf files as the manual page suggested.

Anyway, when I go to jail, running csh (as root) in jail, I try/get:

%ping 192.168.1.1
ping: socket: Operation not permitted

from my normal system prompt (out of jail):

ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=150 time=0.489 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=150 time=0.468 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=150 time=0.465 ms
...

I figure I messed something up pretty oddly for this not to work.

System: FreeBSD 6.2 i386, CSUP run 2007-02-10

Ports [and their required deps] installed: x11/xorg, x11/kde3, editors/xemacs, editors/openoffice.org-2, editors/nano, editors/pico, x11-wm/WMaker, lang/python25, net-im/gaim, www/firefox

System rc.conf:
hostname="elrond.ameritech.net"
ifconfig_nve0="inet 192.168.1.84 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
#ifconfig_nve0="DHCP"
usbd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
sendmail_enable="NO"
inetd_flags="-wW -a 192.168.1.84"
rpcbind_enable="NO"

jail rc.conf:
rpcbind_enable="NO"
#I had the nve0 interface setup with 192.168.1.85 and with assigned to it also

jail command (run from root for testing purposes only - I'll narrow it down to a less privileged host/jailed system user later):
jail /jail/ [EMAIL PROTECTED] 192.168.1.85 /bin/csh

The machine was rebooted since I set everything up.

Thank you,
-Jim Stapleton
Re: problems with jail
On Fri, Feb 23, 2007 at 01:22:53AM +, Jim Stapleton wrote:
> I'd like to get Apache running in jail, but I can't seem to get network working in jail.
> [...]
> Anyway, when I go to jail, running csh (as root) in jail, I try/get:
>
> %ping 192.168.1.1
> ping: socket: Operation not permitted

This is normal. You can't ping out from a jail.

If you're going to manage several jails on a box, I would suggest you try the ezjail port.

Cheers.
--
Jonathan Chen [EMAIL PROTECTED]
---
I love deadlines. I like the whooshing sound they make as they fly by - Douglas Adams
Re: problems with jail
Oops, did a reply instead of reply all, sorry.

My question was what's the best way to test net connectivity in jail, csup? And I did try csup (using a copy of my standard ports supfile); it failed:

%csup -g -L 2 /etc/supfile-ports
Parsing supfile /etc/supfile-ports
Connecting to cvsup12.FreeBSD.org
Name lookup failure for cvsup12.FreeBSD.org: hostname nor servname provided, or not known
Will retry at 20:52:12

I'm only using one jail (it'll run apache, mysql and possibly sftp).

Thanks,
-Jim Stapleton

On 2/23/07, Jonathan Chen [EMAIL PROTECTED] wrote:
> On Fri, Feb 23, 2007 at 01:22:53AM +, Jim Stapleton wrote:
> > I'd like to get Apache running in jail, but I can't seem to get network working in jail.
> > [...]
> > Anyway, when I go to jail, running csh (as root) in jail, I try/get:
> >
> > %ping 192.168.1.1
> > ping: socket: Operation not permitted
>
> This is normal. You can't ping out from a jail.
>
> If you're going to manage several jails on a box, I would suggest you try the ezjail port.
>
> Cheers.
> --
> Jonathan Chen [EMAIL PROTECTED]
> ---
> I love deadlines. I like the whooshing sound they make as they fly by - Douglas Adams
Re: problems with jail
On Fri, Feb 23, 2007 at 01:49:25AM +, Jim Stapleton wrote:
> Oops, did a reply instead of reply all, sorry.
>
> My question was what's the best way to test net connectivity in jail, csup? And I did try csup (using a copy of my standard ports supfile); it failed:
>
> %csup -g -L 2 /etc/supfile-ports
> Parsing supfile /etc/supfile-ports
> Connecting to cvsup12.FreeBSD.org
> Name lookup failure for cvsup12.FreeBSD.org: hostname nor servname provided, or not known
> Will retry at 20:52:12

You need to set up the jail's /etc/resolv.conf to query a suitable DNS.

If you want to check connectivity from within the jail to out, you could always "telnet mail-server-ip 25". To check connectivity in, you could try enabling the jail's sendmail server...

Hope this helps.
--
Jonathan Chen      | To do is to be -- Nietzsche
[EMAIL PROTECTED]  | To be is to do -- Sartre
                   | Scooby do be do -- Scooby
Re: problems with jail
On Fri, Feb 23, 2007 at 01:49:25AM +, Jim Stapleton wrote:
> [...]
> I'm only using one jail (it'll run apache, mysql and possibly sftp)

The reason why I'm using ezjail to manage multiple jails is that each jail only provides *one* external service, to minimise effects from intrusion/breakage.

Cheers.
--
Jonathan Chen [EMAIL PROTECTED]
--
If you wish your merit to be known, acknowledge that of other people
Still a few problems in jail
Hey,

Using (FreeBSD 4.7-Release).

It takes considerably long to login from a workstation to a jailed ssh server, or sometimes I even can't login. The "login:" appears, and then "Sent username 'xyz'", and then nothing happens, or after 20 or even far more seconds I can enter my password! For information: logging in from a workstation with ssh on the host itself causes no problems!

The only option in the jail sshd_config file which is set is the ListenAddress, which has the IP address of the jail!

As you can see below there are problems with timeout. (Some comments on the other errors, opensocket_f bind etc., are welcomed!! I replaced the original IP address with jail_ip_address. I'm also running bind in a sandbox; see the previous posting in the list with the title "Jail problems".)

I have deleted /var/log/messages and rebooted; this is the output after a fresh reboot!

%tail /var/log/messages
Dec 5 20:15:46 dns named[321]: not listening on any interfaces
Dec 5 20:15:46 dns named[321]: opensocket_f: bind([jail_ip_address].53): Address already in use
Dec 5 20:15:46 dns named[321]: opensocket_f: bind([jail_ip_address].53): Address already in use
Dec 5 20:15:46 dns sshd[331]: error: Bind to port 22 on jail_ip_address failed: Address already in use.
Dec 5 20:15:46 dns sshd[331]: fatal: Cannot bind any address.
Dec 5 20:15:46 dns syslogd: exiting on signal 15
Dec 5 20:16:55 dns named[198]: starting (/etc/named.conf). named 8.3.3-REL Wed Dec 4 09:59:37 CET 2002 xyz@xyz:/usr/obj/usr/src/usr.sbin/named
Dec 5 20:16:55 dns named[198]: limit files set to fdlimit (1024)
Dec 5 20:16:55 dns named[199]: Ready to answer queries.
Dec 5 20:17:44 dns sshd[237]: fatal: Timeout before authentication for my_pc_somewhere

Here is rc.conf from the jail:
hostname="x.y.z"
portmap_enable="NO"
network_interface=""
sshd_enable="YES"
sendmail_enable="NONE"
syslog_enable="YES"
syslogd_flags="-ss -l /etc/namedb/dev/log"
named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"

Here is sshd_config from the jail:

Many many many thanks for any help or comments
didier

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: Still a few problems in jail
Hi,

On Thu, 5 Dec 2002, Didier Wiroth wrote:
> Hey,
>
> Using (FreeBSD 4.7-Release).
>
> It takes considerably long to login from a workstation to a jailed ssh server, or sometimes I even can't login. The "login:" appears, and then "Sent username 'xyz'", and then nothing happens, or after 20 or even far more seconds I can enter my password!
> [rest snipped]

You most probably have DNS resolution problems in the jail. Do you have a correctly set up resolv.conf in your jail?

Greetings
Christian
--
CK Software GmbH          Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: [EMAIL PROTECTED]
Phone: +49 7452 889-135   Open Software Solutions, Network Security
Fax:   +49 7452 889-136   FreeBSD spoken here!