
jails in CURRENT: can not reach hosts on same network


O. Hartmann

Oct 5, 2016, 7:45:21 AM10/5/16
to freebsd-current
Hello list.

I struggle with setting up jails on most recent CURRENT.

The machine containing the jails has two NICs (bce0 and bce1). The host itself
is supposed to own NIC bce0 exclusively - means, the services running on that
NIC - syslogd, named and others - are bound to that NIC and should not be
shared with the bce1 or jails bound to bce1.

I followed the instructions given in the most recent version of the handbook
setting up a jail. So far, so good. The NIC bce1 (the second one) is "aliased"
with IPs from the local network. Forwarding is disabled
(net.inet.ip.forwarding: 0).

Setup of each jail is straightforward, with "ip4.addr=" set to the specific IP
and interface="bce1".

Within a jail, I can not reach an IP on the same network, not even the gateway
by pinging or doing name resolutions using the DNS server on the local net! The
curious thing is, by setting "nameserver 8.8.8.8" in /etc/resolv.conf, I can
ping "outer world systems" and performing name resolutions as well - this
implies, that the IP packets are delegated to the local gateway and then further
to the DNS of Google's. But pinging the local gateway directly (192.168.0.1)
seems to be prohibited as well as pinging or reaching any other IP on the net,
including the bce0 of the same host (via default gateway?) or any other aliased
IP.

Since I'm new to jails and the complicated handling with networks, I miss
something here which is probably not well documented. I found some notes on the
forum about setfib, FIB, but I lack the correct manpage to read more about
this concept, the meaning for a jail and its probable impact in my situation.

Following the suggestion setting

net.add_addr_allfibs=0

in /boot/loader.conf seems to be senseless - after a reboot this OID is always
set back to 1 (net.add_addr_allfibs=1).

Maybe someone has an idea what's wrong in principle with my attempts.

thanks in advance for your patience,

Oliver
_______________________________________________
freebsd...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-curre...@freebsd.org"

Alan Somers

Oct 5, 2016, 10:54:10 AM10/5/16
to O. Hartmann, freebsd-current
Firstly, ping doesn't work in a jail, because jailed processes aren't
allowed to open raw sockets. To lift that restriction, you can do
"sysctl security.jail.allow_raw_sockets". Depending on what your
security environment is like, you may or may not want to leave that
set permanently. You can also control it on a per-jail basis. If
you're using iocage to manage your jails, just do "iocage set
allow_raw_sockets=1 <jailtag>". If that doesn't work, then post the
output of "ifconfig". You shouldn't need to screw with fibs unless
your jails need to use a different gateway than the host.

-Alan
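As an added example (not part of the original thread, and not the poster's or the reply's own configuration): the per-jail form of the setting the reply mentions, written in jail.conf(5) syntax, next to a small POSIX shell/awk checker that reports the effective allow.raw_sockets value for a named jail. The jail names, addresses and paths below are constructed for the example. Host-wide, the default for jails that do not set the parameter comes from the sysctl the reply names; reading it is "sysctl security.jail.allow_raw_sockets", setting it is "sysctl security.jail.allow_raw_sockets=1". A jail's own allow.raw_sockets line takes precedence over that default, and the checker mirrors the same precedence (jail setting, then global jail.conf default, then 0).

```shell
#!/bin/sh
# Constructed sample jail.conf for this example (not from the thread).
# Global defaults sit outside any block; each jail block may override
# them.  "interface"/"ip4.addr" follow the layout the poster describes
# (aliases on bce1).  Only the "dns" jail is allowed raw sockets, so
# ping(8) works there and fails with "Operation not permitted" in "www".
SAMPLE_JAIL_CONF=$(cat <<'EOF'
# defaults for every jail
path = "/usr/jails/$name";
interface = "bce1";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
allow.raw_sockets = 0;   # same effect as the security.jail.allow_raw_sockets default

www {
    ip4.addr = 192.168.0.10;
}

dns {
    ip4.addr = 192.168.0.11;
    allow.raw_sockets = 1;   # ping/traceroute permitted inside this jail only
}
EOF
)

# effective_raw_sockets JAILNAME CONF_TEXT
# Prints 0 or 1: the jail's own allow.raw_sockets if set, else the
# global jail.conf default, else 0.  Assumes one statement per line
# and one-line "name {" / "}" block delimiters, as in the handbook
# examples; it understands "allow.raw_sockets = N;",
# "allow.raw_sockets;" (true) and "allow.noraw_sockets;" (false).
effective_raw_sockets() {
    printf '%s\n' "$2" | awk -v jail="$1" '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*[^ \t{}=;]+[ \t]*\{/ {          # "name {" opens a jail block
            cur = $1; sub(/\{.*/, "", cur); next
        }
        /^[ \t]*\}/ { cur = ""; next }          # "}" closes it
        /allow\.(no)?raw_sockets/ {
            if ($0 ~ /allow\.noraw_sockets/)            val = 0
            else if (match($0, /=[ \t]*[0-9]+/))        val = substr($0, RSTART + 1, RLENGTH - 1) + 0
            else                                        val = 1
            if (cur == "")        { def = val; hasdef = 1 }
            else if (cur == jail) { own = val; seen = 1 }
        }
        END {
            if (seen) print own
            else if (hasdef) print def
            else print 0
        }
    '
}

# Stand-alone run: report the effective value for each sample jail.
for j in www dns; do
    printf '%s: allow.raw_sockets=%s\n' "$j" \
        "$(effective_raw_sockets "$j" "$SAMPLE_JAIL_CONF")"
done
```

Run it against a real /etc/jail.conf with effective_raw_sockets NAME "$(cat /etc/jail.conf)" before assuming a failed ping inside a jail is a routing problem; as the reply says, raw sockets are the first thing to rule out, and leaving them enabled host-wide is a broader grant than enabling them in the one jail that needs them.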

Ernie Luzar

Oct 5, 2016, 12:47:49 PM10/5/16
to O. Hartmann, freebsd-current
First of all trying to teach yourself about LAN & jail usage using
[CURRENT] is the wrong version of FreeBSD to be using because it's the
bleeding edge where all the OS updates are tested. You should be using
10.3 or soon to be published 11.0. With CURRENT you can't tell if
problems are caused by you not configuring something correctly or you
fell into an OS bug.

Now if you have a LAN & jail setup working on a RELEASE version and you
really think your problem is caused by a bug in CURRENT then you need to
come out and state that. But based on the tone of your post that is not
the case.

Secondly, the "current" list is the incorrect list to be posting this
type of question. You should post this to the "questions" or the "jail"
list.

The ping command from within a jail is considered a security risk and
disabled by jail(8) design.

It seems to me that you are mixing 2 separate problems, LAN
configuration and jail configuration. You need to first get your LAN
nodes talking to each other and with the host, before you add jail(8)
into the mix.

The standard LAN configuration runs a DHCP server on the host to assign
private IP address to the LAN PCs when they power on.

Since your host box functions as a [gateway box] with a LAN behind it
you need to have gateway_enable="YES" in your host's rc.conf file.

You also need a firewall to NAT the private LAN IP addresses to the
host's public ISP issued IP address. I recommend ipfilter which is in the
base system, it's open source and runs on almost all other Unix flavored
OS's making it very easy to use the same firewall rule set across other
OS's.

After you have your LAN nodes being able to ping the host and other
nodes on the LAN, and also access the public internet, then is the time
to play with jails.

I recommend you use the jail utility sysutil/qjail port. It simplifies
jail management and is very user friendly. Be sure not to assign private
IP addresses to jails that are controlled by DHCP or the LAN node will
stop working when the jail starts using the same IP address.

A detailed description of how you intend to use jails would go a long way
to customizing any additional help you may require from posts to the
"questions" list.