Hello,

I have configured a jail for users with sshd, ftpd and auth. I started this jail on IP 127.0.0.10 (there is an alias on the lo0 interface); there was not any bigger problem to start it. But I have a problem with internet in this jail. I can log in to this jail through ssh or ftpd, but I can't connect to the internet. I tried to set up some kind of NAT but it doesn't work. Can anybody help me with that problem? For now I set it up on an external IP and everything is okay. But I want to have this jail on a different iface that is not an external iface and is set, for example, on 127.0.0.10.

I also want to close the named service in a jail. I configured named so that it is only a caching server. And I tried to start it on the 127.0.0.53 IP alias, but it doesn't work because it cannot communicate with other DNS.

Thanks for any advice on my problem.

--
Best Regards: GiZmen
Hello!

> Can anybody help me with that problem? For now I set it up on an external IP
> and everything is okay. But I want to have this jail on a different iface that
> is not an external iface and is set, for example, on 127.0.0.10.

You should probably use a real IP for the jail, not one from 127.0.0.0/8.

--
Regards, Ilya
> > Can anybody help me with that problem? For now I set it up on an external IP
> > and everything is okay. But I want to have this jail on a different iface that
> > is not an external iface and is set, for example, on 127.0.0.10.
>
> You should probably use a real IP for the jail, not one from 127.0.0.0/8.

So there is no chance to set it up on 127.0.0.0/8 and have access to the internet? I wanted to have some daemons listening on an aliased IP on the lo0 iface, and then set up a few rules on the firewall to forward traffic from the external IP to those IPs on the lo0 interface.

THX

--
Best Regards: GiZmen
Hello!

> > > Can anybody help me with that problem? For now I set it up on an external IP
> > > and everything is okay. But I want to have this jail on a different iface that
> > > is not an external iface and is set, for example, on 127.0.0.10.
> >
> > You should probably use a real IP for the jail, not one from 127.0.0.0/8.
>
> So there is no chance to set it up on 127.0.0.0/8 and have access to the
> internet? I wanted to have some daemons listening on an aliased IP on the lo0
> iface, and then set up a few rules on the firewall to forward traffic from the
> external IP to those IPs on the lo0 interface.

In case you just want it to be on lo0, you can set up a real IP alias on lo0. If you need both lo0 AND 127.0.0.0/8... Well, do you _really_ need such a configuration?

--
Regards, Ilya
On Dec 19, 2003, at 12:13 PM, Ilya Kiselyov wrote:

> Hello!
>
>>>> Can anybody help me with that problem? For now I set it up on an
>>>> external IP and everything is okay. But I want to have this jail on a
>>>> different iface that is not an external iface and is set, for example,
>>>> on 127.0.0.10.
>>>
>>> You should probably use a real IP for the jail, not one from 127.0.0.0/8.
>>
>> So there is no chance to set it up on 127.0.0.0/8 and have access to the
>> internet? I wanted to have some daemons listening on an aliased IP on the
>> lo0 iface, and then set up a few rules on the firewall to forward traffic
>> from the external IP to those IPs on the lo0 interface.
>
> In case you just want it to be on lo0, you can set up a real IP alias
> on lo0. If you need both lo0 AND 127.0.0.0/8... Well, do you _really_
> need such a configuration?

Changing the IP on lo0 can break things or expose you; a lot of sensitive stuff goes over localhost, so be very, very careful mucking with the IP on lo0.

--Larry
> As I understood your problem, you need an additional alias on the lo0 interface
> for gateway IP purposes. So you have the lo0 interface and lo0_alias0
> 192.168.1.1 as the default gateway for jails. And now you create the new jails'
> IPs as aliases on the lo0 iface.
>
> For example:
>
> no jail, only gateway - lo0_alias0 192.168.1.1/24
>
> jail1 - lo0_alias1 192.168.1.2/24 - hostname jail1.domain.com
> in this jail set default gateway to 192.168.1.1
>
> jail2 - lo0_alias2 192.168.1.3/24 - hostname jail2.domain.com
> in this jail set default gateway to 192.168.1.1 also
>
> Your host machine has to be gateway enabled.
>
> Now if you want to switch on internet access from jail1 you only need to
> add a NAT rule to translate jail1's IP to the host's primary IP.
>
> Alesha.

I don't know how it can work. AFAIK, in a jail I can't change the default gateway.

--
Best Regards: GiZmen
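
The layout Alesha describes in the quoted message above, written out as an added example that is not part of the original thread. It assumes pf as the packet filter (the thread does not name one), a hypothetical external interface em0 and a hypothetical forwarded port 2222; a non-VNET jail uses the host's routing table, so nothing is set inside the jail itself.

```conf
# ---- /etc/rc.conf (host) ----
# Gateway address plus one alias per jail, all on lo0 (addresses from the thread).
# Further aliases inside an already-configured subnet take an all-ones netmask.
ifconfig_lo0_alias0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_lo0_alias1="inet 192.168.1.2 netmask 255.255.255.255"   # jail1
ifconfig_lo0_alias2="inet 192.168.1.3 netmask 255.255.255.255"   # jail2
gateway_enable="YES"      # "host machine has to be gateway enabled"
pf_enable="YES"           # assumption: pf is the firewall in use

# ---- /etc/pf.conf (host) ----
ext_if   = "em0"          # assumption: name of the external interface
jail_net = "192.168.1.0/24"
jail1    = "192.168.1.2"

# Outbound: rewrite jail source addresses to the host's external address,
# so replies from the internet (DNS answers to a caching named included)
# find their way back.
nat on $ext_if inet from $jail_net to any -> ($ext_if)

# Inbound: forward one external port to sshd in jail1
# (port 2222 is an assumption).
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 -> $jail1 port 22

# Packets claiming a jail source address must never arrive from outside.
block in quick on $ext_if inet from $jail_net to any
```
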
On Fri, Dec 19, 2003 at 08:13:41PM +0300, Ilya Kiselyov wrote:

> In case you just want it to be on lo0, you can set up a real ip alias on lo0.
> If you need both lo0 AND 127.0.0.0/8... Well, do you _really_ need such a
> configuration?

The lo(4) driver is cloneable in -CURRENT for things like this, amongst other things.

BMS