Hi all,

Is it mandatory to add device mem to jails to enable network via the gateway?

Left ezjail with FreeBSD-6.3 (and a hardware replacement of my server) and am now starting again with FreeBSD-7.1.

Early this week, I upgraded from 7.0 to 7.1 (not having 'used' jails on 7.0). After creating the jail with
`ezjail-admin update -i`
I created a 'ports build' jail
`ezjail-admin create build 127.0.0.3`
and forgot to add the alias to lo0, so no networking of course. So I added the 127.0.0.3 alias to lo0
`ifconfig lo0 inet 127.0.0.3 alias`
and restarted the jail.

Then I could get to the host machine, but not outside via the gateway.....
`netstat -nr` was returning errors
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist

But I could use the DNS on the host, but was restricted to the host.

After adding mem to the devfs_rules for my jail, I can see the routing tables.... And with mem added to devfs, I can also connect via the gateway on the host (NAT).

If it's required to add 'mem' to the devfs rules to enable networking in the jail, it may be worth adding to the FAQ and/or the man-pages for ezjail-admin and jail? (and perhaps add a devfsrules_netjail to the default/devfs.rules)

Kind regards,
Spil.
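Before unhiding mem in a jail's devfs ruleset it is worth knowing which rulesets already expose kernel-memory or packet-capture devices, since /dev/mem lets root inside the jail read host memory. The script below is an added example, not code from this thread or from ezjail: it audits devfs.rules text for unhide rules on mem, kmem, io and bpf, following "add include $ruleset" chains; the ruleset names and numbers in the sample input are constructed.

```shell
#!/bin/sh
# Audit a devfs.rules file for rulesets that unhide sensitive devices
# (mem, kmem, io, bpf), following "add include $ruleset" chains.
# Constructed sample input; not the /etc/devfs.rules from the thread.
SAMPLE_RULES=$(cat <<'EOF'
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login

[devfsrules_netjail=5]
add include $devfsrules_jail
add path 'mem' unhide
add path 'bpf*' unhide

[devfsrules_buildjail=6]
add include $devfsrules_netjail
EOF
)

# Reads devfs.rules text on stdin, prints one "ruleset device" line per exposure.
devfs_audit() {
    awk -v q="'" '
    # Ruleset header: [name=number]
    /^\[/ { cur = $0; sub(/^\[/, "", cur); sub(/=.*$/, "", cur); sub(/\]$/, "", cur); sets[cur] = 1; next }
    cur == "" || NF == 0 { next }
    # Remember included rulesets (strip the leading $)
    $1 == "add" && $2 == "include" { inc = $3; sub(/^\$/, "", inc); incl[cur] = incl[cur] " " inc; next }
    # Remember unhide rules whose device path starts with a sensitive name (quotes stripped)
    $1 == "add" && $2 == "path" && $NF == "unhide" {
        dev = $3; gsub(q, "", dev); gsub(/"/, "", dev)
        if (dev ~ /^(mem|kmem|io|bpf)/) unh[cur] = unh[cur] " " dev
        next
    }
    # Recursively report what "set" exposes on behalf of "top"; "seen" guards against include loops
    function walk(top, set,    n, parts, i) {
        if (set in seen) return
        seen[set] = 1
        n = split(unh[set], parts, " ")
        for (i = 1; i <= n; i++) print top, parts[i]
        n = split(incl[set], parts, " ")
        for (i = 1; i <= n; i++) walk(top, parts[i])
    }
    END { for (s in sets) { split("", seen); walk(s, s) } }
    ' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_RULES" | devfs_audit
```

A ruleset that only includes another one (devfsrules_buildjail above) is reported with the devices it inherits, which is the case that is easy to miss when reading /etc/devfs.rules by hand.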
Hi Peter,

Thanks a lot! Will read up on that. (Luckily I do speak German/Swiss-German.)

From discussions on ##FreeBSD IRC I learned that it is not recommended to use lo0 for jails! On FreeBSD-6.3 I successfully used lo0/127.0.0.2 for my mysql jail that needed to be addressed only locally, but ONLY LOCALLY, no other access.

It may be possible to add a line similar to
00100 divert 8668 ip from any to any in via xl0
to my ipfw/NAT config, but being warned, I'm not going down that path.

Since I moved my portbuild jail to bridge0/172.17.2.17 it works as expected, without device mem! And to boot I made errors when creating my aliases (ifconfig bridge0 inet 172.17.2.17 netmask *172.17.2.255* instead of 255.255.255.0).

I will protect the jails that only need to be connected to from local by adding rules to my ipfw setup.

Now let's hope that my failures/problems serve as reference for future users of (ez)jail!

Kind regards,
Spil.

2009/1/8 Oliver Peter <lists@peter.de.com>:
> On Thu, 8 Jan 2009 11:07:04 +0100
> "Spil Oss" <spil.oss@googlemail.com> wrote:
>
>> Early this week, I upgraded from 7.0 to 7.1 (not having 'used' jails
>> on 7.0). After creating the jail with
>> `ezjail-admin update -i`
>> I created a 'ports build' jail
>> `ezjail-admin create build 127.0.0.3`
>> and forgot to add the alias to lo0, so no networking of course. So I
>> added the 127.0.0.3 alias to lo0
>> `ifconfig lo0 inet 127.0.0.3 alias`
>> and restarted the jail
>
> If you use the loopback device for your jails you have to add NAT rules
> to your host machine, this documentation is very useful:
>
> http://www.rootforum.de/wiki/freebsd/04_jail_infrastructure#packet_filter_einrichten
>
> (The article is in German, but the configuration stuff should be
> understandable anyway)
>
> --
> Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
> "If it feels good, you're doing something wrong."
> -- Coach McTavish
On Thu, 8 Jan 2009 11:07:04 +0100
"Spil Oss" <spil.oss@googlemail.com> wrote:

> Early this week, I upgraded from 7.0 to 7.1 (not having 'used' jails
> on 7.0). After creating the jail with
> `ezjail-admin update -i`
> I created a 'ports build' jail
> `ezjail-admin create build 127.0.0.3`
> and forgot to add the alias to lo0, so no networking of course. So I
> added the 127.0.0.3 alias to lo0
> `ifconfig lo0 inet 127.0.0.3 alias`
> and restarted the jail

If you use the loopback device for your jails you have to add NAT rules to your host machine, this documentation is very useful:

http://www.rootforum.de/wiki/freebsd/04_jail_infrastructure#packet_filter_einrichten

(The article is in German, but the configuration stuff should be understandable anyway)

--
Oliver PETER, email: oliver@peter.de.com, ICQ# 113969174
"If it feels good, you're doing something wrong."
-- Coach McTavish