I had a break with this yesterday. I've just tried your suggestions. It still doesn't work, but the error message has changed.
>> On the host when the jail is running :
>>
>> FreeBSD# jls
>>    JID  IP Address      Hostname                      Path
>>      1  93.0.168.242    MaPrison                      /usr/prison
>> FreeBSD# ifconfig
>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=8<VLAN_MTU>
>>         ether 00:11:09:15:72:6a
>>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>>         inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>
> Where did you get that second IP address from? Did you just
> add it manually? Or is that the address that your gateway
> (DSL router, whatever) got assigned from your ISP?

I added it manually in rc.conf (on the host) :

jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="93.0.168.242"

I chose it because that's my computer's public IP, at least according to this website : http://whatismyipaddress.com/

> I assume that IP address is not really routed to your host,
> but that NAT (Network Address Translation) is used on your
> router. So you cannot use that address on the host.
> (If that's not true, please explain the structure of your
> network in more detail.)

My network is very simple. I've got a kind of modem provided by my phone company. It's called a "neufbox" and acts as a gateway. Its address is 192.168.1.1. This "neufbox" is connected to :
- the phone network
- a phone
- the FreeBSD computer through an ethernet wire
- two other computers via wifi

When I browse address 192.168.1.1 with Firefox, I can see a page telling me that this is the neufbox, that the internet and the phone are working, that the TV is not connected (that's true) and that its public IP address is 93.0.168.242. It also gives its MAC address and various other info.

> So, if my assumptions are true, you must use the address
> 192.168.1.38 for your jail.

OK. In /etc/rc.conf, I changed this line (see above) :

jail_server_ip="198.168.1.38"

> Make sure that DNS is working
> inside the jail ...
> It should be sufficient to copy
> /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

/etc/resolv.conf only contains this single line :

nameserver 192.168.1.1

I placed a copy of this file in the jail. After these changes and a complete reboot, I launched the jail and tried a portsnap fetch :

FreeBSD# /etc/rc.d/jail onestart server
Configuring jails:.
Starting jails: MaPrison.
FreeBSD# jls
   JID  IP Address      Hostname                      Path
     1  192.168.1.38    MaPrison                      /usr/prison
FreeBSD# jexec 1 portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... /usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1699: internal_send: 192.168.1.1#53: Invalid argument
/usr/src/lib/bind/isc/../../../contrib/bind9/lib/isc/unix/socket.c:1699: internal_send: 192.168.1.1#53: Invalid argument
 none found.
Fetching public key from portsnap.FreeBSD.org... failed.
No mirrors remaining, giving up.
FreeBSD#

Then Firefox (on the host) was no longer able to browse. I tried this on the host :

FreeBSD# ping www.freebsd.org
ping: cannot resolve www.freebsd.org: Host name lookup failure

In other words, it appeared that DNS was no longer working, even on the host. I rebooted again. This time, I didn't launch the jail. ping and Firefox worked perfectly well on the host, as they always had before.

> If it still doesn't work: Are you using any packet filter
> (ipfw, ipf, pf)? If so, please show the complete list of
> rules.

No, I don't. You told me it was not necessary.

> Otherwise, it might help to run tcpdump(1) on the host, so
> you can see the actual packets that are transmitted and
> received.
Here's what tcpdump says when the jail is NOT running (but Firefox is) :

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:08:50.300910 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 263
09:08:50.301378 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 335
09:08:50.301822 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 331
09:08:50.302275 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 311
09:08:50.302933 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 343
09:08:50.303485 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 325
09:08:50.303938 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.304383 IP neufbox.32774 > 239.255.255.250.1900: UDP, length 327
09:08:50.858573 IP FreeBSD.22077 > neufbox.domain: 24445+ PTR? 250.255.255.239.in-addr.arpa. (46)
09:08:50.906882 IP neufbox.domain > FreeBSD.22077: 24445 NXDomain 0/1/0 (103)
09:08:50.917164 IP FreeBSD.59750 > neufbox.domain: 24446+ PTR? 1.1.168.192.in-addr.arpa. (42)
09:08:50.918253 IP neufbox.domain > FreeBSD.59750: 24446* 1/0/0 PTR[|domain]
09:08:51.917971 IP FreeBSD.32837 > neufbox.domain: 24447+ PTR? 38.1.168.192.in-addr.arpa. (43)
09:08:51.918870 IP neufbox.domain > FreeBSD.32837: 24447* 1/0/0 (64)
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
FreeBSD#

Then, I started the jail. Firefox immediately stopped being able to browse websites.
I tried a tcpdump on the host while running portsnap fetch in the jail :

FreeBSD# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
09:43:50.333169 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:43:50.333621 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:43:50.334064 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:43:50.334499 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:43:50.334966 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:43:50.335402 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:43:50.335944 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:43:50.336560 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.333341 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 263
09:44:20.333807 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 335
09:44:20.334246 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 331
09:44:20.334684 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 311
09:44:20.335165 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 343
09:44:20.335603 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 325
09:44:20.336040 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
09:44:20.336480 IP 192.168.1.1.32774 > 239.255.255.250.1900: UDP, length 327
^C
16 packets captured
16 packets received by filter
0 packets dropped by kernel
FreeBSD#

If you compare these two tcpdumps, you can see that the word "neufbox" is replaced by 192.168.1.1. It confirms that DNS is no longer running.

Not easy...

Brice

________________________________
From: Oliver Fromme <o...@lurza.secnetix.de>
To: freebsd-questions@FreeBSD.ORG; berrando...@yahoo.fr
Sent: Thu 12 Aug 2010, 17:52:24
Subject: Re: Re : Re : How to connect a jail to the web ?
Brice ERRANDONEA <berrando...@yahoo.fr> wrote:
> On the host, when the jail is not running :
>
> %ifconfig
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         media: Ethernet autoselect (100baseTX <full-duplex>)

OK, so 192.168.1.38 is the only (non-localnet) IP address that you have. You should use that one for your jail.

> On the host when the jail is running :
>
> FreeBSD# jls
>    JID  IP Address      Hostname                      Path
>      1  93.0.168.242    MaPrison                      /usr/prison
> FreeBSD# ifconfig
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<VLAN_MTU>
>         ether 00:11:09:15:72:6a
>         inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
>         inet 93.0.168.242 netmask 0xffffffff broadcast 93.0.168.242
>         media: Ethernet autoselect (100baseTX <full-duplex>)

Where did you get that second IP address from? Did you just add it manually? Or is that the address that your gateway (DSL router, whatever) got assigned from your ISP?

I assume that IP address is not really routed to your host, but that NAT (Network Address Translation) is used on your router. So you cannot use that address on the host. (If that's not true, please explain the structure of your network in more detail.)

So, if my assumptions are true, you must use the address 192.168.1.38 for your jail. Make sure that DNS is working inside the jail ... It should be sufficient to copy /etc/resolv.conf from the host to /usr/prison/etc/resolv.conf

If it still doesn't work: Are you using any packet filter (ipfw, ipf, pf)? If so, please show the complete list of rules.

Otherwise, it might help to run tcpdump(1) on the host, so you can see the actual packets that are transmitted and received.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Commercial register: Registry court Munich, HRA 74606, Management: secnetix Verwaltungsgesellsch. mbH, Commercial register: Registry court Munich, HRB 125758, Managing directors: Maik Bachmann, Olaf Erb, Ralf Gebhart
FreeBSD services, products and more: http://www.secnetix.de/bsd

"C++ is the only current language making COBOL look good."
        -- Bertrand Meyer
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
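An added example, not part of the thread and not Brice's or Oliver's code: a small Python check that parses the jail_<name>_ip settings from rc.conf and the host's ifconfig output, then reports any jail address that does not lie inside one of the host's own subnets. The ifconfig and rc.conf text embedded below are constructed from the values quoted in the thread; the address 198.168.1.38 is the one Brice wrote into rc.conf. Run on those values it flags both the NAT router's public address 93.0.168.242 (as Oliver explained, not routed to the host) and 198.168.1.38, which differs from the host's 192.168.1.38 by one digit and is easy to miss by eye.

```python
# Added example (not from the thread): sanity-check jail_*_ip values in
# /etc/rc.conf against the host's ifconfig output before starting a jail.
# A jail address outside every host subnet (a NAT router's public address,
# or a mistyped private one) is caught here instead of surfacing later as
# failing lookups inside the jail.
import ipaddress
import re

# Constructed sample: the host's ifconfig(8) output as quoted in the thread,
# with the jail NOT running (only rl0's real address present).
IFCONFIG_OUTPUT = """\
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:11:09:15:72:6a
        inet 192.168.1.38 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
"""

# Constructed sample: the rc.conf jail stanza from the thread, with the
# address 198.168.1.38 exactly as Brice wrote it.
RC_CONF = """\
jail_server_rootdir="/usr/prison"
jail_server_hostname="MaPrison"
jail_server_ip="198.168.1.38"
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) netmask (0x[0-9a-fA-F]{8})")
JAIL_IP_RE = re.compile(r'^jail_(\w+)_ip="([^"]*)"')


def parse_ifconfig(text):
    """Return {ifname: [IPv4Interface, ...]} from ifconfig output."""
    nets = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            nets.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            addr, mask_hex = m.groups()
            # ifconfig prints the netmask in hex; ipaddress wants dotted quad
            mask = ipaddress.IPv4Address(int(mask_hex, 16))
            nets[current].append(ipaddress.IPv4Interface(f"{addr}/{mask}"))
    return nets


def parse_jail_ips(text):
    """Return {jailname: [ip, ...]} from jail_<name>_ip lines in rc.conf."""
    jails = {}
    for line in text.splitlines():
        m = JAIL_IP_RE.match(line.strip())
        if m:
            name, value = m.groups()
            jails[name] = [ip.strip() for ip in value.split(",") if ip.strip()]
    return jails


def check_jail_ip(ip_str, nets):
    """Classify one jail address against the host's subnets: (status, reason)."""
    try:
        ip = ipaddress.IPv4Address(ip_str)
    except ValueError:
        return "error", f"{ip_str!r} is not a valid IPv4 address"
    for ifname, ifaces in nets.items():
        for iface in ifaces:
            if ip not in iface.network:
                continue
            # On a real subnet the network and broadcast addresses are unusable
            if iface.network.prefixlen < 31 and ip in (
                iface.network.network_address, iface.network.broadcast_address
            ):
                return "error", f"{ip} is the network/broadcast address of {ifname}"
            return "ok", f"{ip} is on {ifname} ({iface.network})"
    return "error", (f"{ip} is inside no host subnet: a NAT router's public "
                     f"address, or a typo of a host address?")


def check_rc_conf(rc_conf_text, ifconfig_text):
    """Return {jailname: [(ip, status, reason), ...]} for every jail in rc.conf."""
    nets = parse_ifconfig(ifconfig_text)
    return {
        name: [(ip,) + check_jail_ip(ip, nets) for ip in ips]
        for name, ips in parse_jail_ips(rc_conf_text).items()
    }


if __name__ == "__main__":
    for name, results in check_rc_conf(RC_CONF, IFCONFIG_OUTPUT).items():
        for ip, status, reason in results:
            print(f"jail {name}: {ip}: {status}: {reason}")
```

On a live host the two constants would be replaced by the contents of /etc/rc.conf and the output of ifconfig run with the jail stopped, since a running jail adds its own /32 alias to the interface and would make any address look locally present.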