Re: Configuring network without ezjail

2015-12-13 Thread Michael B. Eichorn
On Sun, 2015-12-13 at 05:45 +, marcel wrote:
> 
> On 12/12/2015 02:59, Michael B. Eichorn wrote:
> > On Fri, 2015-12-11 at 21:44 -0500, Michael B. Eichorn wrote:
> > > On Sat, 2015-12-12 at 02:08 +, marcel wrote:
> > > > ... and I think I have enabling gateway, I wrote this in both of
> > > > my rc.conf (jail and host):
> > > > 
> > > > gateway_enable="YES"
> > > > 
> > > > Is it correct ?
> > > You only need gateway_enable if you are doing routing, it is not
> > > necessary for a typical jail setup. Most of the time you are just
> > > adding an alias to the host's nic.
> OK so if I want to my jail can access to internet I have to do routing,
> right ?

No. In your other email you mentioned the host is behind a router, just
assign the jail a static ip on the same subnet as the host. The router
will treat it very similarly to adding another computer via a switch.

> > > > But I don't think I have DNS problems, my host correctly access to
> > > > the internet and the resolv.conf of my jail and my host are same...
> > > > 
> > > > On 12/12/2015 01:50, marcel wrote:
> > > > > No I don't get to have an IP address... Yet I have written this in
> > > > > my host's rc.conf:
> > > > > 
> > > > > jail_enable="YES"
> > > > > jail_list="thename"
> > > > > jail_guantanamo_rootdir="thepath"
> > > > > jail_guantanamo_hostname="thename"
> > > > > jail_guantanamo_ip="192.168.0.12"
> > > > > 
> > > > > and I use the command:
> > > > > 
> > > > > jail thepath thename 192.168.0.12 /bin/csh
> > > > > 
> > > > > to connect to my jail...
> > > > > 
> > > > > On 11/12/2015 23:31, Dirk Engling wrote:
> > > > > > On 12.12.15 01:19, marcel wrote:
> > > > > > 
> > > > > > > I would like to know if it is possible to configure a jail's
> > > > > > > network for accessing to the World Wide Web but without ezjail ?
> > > > > > > I have created my jail without ezjail (mkdir jail, make
> > > > > > > installworld, etc...) and I would like to continue without it
> > > > > > > if it's possible...
> > > > > > Sure, why doesn't it connect to the net? Does it have a RFC1918
> > > > > > IP? If so, you need to enable NAT. If not, did you enable
> > > > > > gatewaying? Maybe you just have DNS problems, so is your
> > > > > > resolv.conf set up properly?
> > > > > > 
> > > > > > Without knowing what exactly is not working, I can not help you.
> > > > > > 
> > > > > >   erdgeist
> > > I think you found some old instructions, assuming a 10.x system here
> > > is the boilerplate for a typical jail:
> > > 
> > > rc.conf:
> > > 
> > >   jail_enable="YES"
> > > 
> > > jail.conf:
> > > 
> > >   interface = re0;
> > >   mount.devfs;
> > >   exec.start = "/bin/sh /etc/rc";
> > >   exec.stop = "/bin/sh /etc/rc.shutdown";
> > > 
> > >   thenameofthejail {
> > >     host.hostname = host.domain.tld;
> > >     path = /the/path/to/the/jail;
> > >     ip4.addr = 192.168.0.12;
> > >   }
> > > 
> > > and start it up with
> > > 
> > > # jail -c thenameofthejail
> > > 
> > > And another handy tip you can avoid building a jail with make by
> > > extracting the base.txz file found in places like the install media
> > > into the jail directory
> OK, so my jail.conf look like your jail.conf and when I type jls my jail
> have the IP 192.168.0.12 but when I type ifconfig in my jail I have
> no ip...

Is 192.168.0.12 your host IP? The jail needs a different static IP
address e.g. 182,168.0.13. There are ways around this but usually you
want a different IP. Each jail and the host have a different IP. The
setting ip4.addr in jail.conf will cause jail(8) to create an alias
with the new IP on the NIC specified by interface in jail.conf.
Destroying the jail with `jail -r  ` removes the alias.

> > Oh and before I forget, the trickiest thing for me moving from ezjail
> > to jail was updating. Assuming your jails are complete base systems and
> > that you would like to use binary updates with freebsd-update, and you
> > have completely separated jails without any funny tricks to save space,
> > here is Ike's simple jail update guide:
> > 
> > edit the jail's freebsd-update.conf and change
> > 
> > Components src world kernel
> > -to-
> > Components world
> > 
> > then run freebsd-update like so:
> > 
> > # freebsd-update -b /usr/jails/jaildir \
> >   -f /usr/jails/jaildir/etc/freebsd-update.conf \
> >   -d /usr/jails/jaildir/var/db/freebsd-update fetch
> > # freebsd-update -b /usr/jails/jaildir \
> >   -f /usr/jails/jaildir/etc/freebsd-update.conf \
> >   -d /usr/jails/jaildir/var/db/freebsd-update install
> > 
> > Using the -f flag keeps the jail from using the host config since jails
> > cannot update kernels anyway. And -d keeps jails and hosts from
> > trampling each other which is nice if you want to do more than one at a
> > time, or if you use freebsd-upda

Re: OSS in jail

2015-12-13 Thread James Gritton

On 2015-12-12 15:44, Luís Fernando Schultz Xavier da Silveira wrote:

> I would like one of my jails to have the ability to play back sound,
> but not to record it. As I understand, sound is played back by writing
> to /dev/dsp and recorded by reading from it. Hence, placing the /dev/dsp
> device (and /dev/dsp[0-9]* devices) in the jail via devfs.rules is not
> a solution since the jail superuser can override permissions on these
> devices and even read from them when they lack read permission.
>
> Is there a way to give a device to a jail in write-only mode?
> If not, is it possible to create a virtual OSS stack and give that to
> the jail?
> How would you solve this problem?
>
> Also, is it possible to give the jail a mixer device that can only read
> mixer settings but not alter them?


There is no mechanism for adding a device to a jail with partial 
permissions.  Generally, it wouldn't just be reading and writing, but a 
per-device decision on different ioctl calls.  This would require an 
entire jail device framework that doesn't exist.


I suppose it's possible to create a virtual OSS stack - sounds like a 
pretty big project though.  If I had this job to do, that's likely the 
direction I'd go, though instead of a virtual OSS driver, I'd consider 
something on the user level, with a listening UNIX socket inside the 
jail.  I doubt this would work seamlessly without recompiling software 
though (again, the ioctl question).


- Jamie
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
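
One way to build the user-level approach suggested in the reply above, as an added example that is not code from the thread: a host-side relay opens the sound device write-only and listens on a UNIX socket placed under the jail's root, so the jail never gets a /dev/dsp node to read from or send ioctls to. The socket path, chunk size and raw-PCM framing are assumptions.

```python
import os
import socket

CHUNK = 4096  # bytes forwarded per read (assumed value)


def open_sink(device="/dev/dsp"):
    """Open the sound device write-only. This runs on the host, not in the jail."""
    return os.open(device, os.O_WRONLY)


def listen_in_jail(sock_path, mode=0o660):
    """Create the listening UNIX socket at a path inside the jail's root directory."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, mode)  # who inside the jail may play sound
    srv.listen(1)
    return srv


def relay_playback(conn, sink_fd):
    """Copy bytes from the jail client to the sink. Nothing ever flows back."""
    try:
        # Close our sending half: the client only ever sees EOF on read.
        conn.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone
    total = 0
    while True:
        data = conn.recv(CHUNK)
        if not data:
            return total
        view = memoryview(data)
        while view:  # os.write may be partial
            written = os.write(sink_fd, view)
            view = view[written:]
        total += len(data)


def serve(sock_path, device="/dev/dsp"):
    """Accept one jail client at a time and play what it sends."""
    sink = open_sink(device)
    srv = listen_in_jail(sock_path)
    try:
        while True:
            conn, _ = srv.accept()
            with conn:
                relay_playback(conn, sink)
    finally:
        srv.close()
        os.close(sink)


if __name__ == "__main__":
    # Hypothetical socket location under the jail root used elsewhere on this page.
    serve("/usr/jails/jaildir/var/run/audio.sock")
```

Programs in the jail have to write PCM to the socket instead of opening /dev/dsp, which is the recompilation cost the reply anticipates; mixer access is not relayed at all.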

Re: OSS in jail

2015-12-13 Thread Konstantin Belousov
On Sun, Dec 13, 2015 at 08:23:57AM -0700, James Gritton wrote:
> On 2015-12-12 15:44, Luís Fernando Schultz Xavier da Silveira wrote:
> > 
> > I would like one of my jails to have the ability to play back sound,
> > but not to record it. As I understand, sound is played back by writing
> > to /dev/dsp and recorded by reading from it. Hence, placing the /dev/dsp
> > device (and /dev/dsp[0-9]* devices) in the jail via devfs.rules is not
> > a solution since the jail superuser can override permissions on these
> > devices and even read from them when they lack read permission.
> > 
> > Is there a way to give a device to a jail in write-only mode?
> > If not, is it possible to create a virtual OSS stack and give that to
> > the jail?
> > How would you solve this problem?
> > 
> > Also, is it possible to give the jail a mixer device that can only read
> > mixer settings but not alter them?
> 
> There is no mechanism for adding a device to a jail with partial 
> permissions.  Generally, it wouldn't just be reading and writing, but a 
> per-device decision on different ioctl calls.  This would require an 
> entire jail device framework that doesn't exist.
> 
> I suppose it's possible to create a virtual OSS stack - sounds like a 
> pretty big project though.  If I had this job to do, that's likely the 
> direction I'd go, though instead of a virtual OSS driver, I'd consider 
> something on the user level, with a listening UNIX socket inside the 
> jail.  I doubt this would work seamlessly without recompiling software 
> though (again, the ioctl question).

There are a lot of usermode sound servers, already written, some of them
are even used. I am sure that among the dozens there are several which
would allow one to restrict access and provide a connector into the jail.

IMO it is a much more practical way to achieve the stated goal than trying
to restrict /dev/dsp access.


Re: OSS in jail

2015-12-13 Thread Luís Fernando Schultz Xavier da Silveira
I see. It does indeed seem a sound server is the appropriate solution.

Thanks.

On Sun, Dec 13, 2015 at 06:05:22PM +0200, Konstantin Belousov wrote:
> On Sun, Dec 13, 2015 at 08:23:57AM -0700, James Gritton wrote:
> > On 2015-12-12 15:44, Luís Fernando Schultz Xavier da Silveira wrote:
> > > 
> > > I would like one of my jails to have the ability to play back sound,
> > > but not to record it. As I understand, sound is played back by writing
> > > to /dev/dsp and recorded by reading from it. Hence, placing the /dev/dsp
> > > device (and /dev/dsp[0-9]* devices) in the jail via devfs.rules is not
> > > a solution since the jail superuser can override permissions on these
> > > devices and even read from them when they lack read permission.
> > > 
> > > Is there a way to give a device to a jail in write-only mode?
> > > If not, is it possible to create a virtual OSS stack and give that to
> > > the jail?
> > > How would you solve this problem?
> > > 
> > > Also, is it possible to give the jail a mixer device that can only read
> > > mixer settings but not alter them?
> > 
> > There is no mechanism for adding a device to a jail with partial 
> > permissions.  Generally, it wouldn't just be reading and writing, but a 
> > per-device decision on different ioctl calls.  This would require an 
> > entire jail device framework that doesn't exist.
> > 
> > I suppose it's possible to create a virtual OSS stack - sounds like a 
> > pretty big project though.  If I had this job to do, that's likely the 
> > direction I'd go, though instead of a virtual OSS driver, I'd consider 
> > something on the user level, with a listening UNIX socket inside the 
> > jail.  I doubt this would work seamlessly without recompiling software 
> > though (again, the ioctl question).
> 
> There are a lot of usermode sound servers, already written, some of them
> are even used. I am sure that among the dozens there are several which
> would allow one to restrict access and provide a connector into the jail.
> 
> IMO it is a much more practical way to achieve the stated goal than trying
> to restrict /dev/dsp access.


Re: Configuring network without ezjail

2015-12-13 Thread marcel


On 13/12/2015 14:14, Michael B. Eichorn wrote:
> On Sun, 2015-12-13 at 05:45 +, marcel wrote:
>> On 12/12/2015 02:59, Michael B. Eichorn wrote:
>>> On Fri, 2015-12-11 at 21:44 -0500, Michael B. Eichorn wrote:
>>>> On Sat, 2015-12-12 at 02:08 +, marcel wrote:
>>>>> ... and I think I have enabling gateway, I wrote this in both of
>>>>> my rc.conf (jail and host):
>>>>>
>>>>> gateway_enable="YES"
>>>>>
>>>>> Is it correct ?
>>>> You only need gateway_enable if you are doing routing, it is not
>>>> necessary for a typical jail setup. Most of the time you are just
>>>> adding an alias to the host's nic.
>> OK so if I want to my jail can access to internet I have to do routing,
>> right ?
> No. In your other email you mentioned the host is behind a router, just
> assign the jail a static ip on the same subnet as the host. The router
> will treat it very similarly to adding another computer via a switch.
I've already done this and it doesn't work, jls shows the address I have
configured but ifconfig shows nothing in the jail, and I still have no
internet connection in the jail...
>
>>>>> But I don't think I have DNS problems, my host correctly access to
>>>>> the internet and the resolv.conf of my jail and my host are same...
>>>>>
>>>>> On 12/12/2015 01:50, marcel wrote:
>>>>>> No I don't get to have an IP address... Yet I have written this in
>>>>>> my host's rc.conf:
>>>>>>
>>>>>> jail_enable="YES"
>>>>>> jail_list="thename"
>>>>>> jail_guantanamo_rootdir="thepath"
>>>>>> jail_guantanamo_hostname="thename"
>>>>>> jail_guantanamo_ip="192.168.0.12"
>>>>>>
>>>>>> and I use the command:
>>>>>>
>>>>>> jail thepath thename 192.168.0.12 /bin/csh
>>>>>>
>>>>>> to connect to my jail...
>>>>>>
>>>>>> On 11/12/2015 23:31, Dirk Engling wrote:
>>>>>>> On 12.12.15 01:19, marcel wrote:
>>>>>>>
>>>>>>>> I would like to know if it is possible to configure a jail's
>>>>>>>> network for accessing to the World Wide Web but without ezjail ?
>>>>>>>> I have created my jail without ezjail (mkdir jail, make
>>>>>>>> installworld, etc...) and I would like to continue without it
>>>>>>>> if it's possible...
>>>>>>> Sure, why doesn't it connect to the net? Does it have a RFC1918
>>>>>>> IP? If so, you need to enable NAT. If not, did you enable
>>>>>>> gatewaying? Maybe you just have DNS problems, so is your
>>>>>>> resolv.conf set up properly?
>>>>>>>
>>>>>>> Without knowing what exactly is not working, I can not help you.
>>>>>>>
>>>>>>>   erdgeist
>>>> I think you found some old instructions, assuming a 10.x system here
>>>> is the boilerplate for a typical jail:
>>>>
>>>> rc.conf:
>>>>
>>>>   jail_enable="YES"
>>>>
>>>> jail.conf:
>>>>
>>>>   interface = re0;
>>>>   mount.devfs;
>>>>   exec.start = "/bin/sh /etc/rc";
>>>>   exec.stop = "/bin/sh /etc/rc.shutdown";
>>>>
>>>>   thenameofthejail {
>>>>     host.hostname = host.domain.tld;
>>>>     path = /the/path/to/the/jail;
>>>>     ip4.addr = 192.168.0.12;
>>>>   }
>>>>
>>>> and start it up with
>>>>
>>>> # jail -c thenameofthejail
>>>>
>>>> And another handy tip you can avoid building a jail with make by
>>>> extracting the base.txz file found in places like the install media
>>>> into the jail directory
>> OK, so my jail.conf look like your jail.conf and when I type jls my jail
>> have the IP 192.168.0.12 but when I type ifconfig in my jail I have
>> no ip...
> Is 192.168.0.12 your host IP? The jail needs a different static IP
> address e.g. 182,168.0.13. There are ways around this but usually you
> want a different IP. Each jail and the host have a different IP. The
> setting ip4.addr in jail.conf will cause jail(8) to create an alias
> with the new IP on the NIC specified by interface in jail.conf.
> Destroying the jail with `jail -r  ` removes the alias.
OK, I didn't know jail -r for removing the alias, thanks !
>>> Oh and before I forget, the trickiest thing for me moving from ezjail
>>> to jail was updating. Assuming your jails are complete base systems and
>>> that you would like to use binary updates with freebsd-update, and you
>>> have completely separated jails without any funny tricks to save space,
>>> here is Ike's simple jail update guide:
>>>
>>> edit the jail's freebsd-update.conf and change
>>>
>>> Components src world kernel
>>> -to-
>>> Components world
>>>
>>> then run freebsd-update like so:
>>>
>>> # freebsd-update -b /usr/jails/jaildir \
>>>   -f /usr/jails/jaildir/etc/freebsd-update.conf \
>>>   -d /usr/jails/jaildir/var/db/freebsd-update fetch
>>> # freebsd-update -b /usr/jails/jaildir \
>>>   -f /usr/jails/jaildir/etc/freebsd-update.conf \
>>>   -d /usr/jails/jaildir/var/db/freebsd-update install
>>>
>>> Using the -f flag keeps the jail from using the host config since jails
>>> cannot update kernels anyway. And -d keeps jails and hosts from
>>> trampling each other which is nice if you w

Re: Configuring network without ezjail

2015-12-13 Thread marcel


On 13/12/2015 06:07, James Gritton wrote:
> On 2015-12-12 23:18, marcel wrote:
>> On 12/12/2015 18:10, James Gritton wrote:
>>> On 2015-12-11 18:50, marcel wrote:
>>>> No I don't get to have an IP address... Yet I have written this in my
>>>> host's rc.conf:
>>>>
>>>> jail_enable="YES"
>>>> jail_list="thename"
>>>> jail_guantanamo_rootdir="thepath"
>>>> jail_guantanamo_hostname="thename"
>>>> jail_guantanamo_ip="192.168.0.12"
>>>>
>>>> and I use the command:
>>>>
>>>> jail thepath thename 192.168.0.12 /bin/csh
>>>>
>>>> to connect to my jail...
>>>
>>> Is the jail even created?  You show jail_name as "thename", but the
>>> jail config variables are jail_quantanamo_*.  So when you say
>>> "thename" do you really mean quantanamo?  Because if you don't, then
>>> the jail won't get configured at startup.
>>>
>>> The command you're using to connect to the jail is actually a command
>>> that creates a jail.  That's probably not what you want, as that jail
>>> is likely to disappear again after you exit from it.  You should be
>>> using jexec(8), assuming your jail has been properly created in the
>>> first place.
>>>
>>> Now to the IP address: is your entire box behind some gateway, where
>>> it uses a 192.168 address?  If it isn't, you'll need more than to just
>>> declare such an address - you'll need a jail with vnet, which is
>>> rather more complex.  But if it is, then the question becomes: is
>>> 192.168.0.12 the host address, i.e. are you creating a jail that
>>> shares the host address?  If you are it should work, but most jails
>>> aren't done this way.
>>>
>>> Specifying a jail's IP address only tell which of the host's existing
>>> addresses to use.  If that address isn't already set up, it won't be
>>> used - unless you tell it to.  If you're still using the rc.conf-based
>>> jail specification, you can set jail_interface (or
>>> jail_quantanamo_interface) to the name of the network interface where
>>> the host's main IP address lives (e.g. "em0" or somesuch).  Such a
>>> config line is likely all you need.
>>>
>>> - Jamie
>> Yes, the jail is created with the make installworld, make distribution,
>> jail -c , etc method and I launch it with jail -c guantanamo and connect
>> to it with jexec id shell.
>>
>> Yes, sorry I have badly explained so jail_name="thename", thename is
>> guantanamo.
>>
>> My host is behind a router that provide me an internet access yes and
>> yes 192.168.0.12 is my host ip so yes my jail share the host address.
>> jls command show me this address but ifconfig command (in my jail) show
>> me no address...
>>
>> I've read that in my case I've just need of jail_enable="YES" in my
>> rc.conf... I will add with most of jail_guantanamo* variable and test...
>
> If 192.168.0.12 is your host IP, try creating the jail without IP
> address restrictions.  I don't think you can do that with with the old
> rc.conf-based specification, but with a jail.conf file (or from a
> command line), you just add "ip4=inherit" and don't mention an
> ip4.address at all.  That will create a jail that has access to all of
> the host IP addresses.
>
> - Jamie
I was trying what you said but the remote machine where the jail is on
has gone to shutdown (I don't know why...) and I have to do some
kilometers to turn on and I haven't the time for the moment so subject
is closed for the moment... Thanks a lot for your help, I will try again
the next time...
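
The checks the replies in this thread ask for (is the jail address the host's own, is it on the host's subnet, does the host's ifconfig show it as an alias) can be run in one pass over the host's ifconfig output. This is an added example, not code from the thread; the sample ifconfig text is constructed, and treating the first inet line as the host's main address is an assumption.

```python
import ipaddress
import re

# Constructed sample of `ifconfig re0` output on the host (not from the thread).
SAMPLE_IFCONFIG = """\
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:00:5e:00:53:01
\tinet 192.168.0.12 netmask 0xffffff00 broadcast 192.168.0.255
\tinet 192.168.0.13 netmask 0xffffffff broadcast 192.168.0.13
\tstatus: active
"""

# Matches IPv4 lines only; "inet6 ..." lines do not match "inet " with a space.
INET_RE = re.compile(r"^\s+inet (\S+) netmask (\S+)", re.M)


def host_addresses(ifconfig_text):
    """Return the IPv4 addresses ifconfig lists, in order, with their masks."""
    found = []
    for addr, mask in INET_RE.findall(ifconfig_text):
        if mask.startswith("0x"):  # FreeBSD prints netmasks in hex
            mask = str(ipaddress.IPv4Address(int(mask, 16)))
        found.append(ipaddress.IPv4Interface(f"{addr}/{mask}"))
    return found


def diagnose(ifconfig_text, jail_ip):
    """Classify a jail's ip4.addr against the host interface state."""
    addrs = host_addresses(ifconfig_text)
    if not addrs:
        return "no-ipv4-on-interface"
    jail = ipaddress.IPv4Address(jail_ip)
    primary = addrs[0]  # assumption: first inet line is the host's main address
    if jail == primary.ip:
        # Jail shares the host address; ip4=inherit is the suggestion made here.
        return "shared-with-host"
    if jail not in primary.network:
        # The router only serves the host's subnet.
        return "off-subnet"
    if any(jail == a.ip for a in addrs[1:]):
        # jail(8) added the alias on the configured interface.
        return "alias-present"
    # Address not set up on the host: set `interface` (jail.conf) or
    # jail_interface (rc.conf) so the alias is created with the jail.
    return "alias-missing"


if __name__ == "__main__":
    for ip in ("192.168.0.12", "192.168.0.13", "192.168.0.14", "10.0.0.5"):
        print(ip, diagnose(SAMPLE_IFCONFIG, ip))
```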


Re: Configuring network without ezjail

2015-12-13 Thread marcel


On 13/12/2015 07:50, Sami Halabi wrote:
>
> hi,
> I think you need to configure the ip in the host first later it'll be
> seen in the jail.
>
> using rfc 1918 addresses means you need NAT in your router to have
> access the internet.
> rather than that using the term 'routing' is incorrect unless you have
> multiple hops to get the packets to the router.
>
> Sami
>
The IP on the host works perfectly, internet access too...
But anyway the remote machine on which the jail is on has suddenly
shutdown and I can't turn on for the moment so subject is closed...
Thanks for your help !
>
> On 13 Dec 2015 6:45 AM, "marcel" wrote:
>
>
>
> On 12/12/2015 02:59, Michael B. Eichorn wrote:
> > On Fri, 2015-12-11 at 21:44 -0500, Michael B. Eichorn wrote:
> >> On Sat, 2015-12-12 at 02:08 +, marcel wrote:
> >>> ... and I think I have enabling gateway, I wrote this in both of
> >>> my rc.conf (jail and host):
> >>>
> >>> gateway_enable="YES"
> >>>
> >>> Is it correct ?
> >> You only need gateway_enable if you are doing routing, it is not
> >> necessary for a typical jail setup. Most of the time you are just
> >> adding an alias to the host's nic.
> OK so if I want to my jail can access to internet I have to do
> routing,
> right ?
> >>> But I don't think I have DNS problems, my host correctly access to
> >>> the
> >>> internet and the resolv.conf of my jail and my host are same...
> >>>
> >>> On 12/12/2015 01:50, marcel wrote:
> >>>> No I don't get to have an IP address... Yet I have written this in
> >>>> my host's rc.conf:
> >>>>
> >>>> jail_enable="YES"
> >>>> jail_list="thename"
> >>>> jail_guantanamo_rootdir="thepath"
> >>>> jail_guantanamo_hostname="thename"
> >>>> jail_guantanamo_ip="192.168.0.12"
> >>>>
> >>>> and I use the command:
> >>>>
> >>>> jail thepath thename 192.168.0.12 /bin/csh
> >>>>
> >>>> to connect to my jail...
> >>>>
> >>>> On 11/12/2015 23:31, Dirk Engling wrote:
> >>>>> On 12.12.15 01:19, marcel wrote:
> >>>>>
> >>>>>> I would like to know if it is possible to configure a jail's
> >>>>>> network for accessing to the World Wide Web but without ezjail ?
> >>>>>> I have created my jail without ezjail (mkdir jail, make
> >>>>>> installworld, etc...) and I would like to continue without it
> >>>>>> if it's possible...
> >>>>> Sure, why doesn't it connect to the net? Does it have a RFC1918
> >>>>> IP? If so, you need to enable NAT. If not, did you enable gatewaying?
> >>>>> Maybe you just have DNS problems, so is your resolv.conf set up
> >>>>> properly?
> >>>>>
> >>>>> Without knowing what exactly is not working, I can not help you.
> >>>>>
> >>>>>   erdgeist
> >> I think you found some old instructions, assuming a 10.x system here
> >> is the boilerplate for a typical jail:
> >>
> >> rc.conf:
> >>
> >>   jail_enable="YES"
> >>
> >> jail.conf:
> >>
> >>   interface = re0;
> >>   mount.devfs;
> >>   exec.start = "/bin/sh /etc/rc";
> >>   exec.stop = "/bin/sh /etc/rc.shutdown";
> >>
> >>   thenameofthejail {
> >>     host.hostname = host.domain.tld;
> >>     path = /the/path/to/the/jail;
> >>     ip4.addr = 192.168.0.12;
> >>   }
> >>
> >> and start it up with
> >>
> >> # jail -c thenameofthejail
> >>
> >> And another handy tip you can avoid building a jail with make by
> >> extracting the base.txz file found in places like the install media
> >> into the jail directory
> OK, so my jail.conf look like your jail.conf and when I type jls my jail
> have the IP 192.168.0.12 but when I type ifconfig in my jail I have no ip...
> > Oh and before I forget, the trickiest thing for me moving from ezjail
> > to jail was updating. Assuming your jails are complete base systems and
> > that you would like to use binary updates with freebsd-update, and you
> > have completely separated jails without any funny tricks to save space,
> > here is Ike's simple jail update guide:
> >
> > edit the jail's freebsd-update.conf and change
> >
> > Components src world kernel
> > -to-
> > Components world
> >
> > then run freebsd-update like so:
> >
> > # freebsd-update -b /usr/jails/jaildir \
> >   -f /usr/jails/jaildir/etc/freebsd-update.conf \
> >   -d /usr/jails/jaildir/var/db/freebsd-update fetch
> > # freebsd-update -b /usr/jails/jaildir \
> >   -f /usr/jails/jaildir/etc/freebsd-update.conf \
> >   -d /usr/jails/jaildir/var/db/freebsd-update install
> >
> > Using the -f flag keeps the jail from using the host config since jail

Re: Configuring network without ezjail

2015-12-13 Thread Michael B. Eichorn
On Sun, 2015-12-13 at 18:54 +, marcel wrote:
> 
> On 13/12/2015 14:14, Michael B. Eichorn wrote:
> > On Sun, 2015-12-13 at 05:45 +, marcel wrote:
> > > On 12/12/2015 02:59, Michael B. Eichorn wrote:
> > > > On Fri, 2015-12-11 at 21:44 -0500, Michael B. Eichorn wrote:
> > > > > On Sat, 2015-12-12 at 02:08 +, marcel wrote:
> > > > > > ... and I think I have enabling gateway, I wrote this in both
> > > > > > of my rc.conf (jail and host):
> > > > > > 
> > > > > > gateway_enable="YES"
> > > > > > 
> > > > > > Is it correct ?
> > > > > You only need gateway_enable if you are doing routing, it is not
> > > > > necessary for a typical jail setup. Most of the time you are just
> > > > > adding an alias to the host's nic.
> > > OK so if I want to my jail can access to internet I have to do routing,
> > > right ?
> > No. In your other email you mentioned the host is behind a router, just
> > assign the jail a static ip on the same subnet as the host. The router
> > will treat it very similarly to adding another computer via a switch.
> I've already done this and it doesn't work, jls shows the address I have
> configured but ifconfig shows nothing in the jail, and I still have no
> internet connection in the jail...

Does ifconfig on the host show the jail's ip added as an alias?

> > 
> > > > > > But I don't think I have DNS problems, my host correctly access
> > > > > > to the internet and the resolv.conf of my jail and my host are
> > > > > > same...
> > > > > > 
> > > > > > On 12/12/2015 01:50, marcel wrote:
> > > > > > > No I don't get to have an IP address... Yet I have written
> > > > > > > this in my host's rc.conf:
> > > > > > > 
> > > > > > > jail_enable="YES"
> > > > > > > jail_list="thename"
> > > > > > > jail_guantanamo_rootdir="thepath"
> > > > > > > jail_guantanamo_hostname="thename"
> > > > > > > jail_guantanamo_ip="192.168.0.12"
> > > > > > > 
> > > > > > > and I use the command:
> > > > > > > 
> > > > > > > jail thepath thename 192.168.0.12 /bin/csh
> > > > > > > 
> > > > > > > to connect to my jail...
> > > > > > > 
> > > > > > > On 11/12/2015 23:31, Dirk Engling wrote:
> > > > > > > > On 12.12.15 01:19, marcel wrote:
> > > > > > > > 
> > > > > > > > > I would like to know if it is possible to configure a
> > > > > > > > > jail's network for accessing to the World Wide Web but
> > > > > > > > > without ezjail ?
> > > > > > > > > I have created my jail without ezjail (mkdir jail, make
> > > > > > > > > installworld, etc...) and I would like to continue
> > > > > > > > > without it if it's possible...
> > > > > > > > Sure, why doesn't it connect to the net? Does it have a
> > > > > > > > RFC1918 IP? If so, you need to enable NAT. If not, did you
> > > > > > > > enable gatewaying? Maybe you just have DNS problems, so is
> > > > > > > > your resolv.conf set up properly?
> > > > > > > > 
> > > > > > > > Without knowing what exactly is not working, I can not help
> > > > > > > > you.
> > > > > > > > 
> > > > > > > >   erdgeist
> > > > > I think you found some old instructions, assuming a 10.x system
> > > > > here is the boilerplate for a typical jail:
> > > > > 
> > > > > rc.conf:
> > > > > 
> > > > >   jail_enable="YES"
> > > > > 
> > > > > jail.conf:
> > > > > 
> > > > >   interface = re0;
> > > > >   mount.devfs;
> > > > >   exec.start = "/bin/sh /etc/rc";
> > > > >   exec.stop = "/bin/sh /etc/rc.shutdown";
> > > > > 
> > > > >   thenameofthejail {
> > > > >     host.hostname = host.domain.tld;
> > > > >     path = /the/path/to/the/jail;
> > > > >     ip4.addr = 192.168.0.12;
> > > > >   }
> > > > > 
> > > > > and start it up with
> > > > > 
> > > > > # jail -c thenameofthejail
> > > > > 
> > > > > And another handy tip you can avoid building a jail with make by
> > > > > extracting the base.txz file found in places like the install
> > > > > media into the jail directory
> > > OK, so my jail.conf look like your jail.conf and when I type jls my
> > > jail have the IP 192.168.0.12 but when I type ifconfig in my jail I
> > > have no ip...
> > Is 192.168.0.12 your host IP? The jail needs a different static IP
> > address e.g. 182,168.0.13. There are ways around this but usually you
> > want a different IP. Each jail and the host have a different IP. The
> > setting ip4.addr in jail.conf will cause jail(8) to create an alias
> > with the new IP on the NIC specified by interface in jail.conf.
> > Destroying the jail with `jail -r  ` removes the alias.
> OK, I didn't know jail -r for removing the alias, thanks !

Not just removing the alias, `jail -c ` starts the jail
 configured in jail.conf, `jail -r ` stops the