Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Dave B via freebsd-jail
On 14/12/16 03:21, Ian Smith wrote:
> On Wed, 14 Dec 2016 10:09:58 +0800, Ernie Luzar wrote:
>
>  > I recommend you check out these ports,
>  > jail-primer gives background on jails across Freebsd releases.
>  > qjail a utility that simplifies jail admin.
>
> Joe Barbish,
>
> please stop using responses to people's issues to advertise your ports.
>
> Ian
> ___
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"

Why the hatred for QJail?  It is very well documented, works, and the
result is stable.  Heck, it was even featured in the BSD Mag' (where I
learnt about it) a couple of years ago, and have been happily using it
since for a personal web server.

Regards.

Dave B.



Re: Closing ports in jail with ipfw

2016-12-14 Thread marcel
On Mon, 05 Dec 2016 08:31:19 +0800,
Ernie Luzar  wrote:

> marcel wrote:
> > Hi there,
> > 
> > I've created a jail and when I do an nmap on its IP, I can see that
> > ports 25 and 22 are open, which I don't want. So I've tried to create
> > an IPFW rule by adding 'ipfw -q add 00290 deny all from router to
> > jail' to my host ipfw conf file and applied it, but the jail's ports
> > are still open. How can I close or open the ports of my jail?
> > 
> > Thanks !  
> 
> You can not run nmap on the host targeting the jail's IP. Doing so
> only shows you open ports on the host. You have to run nmap from a
> computer on a different public IP address targeting the public IP
> address assigned to the jail. If the jail is using a non-routable IP
> address, nmap is useless in looking for jail open ports.

Hi! Sorry for the silence, I was not able to answer. Yeah, I understand;
maybe netstat -an in the jail is more useful? When I do that I see ports
25 and 514 are open. I haven't looked yet at what this port 514 is, but I
imagine both of these ports are not closable (or it's not advised),
isn't it?

Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Valeri Galtsev

On Tue, December 13, 2016 10:47 pm, Isaac (.ike) Levy wrote:
> Hi Valeri,
>
>> On Dec 13, 2016, at 5:03 PM, Valeri Galtsev 
>> wrote:
>>
>> On Tue, December 13, 2016 2:14 pm, Isaac (.ike) Levy wrote:
>>> Hi All,
>>>
>>> Can I specify multiple IP interfaces and assign IP’s to them using
>>> jail.conf?
>>> I have jails with IPv4/IPv6 addresses on multiple physical interfaces,
>>> as
>>> well as assigning a loopback.
>>
>> Last time I tried it which was about year and a half ago the answer was:
>
> Just to clarify your answer,
>
>> no, this is not possible. Jail can only have one IP address (in addition
>> to loopback addresses).
>
> Do you mean this just for jail.conf configuration/usage?

No, that was earlier, in /etc/rc.conf. Since then I've heard that it can
be done on the jail command line, though I never tried, as I kind of prefer
all my stuff done in a "generic" and uniform way; something done on the
command line that does not work in central configuration files, be it
/etc/rc.conf or /etc/jail.conf, feels like a hack to me, so I tend to avoid it.

Valeri

>
> If so, from all I’ve read and tried, that makes complete sense, and
> makes me sad as it prevents me from using the slickness of jail.conf(1)
> and jail_set(2) - not yet :)
>
> --
> However, to be very clear for the list archive, jails can most definitely
> have many IP addresses, (since between FreeBSD 7 and 8 I believe?),
> including loopback, (which is just an IP address like any other),
>
> For example,
>
> # ifconfig em0 inet alias 10.10.10.10/32
> # ifconfig em1 inet alias 10.10.10.11/32
> # ifconfig lo0 inet alias 127.0.0.11/32
> # ifconfig em0 inet6 alias 2:2:2:2::10 prefixlen 64
> # jail -c path=/some/place host.hostname=myjail \
>     ip4.addr="10.10.10.10,10.10.10.11,127.0.0.11" ip6.addr="2:2:2:2::10" \
>     command=/bin/sh /etc/rc
>
> Best,
> .ike
>
>



Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Valeri Galtsev

On Tue, December 13, 2016 11:43 pm, Allan Jude wrote:
> On 2016-12-13 23:47, Isaac (.ike) Levy wrote:
>> Hi Valeri,
>>
>>> On Dec 13, 2016, at 5:03 PM, Valeri Galtsev 
>>> wrote:
>>>
>>> On Tue, December 13, 2016 2:14 pm, Isaac (.ike) Levy wrote:
>>>> Hi All,
>>>>
>>>> Can I specify multiple IP interfaces and assign IP's to them
>>>> using
>>>> jail.conf?
>>>> I have jails with IPv4/IPv6 addresses on multiple physical interfaces,
>>>> as
>>>> well as assigning a loopback.
>>>
>>> Last time I tried it which was about year and a half ago the answer
>>> was:
>>
>> Just to clarify your answer,
>>
>>> no, this is not possible. Jail can only have one IP address (in
>>> addition
>>> to loopback addresses).
>>
>> Do you mean this just for jail.conf configuration/usage?
>>
>> If so, from all I’ve read and tried, that makes complete sense, and
>> makes me sad as it prevents me from using the slickness of jail.conf(1)
>> and jail_set(2) - not yet :)
>>
>> --
>> However, to be very clear for the list archive, jails can most
>> definitely have many IP addresses, (since between FreeBSD 7 and 8 I
>> believe?), including loopback, (which is just an IP address like any
>> other),
>>
>> For example,
>>
>> # ifconfig em0 inet alias 10.10.10.10/32
>> # ifconfig em1 inet alias 10.10.10.11/32
>> # ifconfig lo0 inet alias 127.0.0.11/32
>> # ifconfig em0 inet6 alias 2:2:2:2::10 prefixlen 64
>> # jail -c path=/some/place host.hostname=myjail \
>>     ip4.addr="10.10.10.10,10.10.10.11,127.0.0.11" ip6.addr="2:2:2:2::10" \
>>     command=/bin/sh /etc/rc
>>
>> Best,
>> .ike
>>
>>
>>
>
> In ezjail I can just do this:
>

Of course, it is great to learn that some tools can do this or that.
However, this is only helpful to those who are still choosing what to use
for the future. Once your choice is made, you (at least I) kind of avoid
jumping over to doing something using different tools, especially what is
already done some specific way on your production machine.

I guess what I'm trying to say is: don't be surprised if the OP finds your
effort to help him ultimately useless.

Incidentally, I for one set up jails "by the book", not by using some tool
which does it all for me behind the scenes. So, references to any tools
kind of set me off (hence this reply of mine ;-)

Just my $0.02.

Valeri

>
> export jail_something_scaleengine_net_ip="vlan43|10.0.0.17,vlan43|2001:470:1::1:6667,lo0|127.0.3.1"
>
> If you include the interface name like that, it will automatically add
> the alias when the jail starts, and remove it when the jail stops
> (simplifying the task of moving the jail to a different host)
>
> If the IP is already bound to the machine, just use the comma separated
> list of IPs.
>
>
> --
> Allan Jude
>
>






Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Isaac (.ike) Levy

> On Dec 14, 2016, at 8:31 AM, Valeri Galtsev  wrote:
> 
>>> no, this is not possible. Jail can only have one IP address (in addition
>>> to loopback addresses).
>> 
>> Do you mean this just for jail.conf configuration/usage?
> 
> No, that was earlier, in /etc/rc.conf. Since then I've heard that it can
> be done on jail command line, though I never tried as I kind of prefer all
> my stuff done "generic" and uniform way, something done on command line
> what does not work in central configuration files be it /etc/rc.conf or
> /etc/jail.conf feels like hack to me, so I tend to avoid it.
> 
> Valeri

Thanks for clarifying Valeri- that makes complete sense.

My first impression of jail.conf is simply that it’s not quite complete in all 
the ways I need, yet it is certainly quite simple, UNIX-ish, and clean!  After 
hacking around with it, think that jail.conf is only a few features away from 
being something I’d consider to be an excellent base utility for 
starting/stopping my jailed systems.

Best,
.ike



Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Isaac (.ike) Levy
Hi Allan,

> On Dec 14, 2016, at 12:43 AM, Allan Jude  wrote:
> 
> In ezjail I can just do this:
> 
> 
> export jail_something_scaleengine_net_ip="vlan43|10.0.0.17,vlan43|2001:470:1::1:6667,lo0|127.0.3.1"
> 
> If you include the interface name like that, it will automatically add
> the alias when the jail starts, and remove it when the jail stops
> (simplifying the task of moving the jail to a different host)
> 
> If the IP is already bound to the machine, just use the comma separated
> list of IPs.
> 
> 
> -- 
> Allan Jude

While I appreciate the post, and the syntax is certainly cool to see, my 
question is not about ezjail- I would ask questions about ezjail on whatever 
respective list there is for that project.

My question is about the relatively new and slick jail.conf(1) and jail_set(2) 
subsystems in base.

Best,
.ike


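Both the jail -c ... ip4.addr="10.10.10.10,10.10.10.11,127.0.0.11" command line quoted earlier in this thread and ezjail's vlan43|10.0.0.17 notation have a direct equivalent in the base system: jail(8) accepts each ip4.addr/ip6.addr entry in the form interface|address/netmask, adds the alias to that interface when the jail is created and removes it again when the jail is removed, and jail.conf(5) lets a list be built up with +=. The fragment below is an added example written for this thread, not taken from any of the posts; the jail name, path, interface names and addresses are the placeholders from Ike's command above.

```conf
# /etc/jail.conf: a non-VNET jail with addresses on two physical
# interfaces plus its own loopback alias. Added example for this thread;
# jail name, path, interface names and addresses are placeholders.
myjail {
    path          = "/some/place";
    host.hostname = "myjail";

    # "interface|address/netmask": the jail(8) utility runs the ifconfig
    # alias for you when the jail is created and removes it when the jail
    # is removed, so nothing has to be pre-configured on the host (the
    # same idea as ezjail's iface|ip). Only the bare addresses reach the
    # kernel; the interface prefix is consumed by jail(8).
    ip4.addr  = "em0|10.10.10.10/32";
    ip4.addr += "em1|10.10.10.11/32";
    ip4.addr += "lo0|127.0.0.11/32";
    ip6.addr  = "em0|2:2:2:2::10/64";

    # If the aliases are already configured on the host, drop the
    # "interface|" prefix and give the bare, comma separated list instead.

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
}
```

jail -f /etc/jail.conf -c myjail creates it; jls -j myjail ip4.addr ip6.addr shows exactly what the kernel was handed, and ifconfig em0 on the host shows the alias present while the jail runs and gone again after jail -r myjail. Order matters for ip4.addr: inside a non-VNET jail, 127.0.0.1 and wildcard binds are mapped to the first IPv4 address listed, so put the address you want local daemons to land on first.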


Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Isaac (.ike) Levy

>> In ezjail I can just do this:
>> 
> 
> Of course, it is great to learn that some tools can do this or that.
> However, this only is helpful to those who are just choosing what to use
> for the future. Once your choice is made, you (at least I) kind of avoid
> jumping over to doing something using different tools, especially what is
> already done some specific way on your production machine.
> 
> I guess, what I'm trying to say is: don't be surprised if OP finds your
> effort to help him ultimately useless.
> 
> Incidentally, I for one set up jails "by the book", not by using some tool
> which does it all for me behind the scenes. So, reference to any tools are
> kind of set me off (hence this my reply ;-)
> 
> Just my $0.02.
> 
> Valeri

Sorry to drag this out further, but Valeri is spot on here.

Sorry to indulge and repeat in my own words: after using jail(8) heavily since 
1999, and even helping run one of the earliest jail-based ISPs, I am a bit 
taken aback to see such a propensity toward suggesting 3rd party tooling on this 
list, particularly as it does not answer my original question.

Has everyone been using so many 3rd party tools for jailing for so long that 
we’ve forgotten how jail(8) works, to the point that my original question can’t 
even be recognized?  A question not worth answering, but certainly worth 
pondering!  I’m not arguing against the use of nice 3rd party tools, but I do 
want to make it very clear that they are not required for heavy or even light 
jailing.

The strength of jail(8) and jail(2), even before important features like 
multiple IPs and per-jail securelevels etc., was always that it's just another 
small piece of the UNIX ecosystem; jail(8) was strong because the *entire* 
base system made it strong.
For example: before multiple jail IPs, we'd often simply NAT addresses on the 
jailing host itself; a bit of scripting around ifconfig(8) made it simple for our 
environment. Before base provided per-jail devfs rulesets (and even before 
devfs), we'd simply make and delete packs of '/dev' tarballs for various jails, 
removing the devices which were inappropriate for our applied need. I could go 
on forever, but nearly everything one could need in a jailed system can always 
be set up using other base tools and the UNIX philosophy.

Even today, jail(8) is still trivially scriptable for starting/stopping and 
managing many jails.  For my use, just using the base system is preferable over 
3rd party tooling because I know exactly what I want to do, and with common 
UNIX knowledge I can manage hundreds and thousands of jails across multiple 
hardware hosts, with nothing but the base system.  3rd party tools can be 
wonderful, but over the 17+ years I’ve been using FreeBSD jail(8), many 3rd 
party tools have come and gone, and changed a great deal- but the base UNIX 
system has not fundamentally changed.  I mean, even many jail related scripts I 
wrote in 1999 are still completely functional and relevant.

Best,
.ike



Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Michael Grimm
Isaac (.ike) Levy  wrote:

> Can I specify multiple IP interfaces and assign IP’s to them using jail.conf?

Not sure if I understand your question correctly, but I do define the following 
in my jail.conf for VNET jails:

#
# host dependent global settings
#
$ip6prefixLOCAL  = "fd00:dead:beef:1234";

#
# global jail settings
#
host.hostname= "${name}";
path = "/usr/home/jails/${name}";
mount.fstab  = "/etc/fstab.${name}";
exec.consolelog  = "/var/log/jail_${name}_console.log";
vnet = "new";
vnet.interface   = "epair${jailID}b";
exec.clean;
mount.devfs;
persist;

#
# network settings to apply/destroy during start/stop of every jail
#
exec.prestart= "sleep 2";
exec.prestart   += "/sbin/ifconfig epair${jailID} create up";
exec.prestart   += "/sbin/ifconfig bridge0 addm epair${jailID}a";
exec.start   = "/sbin/sysctl net.inet6.ip6.dad_count=0";
exec.start  += "/sbin/ifconfig lo0 127.0.0.1 up";
exec.start  += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
exec.start  += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
exec.start  += "/sbin/route add default -gateway 10.1.1.254";
exec.start  += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
exec.stop= "/sbin/route del default";
exec.stop   += "/sbin/route del -inet6 default";
exec.stop   += "/bin/sh /etc/rc.shutdown";
exec.poststop= "/sbin/ifconfig epair${jailID}a destroy";

#
# individual jail settings
#
dns {
$jailID  = 1;
$ip4_addr= 10.1.1.1;
$ip4_addr_2  = 10.1.1.2;
$ip6_addr= ${ip6prefixLOCAL}::1/64;
$ip6_addr_2  = ${ip6prefixLOCAL}::2/64;
exec.start  += "/sbin/ifconfig epair${jailID}b inet  ${ip4_addr_2} alias";
exec.start  += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr_2} alias";
exec.start  += "/bin/sh /etc/rc";
}

etc.



Again, not sure if I do understand your issue correctly, but the shown examples 
of exec.start, exec.stop, etc. are quite versatile to use.

I do start/stop my jails by "service jail start/stop".

Hope that helps,
Michael




Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Isaac (.ike) Levy
Wow, that’s rad Michael,

> On Dec 14, 2016, at 3:30 PM, Michael Grimm  wrote:
> 
> Isaac (.ike) Levy  wrote:
> 
>> Can I specify multiple IP interfaces and assign IP’s to them using jail.conf?
> 
> Not sure if I understand your question correctly, but I do define the 
> following in my jail.conf for VNET jails:
> 
> #
> # host dependent global settings
> #
> $ip6prefixLOCAL= "fd00:dead:beef:1234";
> 
> #
> # global jail settings
> #
> host.hostname  = "${name}";
> path   = "/usr/home/jails/${name}";
> mount.fstab= "/etc/fstab.${name}";
> exec.consolelog= "/var/log/jail_${name}_console.log";
> vnet   = "new";
> vnet.interface = "epair${jailID}b";
> exec.clean;
> mount.devfs;
> persist;
> 
> #
> # network settings to apply/destroy during start/stop of every jail
> #
> exec.prestart  = "sleep 2";
> exec.prestart += "/sbin/ifconfig epair${jailID} create up";
> exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
> exec.start = "/sbin/sysctl net.inet6.ip6.dad_count=0";
> exec.start+= "/sbin/ifconfig lo0 127.0.0.1 up";
> exec.start+= "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
> exec.start+= "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
> exec.start+= "/sbin/route add default -gateway 10.1.1.254";
> exec.start+= "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
> exec.stop  = "/sbin/route del default";
> exec.stop += "/sbin/route del -inet6 default";
> exec.stop += "/bin/sh /etc/rc.shutdown";
> exec.poststop  = "/sbin/ifconfig epair${jailID}a destroy";
> 
> #
> # individual jail settings
> #
> dns {
>   $jailID  = 1;
>   $ip4_addr= 10.1.1.1;
>   $ip4_addr_2  = 10.1.1.2;
>   $ip6_addr= ${ip6prefixLOCAL}::1/64;
>   $ip6_addr_2  = ${ip6prefixLOCAL}::2/64;
>   exec.start  += "/sbin/ifconfig epair${jailID}b inet  ${ip4_addr_2} alias";
>   exec.start  += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr_2} alias";
>   exec.start  += "/bin/sh /etc/rc";
> }
> 
> etc.

I’ll need to study/look up some of that syntax, to fully grok this, but that 
comprehensive example appears to hit the nail on the head several times over 
with the exec.start/exec.stop action.

Two questions though:

- I’m confused how you define the shell style $ variables in your individual 
jail settings above, e.g. ‘$ip4_addr_2 = 10.1.1.2;’, why/how does that work?  
Is that a variable to be expanded, or some other behavior?

> Again, not sure if I do understand your issue correctly, but the shown 
> examples of exec.start, exec.stop, etc. are quite versatile to use.
> 
> I do start/stop my jails by "service jail start/stop”.

- Obviously you state you’re using service to start/stop jails, but shouldn’t 
this work with ‘jail -c ’, or are these subsystems not interoperable?

Thanks!

Best,
.ike



> 
> Hope that helps,
> Michael
> 
> 
> 

Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Michael Grimm
Isaac (.ike) Levy  wrote

> Wow, that’s rad Michael,
> 
>> On Dec 14, 2016, at 3:30 PM, Michael Grimm  wrote:
>> 
>> Isaac (.ike) Levy  wrote:
>> 
>>> Can I specify multiple IP interfaces and assign IP’s to them using 
>>> jail.conf?
>> 
>> Not sure if I understand your question correctly, but I do define the 
>> following in my jail.conf for VNET jails:
>> 
>> #
>> # host dependent global settings
>> #
>> $ip6prefixLOCAL   = "fd00:dead:beef:1234";
>> 
>> #
>> # global jail settings
>> #
>> host.hostname = "${name}";
>> path  = "/usr/home/jails/${name}";
>> mount.fstab   = "/etc/fstab.${name}";
>> exec.consolelog   = "/var/log/jail_${name}_console.log";
>> vnet  = "new";
>> vnet.interface= "epair${jailID}b";
>> exec.clean;
>> mount.devfs;
>> persist;
>> 
>> #
>> # network settings to apply/destroy during start/stop of every jail
>> #
>> exec.prestart = "sleep 2";
>> exec.prestart+= "/sbin/ifconfig epair${jailID} create up";
>> exec.prestart+= "/sbin/ifconfig bridge0 addm epair${jailID}a";
>> exec.start= "/sbin/sysctl net.inet6.ip6.dad_count=0";
>> exec.start   += "/sbin/ifconfig lo0 127.0.0.1 up";
>> exec.start   += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
>> exec.start   += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
>> exec.start   += "/sbin/route add default -gateway 10.1.1.254";
>> exec.start   += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
>> exec.stop = "/sbin/route del default";
>> exec.stop+= "/sbin/route del -inet6 default";
>> exec.stop+= "/bin/sh /etc/rc.shutdown";
>> exec.poststop = "/sbin/ifconfig epair${jailID}a destroy";
>> 
>> #
>> # individual jail settings
>> #
>> dns {
>>  $jailID  = 1;
>>  $ip4_addr= 10.1.1.1;
>>  $ip4_addr_2  = 10.1.1.2;
>>  $ip6_addr= ${ip6prefixLOCAL}::1/64;
>>  $ip6_addr_2  = ${ip6prefixLOCAL}::2/64;
>>  exec.start  += "/sbin/ifconfig epair${jailID}b inet  ${ip4_addr_2} alias";
>>  exec.start  += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr_2} alias";
>>  exec.start  += "/bin/sh /etc/rc";
>> }
>> 
>> etc.
> 
> I’ll need to study/look up some of that syntax, to fully grok this, but that 
> comprehensive example appears to hit the nail on the head several times over 
> with the exec.start/exec.stop action.
> 
> Two questions though:
> 
> - I’m confused how you define the shell style $ variables in your individual 
> jail settings above, e.g. ‘$ip4_addr_2 = 10.1.1.2;’, why/how does that work?  
> Is that a variable to be expanded, or some other behavior?

This is described in jail.conf(5) under the section "variables". I do have 10 
jails running, and those $ variables/parameters are very helpful, indeed.

>> Again, not sure if I do understand your issue correctly, but the shown 
>> examples of exec.start, exec.stop, etc. are quite versatile to use.
>> 
>> I do start/stop my jails by "service jail start/stop”.
> 
> - Obviously you state you’re using service to start/stop jails, but shouldn’t 
> this work with ‘jail -c ’, or are these subsystems not 
> interoperable?

Hmm. I do have to admit that I never tried 'jail -c ', but I just 
gave it a try, and yes, it works as well :-) 

I do use "service jail start/stop" because that will obey my pre-defined 
starting/stopping order of jails (which I do need to have, e.g. dns before mail 
and such) in /etc/rc.conf

jail_enable="YES"
jail_reverse_stop="YES"
jail_list="dns mail ..."

Regards,
Michael


Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Isaac (.ike) Levy
Wow,

> On Dec 14, 2016, at 3:53 PM, Michael Grimm  wrote:
> 
>> Two questions though:
>> 
>> - I’m confused how you define the shell style $ variables in your individual 
>> jail settings above, e.g. ‘$ip4_addr_2 = 10.1.1.2;’, why/how does that work? 
>>  Is that a variable to be expanded, or some other behavior?
> 
> This is described in jail.conf(5) under the section "variables". I do have 10 
> jails running, and those $ variables/parameters are very helpful, indeed.

I get it, the man page explained it well.

> 
>>> Again, not sure if I do understand your issue correctly, but the shown 
>>> examples of exec.start, exec.stop, etc. are quite versatile to use.
>>> 
>>> I do start/stop my jails by "service jail start/stop”.
>> 
>> - Obviously you state you’re using service to start/stop jails, but 
>> shouldn’t this work with ‘jail -c ’, or are these subsystems not 
>> interoperable?
> 
> Hmm. I do have to admit that I never tried 'jail -c ', but I just 
> gave it a try, and yes, it works as well :-) 
> 
> I do use "service jail start/stop" because that will obey my pre-defined 
> starting/stopping order of jails (which I do need to have, e.g. dns before 
> mail and such) in /etc/rc.conf
> 
>   jail_enable="YES"
>   jail_reverse_stop="YES"
>   jail_list="dns mail …”

Awesome!  For my use, I’m averse to starting jails at host boot- so I’m really 
excited this works.

Thanks so much Michael- this totally answered my question, I’m back on the 
right path to using jail.conf with my setup!

Best,
.ike




Re: multiple interfaces for jail.conf(1) and jail_set(2)

2016-12-14 Thread Michael Grimm
Isaac (.ike) Levy  wrote:

>> I do use "service jail start/stop" because that will obey my pre-defined 
>> starting/stopping order of jails (which I do need to have, e.g. dns before 
>> mail and such) in /etc/rc.conf
>> 
>>  jail_enable="YES"
>>  jail_reverse_stop="YES"
>>  jail_list="dns mail …”
> 
> Awesome!  For my use, I’m averse to starting jails at host boot- so I’m 
> really excited this works.

It works very well (for quite some years now).

> Thanks so much Michael- this totally answered my question, I’m back on the 
> right path to using jail.conf with my setup!

You are welcome, and I am glad having been able to help (as I have been helped 
by others before).

Regards,
Michael


Re: Closing ports in jail with ipfw

2016-12-14 Thread Ernie Luzar

marcel wrote:
> On Mon, 05 Dec 2016 08:31:19 +0800,
> Ernie Luzar  wrote:
>
> > marcel wrote:
> > > Hi there,
> > >
> > > I've created a jail and when I do an nmap on its IP, I can see that
> > > ports 25 and 22 are open, which I don't want. So I've tried to create
> > > an IPFW rule by adding 'ipfw -q add 00290 deny all from router to
> > > jail' to my host ipfw conf file and applied it, but the jail's ports
> > > are still open. How can I close or open the ports of my jail?
> > >
> > > Thanks!
> >
> > You can not run nmap on the host targeting the jail's IP. Doing so
> > only shows you open ports on the host. You have to run nmap from a
> > computer on a different public IP address targeting the public IP
> > address assigned to the jail. If the jail is using a non-routable IP
> > address, nmap is useless in looking for jail open ports.
>
> Hi! Sorry for the silence, I was not able to answer. Yeah, I understand;
> maybe netstat -an in the jail is more useful? When I do that I see ports
> 25 and 514 are open. I haven't looked yet at what this port 514 is, but I
> imagine both of these ports are not closable (or it's not advised),
> isn't it?



On the host port 25 is sendmail and port 514 is syslog.

https://www.grc.com/port_514.htm

The syslog server opens port 514 and listens for incoming syslog event 
notifications (carried by UDP protocol packets) generated by remote 
syslog clients. Any number of client devices can be programmed to send 
syslog event messages to whatever servers they choose.


This defaults to off on a clean install of FreeBSD.
You must have a statement in your /etc/rc.conf file that enables it.


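As an added example for this subthread (not taken from any of the posts), the two listeners marcel saw with netstat -an from inside the jail correspond to two knobs in the jail's own /etc/rc.conf, shown here with the shipped default next to the closed-down setting. The variable names and the syslogd flags are the documented ones from /etc/defaults/rc.conf and syslogd(8); the jail name used in the checks afterwards is a placeholder.

```conf
# The jail's own /etc/rc.conf. Added example; the commented-out defaults
# are what /etc/defaults/rc.conf ships, everything else is illustrative.

# *.514 in "netstat -an": syslogd. The shipped default flag is "-s",
# which refuses messages from remote hosts but still opens the UDP
# socket, so the port shows as listening even though nothing is accepted.
#syslogd_flags="-s"             # default: socket open, remote input ignored
syslogd_flags="-ss"             # -ss: open no network socket at all (syslogd(8))

# *.25 in "netstat -an": sendmail's local submission daemon. It binds
# 127.0.0.1:25, and in a non-VNET jail the kernel maps 127.0.0.1 to the
# jail's first IP address, which is why the listener turns up there.
#sendmail_submit_enable="YES"   # default
sendmail_enable="NO"            # no inbound MTA
sendmail_submit_enable="NO"     # no 127.0.0.1:25 submission listener
sendmail_outbound_enable="NO"   # no outbound queue runner
sendmail_msp_queue_enable="NO"  # no client-side MSP queue runner
```

After service syslogd restart and service sendmail stop inside the jail (or a jail restart), check from the host rather than with nmap, which as Ernie notes only reports the host's view: sockstat -4 -6 -l -j $(jls -j myjail jid) lists every listening socket that belongs to that jail, and jexec myjail sockstat -4 -6 -l shows the same from inside. With all four sendmail knobs off, mail generated inside the jail by cron and periodic(8) has no daemon left to deliver it, so either accept that or install another MTA there.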