Re: multiple interfaces for jail.conf(1) and jail_set(2)
On 14/12/16 03:21, Ian Smith wrote:
> On Wed, 14 Dec 2016 10:09:58 +0800, Ernie Luzar wrote:
>
> > I recommend you check out these ports,
> > jail-primer gives background on jails across Freebsd releases.
> > qjail a utility that simplifies jail admin.
>
> Joe Barbish,
>
> please stop using responses to people's issues to advertise your ports.
>
> Ian

Why the hatred for QJail? It is very well documented, works, and the result is stable. Heck, it was even featured in the BSD Mag' (where I learnt about it) a couple of years ago, and have been happily using it since for a personal web server.

Regards.
Dave B.
___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Closing ports in jail with ipfw
On Mon, 05 Dec 2016 08:31:19 +0800, Ernie Luzar wrote:
> marcel wrote:
> > Hi there,
> >
> > I've created a jail and when I do a nmap on his IP, I can see that
> > port 25 and 22 are open but I don't want. So i've tried to create
> > an IPFW rule by adding 'ipfw -q add 00290 deny all from router to
> > jail' to my host ipfw conf file and applied it but ports jail are
> > still open. How can I close or open the ports of my jail ?
> >
> > Thanks !
>
> You can not run nmap on the host targeting the jails ip. Doing so
> only shows you open ports on the host. You have to run nmap from a
> computer on a different public ip address targeting the public ip
> address assigned to the jail. If jail is using a non-routeable ip
> address, nmap is useless in looking for jail open ports.

Hi !

Sorry for silence, I was not able to answer.

Yeah I understand, maybe netstat -an in jail is more useful ? When I do that I see port 25 and 514 are open but if I haven't looked yet what is this port 514 I imagine both of these ports are not closable (or it's not advised) isn't it ?
Re: multiple interfaces for jail.conf(1) and jail_set(2)
On Tue, December 13, 2016 10:47 pm, Isaac (.ike) Levy wrote:
> Hi Valeri,
>
>> On Dec 13, 2016, at 5:03 PM, Valeri Galtsev wrote:
>>
>> On Tue, December 13, 2016 2:14 pm, Isaac (.ike) Levy wrote:
>>> Hi All,
>>>
>>> Can I specify multiple IP interfaces and assign IP's to them using
>>> jail.conf?
>>> I have jails with IPv4/IPv6 addresses on multiple physical interfaces,
>>> as well as assigning a loopback.
>>
>> Last time I tried it which was about year and a half ago the answer was:
>
> Just to clarify your answer,
>
>> no, this is not possible. Jail can only have one IP address (in addition
>> to loopback addresses).
>
> Do you mean this just for jail.conf configuration/usage?

No, that was earlier, in /etc/rc.conf. Since then I've heard that it can be done on jail command line, though I never tried as I kind of prefer all my stuff done "generic" and uniform way, something done on command line what does not work in central configuration files be it /etc/rc.conf or /etc/jail.conf feels like hack to me, so I tend to avoid it.

Valeri

> If so, from all I've read and tried, that makes complete sense, and
> makes me sad as it prevents me from using the slickness of jail.conf(1)
> and jail_set(2) - not yet :)
>
> --
> However, to be very clear for the list archive, jails can most definitely
> have many IP addresses, (since between FreeBSD 7 and 8 I believe?),
> including loopback, (which is just an IP address like any other),
>
> For example,
>
> # ifconfig em0 inet alias 10.10.10.10/32
> # ifconfig em1 inet alias 10.10.10.11/32
> # ifconfig lo0 inet alias 127.0.0.11/32
> # ifconfig em0 inet6 alias 2:2:2:2::10 prefixlen 64
> # jail -c path=/some/place host.hostname=myjail
> ip4.addr="10.10.10.10,10.10.10.11,127.0.0.11" ip6.addr="2:2:2:2::10"
> command=/bin/sh /etc/rc
>
> Best,
> .ike

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: multiple interfaces for jail.conf(1) and jail_set(2)
On Tue, December 13, 2016 11:43 pm, Allan Jude wrote:
> On 2016-12-13 23:47, Isaac (.ike) Levy wrote:
>> Hi Valeri,
>>
>>> On Dec 13, 2016, at 5:03 PM, Valeri Galtsev wrote:
>>>
>>> On Tue, December 13, 2016 2:14 pm, Isaac (.ike) Levy wrote:
>>>> Hi All,
>>>>
>>>> Can I specify multiple IP interfaces and assign IP's to them using
>>>> jail.conf? I have jails with IPv4/IPv6 addresses on multiple physical
>>>> interfaces, as well as assigning a loopback.
>>>
>>> Last time I tried it which was about year and a half ago the answer
>>> was:
>>
>> Just to clarify your answer,
>>
>>> no, this is not possible. Jail can only have one IP address (in
>>> addition to loopback addresses).
>>
>> Do you mean this just for jail.conf configuration/usage?
>>
>> If so, from all I've read and tried, that makes complete sense, and
>> makes me sad as it prevents me from using the slickness of jail.conf(1)
>> and jail_set(2) - not yet :)
>>
>> --
>> However, to be very clear for the list archive, jails can most
>> definitely have many IP addresses, (since between FreeBSD 7 and 8 I
>> believe?), including loopback, (which is just an IP address like any
>> other),
>>
>> For example,
>>
>> # ifconfig em0 inet alias 10.10.10.10/32
>> # ifconfig em1 inet alias 10.10.10.11/32
>> # ifconfig lo0 inet alias 127.0.0.11/32
>> # ifconfig em0 inet6 alias 2:2:2:2::10 prefixlen 64
>> # jail -c path=/some/place host.hostname=myjail
>> ip4.addr="10.10.10.10,10.10.10.11,127.0.0.11" ip6.addr="2:2:2:2::10"
>> command=/bin/sh /etc/rc
>>
>> Best,
>> .ike
>
> In ezjail I can just do this:

Of course, it is great to learn that some tools can do this or that. However, this only is helpful to those who are just choosing what to use for the future. Once your choice is made, you (at least I) kind of avoid jumping over to doing something using different tools, especially what is already done some specific way on your production machine.

I guess, what I'm trying to say is: don't be surprised if OP finds your effort to help him ultimately useless.

Incidentally, I for one set up jails "by the book", not by using some tool which does it all for me behind the scenes. So, reference to any tools are kind of set me off (hence this my reply ;-)

Just my $0.02.

Valeri

> export
> jail_something_scaleengine_net_ip="vlan43|10.0.0.17,vlan43|2001:470:1::1:6667,lo0|127.0.3.1"
>
> If you include the interface name like that, it will automatically add
> the alias when the jail starts, and remove it when the jail stops
> (simplifying the task of moving the jail to a different host)
>
> If the IP is already bound to the machine, just use the comma separated
> list of IPs.
>
> --
> Allan Jude

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: multiple interfaces for jail.conf(1) and jail_set(2)
> On Dec 14, 2016, at 8:31 AM, Valeri Galtsev wrote:
>
>>> no, this is not possible. Jail can only have one IP address (in addition
>>> to loopback addresses).
>>
>> Do you mean this just for jail.conf configuration/usage?
>
> No, that was earlier, in /etc/rc.conf. Since then I've heard that it can
> be done on jail command line, though I never tried as I kind of prefer all
> my stuff done "generic" and uniform way, something done on command line
> what does not work in central configuration files be it /etc/rc.conf or
> /etc/jail.conf feels like hack to me, so I tend to avoid it.
>
> Valeri

Thanks for clarifying Valeri- that makes complete sense.

My first impression of jail.conf is simply that it’s not quite complete in all the ways I need, yet it is certainly quite simple, UNIX-ish, and clean! After hacking around with it, I think that jail.conf is only a few features away from being something I’d consider to be an excellent base utility for starting/stopping my jailed systems.

Best,
.ike
Re: multiple interfaces for jail.conf(1) and jail_set(2)
Hi Allan,

> On Dec 14, 2016, at 12:43 AM, Allan Jude wrote:
>
> In ezjail I can just do this:
>
> export
> jail_something_scaleengine_net_ip="vlan43|10.0.0.17,vlan43|2001:470:1::1:6667,lo0|127.0.3.1"
>
> If you include the interface name like that, it will automatically add
> the alias when the jail starts, and remove it when the jail stops
> (simplifying the task of moving the jail to a different host)
>
> If the IP is already bound to the machine, just use the comma separated
> list of IPs.
>
> --
> Allan Jude

While I appreciate the post, and the syntax is certainly cool to see, my question is not about ezjail- I would ask questions about ezjail on whatever respective list there is for that project.

My question is about the relatively new and slick jail.conf(1) and jail_set(2) subsystems in base.

Best,
.ike
Re: multiple interfaces for jail.conf(1) and jail_set(2)
>> In ezjail I can just do this:
>>
>
> Of course, it is great to learn that some tools can do this or that.
> However, this only is helpful to those who are just choosing what to use
> for the future. Once your choice is made, you (at least I) kind of avoid
> jumping over to doing something using different tools, especially what is
> already done some specific way on your production machine.
>
> I guess, what I'm trying to say is: don't be surprised if OP finds your
> effort to help him ultimately useless.
>
> Incidentally, I for one set up jails "by the book", not by using some tool
> which does it all for me behind the scenes. So, reference to any tools are
> kind of set me off (hence this my reply ;-)
>
> Just my $0.02.
>
> Valeri

Sorry to drag this out further, but Valeri is spot on here.

Sorry to indulge and repeat in my own words- after using jail(8) heavily since 1999, and even helping run one of the earliest jail based ISP’s, I am a bit taken aback to see such a propensity toward suggesting 3rd party tooling on this list- particularly as it does not answer my original question.

Has everyone been using so many 3rd party tools for jailing for so long that we’ve forgotten how jail(8) works, to the point that my original question can’t even be recognized? A question not worth answering, but certainly worth pondering!

I’m not arguing against the use of nice 3rd party tools, but I do want to make it very clear that they are not required for heavy or even light jailing.

The strength of jail(8) and jail(2), even before important features like multiple IP’s and per-jail securelevels etc, was always that it’s just another small piece of the UNIX ecosystem- jail(8) was strong because the *entire* base system made it strong.

For example: before multiple jail IP’s, we’d often simply NAT addresses on the jailing host itself, a bit of scripting ifconfig(8) made it simple for our environment.

Before base provided per-jail devfs rulesets, (and even before devfs), we’d simply make and delete packs of ‘/dev’ tarballs for various jails- removing the devices which were inappropriate for our applied need.

I could go on forever, but nearly everything one could need in a jailed system can always be set up using other base tools- and the UNIX philosophy. Even today, jail(8) is still trivially scriptable for starting/stopping and managing many jails.

For my use, just using the base system is preferable over 3rd party tooling because I know exactly what I want to do, and with common UNIX knowledge I can manage hundreds and thousands of jails across multiple hardware hosts, with nothing but the base system.

3rd party tools can be wonderful, but over the 17+ years I’ve been using FreeBSD jail(8), many 3rd party tools have come and gone, and changed a great deal- but the base UNIX system has not fundamentally changed. I mean, even many jail related scripts I wrote in 1999 are still completely functional and relevant.

Best,
.ike
Re: multiple interfaces for jail.conf(1) and jail_set(2)
Isaac (.ike) Levy wrote:

> Can I specify multiple IP interfaces and assign IP’s to them using jail.conf?

Not sure if I understand your question correctly, but I do define the following in my jail.conf for VNET jails:

    #
    # host dependent global settings
    #
    $ip6prefixLOCAL = "fd00:dead:beef:1234";

    #
    # global jail settings
    #
    host.hostname   = "${name}";
    path            = "/usr/home/jails/${name}";
    mount.fstab     = "/etc/fstab.${name}";
    exec.consolelog = "/var/log/jail_${name}_console.log";
    vnet            = "new";
    vnet.interface  = "epair${jailID}b";
    exec.clean;
    mount.devfs;
    persist;

    #
    # network settings to apply/destroy during start/stop of every jail
    #
    exec.prestart  = "sleep 2";
    exec.prestart += "/sbin/ifconfig epair${jailID} create up";
    exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
    exec.start     = "/sbin/sysctl net.inet6.ip6.dad_count=0";
    exec.start    += "/sbin/ifconfig lo0 127.0.0.1 up";
    exec.start    += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
    exec.start    += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
    exec.start    += "/sbin/route add default -gateway 10.1.1.254";
    exec.start    += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
    exec.stop      = "/sbin/route del default";
    exec.stop     += "/sbin/route del -inet6 default";
    exec.stop     += "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "/sbin/ifconfig epair${jailID}a destroy";

    #
    # individual jail settings
    #
    dns {
        $jailID     = 1;
        $ip4_addr   = 10.1.1.1;
        $ip4_addr_2 = 10.1.1.2;
        $ip6_addr   = ${ip6prefixLOCAL}::1/64;
        $ip6_addr_2 = ${ip6prefixLOCAL}::2/64;
        exec.start += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr_2} alias";
        exec.start += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr_2} alias";
        exec.start += "/bin/sh /etc/rc";
    }

etc.

Again, not sure if I do understand your issue correctly, but the shown examples of exec.start, exec.stop, etc. are quite versatile to use.

I do start/stop my jails by "service jail start/stop".

Hope that helps,
Michael
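Added example, not Michael's configuration and not from the thread: for a non-VNET jail, ike's four ifconfig alias lines plus the jail -c command line can be written as one jail.conf(5) entry using the "interface|address/prefix" form that jail(8) accepts for ip4.addr and ip6.addr, so the aliases are added to the interface before the jail starts and removed after it stops. The interface names and addresses are the thread's own; the exec.stop line and the jail name are assumed.

```conf
# Added example (not from the thread): ike's ifconfig/jail -c sequence as a
# jail.conf(5) entry. The "interface|address/prefix" form is jail(8) syntax;
# em0/em1/lo0 and the addresses are the ones quoted earlier in the thread.
myjail {
    path          = "/some/place";
    host.hostname = "myjail";

    # Each alias is created on the named interface at jail start and
    # destroyed at jail stop, which keeps the host clean when a jail moves.
    ip4.addr = "em0|10.10.10.10/32", "em1|10.10.10.11/32", "lo0|127.0.0.11/32";
    ip6.addr = "em0|2:2:2:2::10/64";

    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";   # assumed, not in ike's command line
    exec.clean;
    mount.devfs;
}
```

Start and stop it with `jail -c -f /etc/jail.conf myjail` and `jail -r -f /etc/jail.conf myjail`; without the interface prefix, ip4.addr only restricts the jail to addresses that already exist on the host.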
Re: multiple interfaces for jail.conf(1) and jail_set(2)
Wow, that’s rad Michael,

> On Dec 14, 2016, at 3:30 PM, Michael Grimm wrote:
>
> Isaac (.ike) Levy wrote:
>
>> Can I specify multiple IP interfaces and assign IP’s to them using jail.conf?
>
> Not sure if I understand your question correctly, but I do define the
> following in my jail.conf for VNET jails:
>
> #
> # host dependent global settings
> #
> $ip6prefixLOCAL = "fd00:dead:beef:1234";
>
> #
> # global jail settings
> #
> host.hostname   = "${name}";
> path            = "/usr/home/jails/${name}";
> mount.fstab     = "/etc/fstab.${name}";
> exec.consolelog = "/var/log/jail_${name}_console.log";
> vnet            = "new";
> vnet.interface  = "epair${jailID}b";
> exec.clean;
> mount.devfs;
> persist;
>
> #
> # network settings to apply/destroy during start/stop of every jail
> #
> exec.prestart  = "sleep 2";
> exec.prestart += "/sbin/ifconfig epair${jailID} create up";
> exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
> exec.start     = "/sbin/sysctl net.inet6.ip6.dad_count=0";
> exec.start    += "/sbin/ifconfig lo0 127.0.0.1 up";
> exec.start    += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
> exec.start    += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
> exec.start    += "/sbin/route add default -gateway 10.1.1.254";
> exec.start    += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
> exec.stop      = "/sbin/route del default";
> exec.stop     += "/sbin/route del -inet6 default";
> exec.stop     += "/bin/sh /etc/rc.shutdown";
> exec.poststop  = "/sbin/ifconfig epair${jailID}a destroy";
>
> #
> # individual jail settings
> #
> dns {
>     $jailID     = 1;
>     $ip4_addr   = 10.1.1.1;
>     $ip4_addr_2 = 10.1.1.2;
>     $ip6_addr   = ${ip6prefixLOCAL}::1/64;
>     $ip6_addr_2 = ${ip6prefixLOCAL}::2/64;
>     exec.start += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr_2} alias";
>     exec.start += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr_2} alias";
>     exec.start += "/bin/sh /etc/rc";
> }
>
> etc.

I’ll need to study/look up some of that syntax, to fully grok this, but that comprehensive example appears to hit the nail on the head several times over with the exec.start/exec.stop action.

Two questions though:

- I’m confused how you define the shell style $ variables in your individual jail settings above, e.g. ‘$ip4_addr_2 = 10.1.1.2;’, why/how does that work? Is that a variable to be expanded, or some other behavior?

> Again, not sure if I do understand your issue correctly, but the shown
> examples of exec.start, exec.stop, etc. are quite versatile to use.
>
> I do start/stop my jails by "service jail start/stop”.

- Obviously you state you’re using service to start/stop jails, but shouldn’t this work with ‘jail -c ’, or are these subsystems not interoperable?

Thanks!

Best,
.ike

> Hope that helps,
> Michael
Re: multiple interfaces for jail.conf(1) and jail_set(2)
Isaac (.ike) Levy wrote

> Wow, that’s rad Michael,
>
>> On Dec 14, 2016, at 3:30 PM, Michael Grimm wrote:
>>
>> Isaac (.ike) Levy wrote:
>>
>>> Can I specify multiple IP interfaces and assign IP’s to them using
>>> jail.conf?
>>
>> Not sure if I understand your question correctly, but I do define the
>> following in my jail.conf for VNET jails:
>>
>> #
>> # host dependent global settings
>> #
>> $ip6prefixLOCAL = "fd00:dead:beef:1234";
>>
>> #
>> # global jail settings
>> #
>> host.hostname   = "${name}";
>> path            = "/usr/home/jails/${name}";
>> mount.fstab     = "/etc/fstab.${name}";
>> exec.consolelog = "/var/log/jail_${name}_console.log";
>> vnet            = "new";
>> vnet.interface  = "epair${jailID}b";
>> exec.clean;
>> mount.devfs;
>> persist;
>>
>> #
>> # network settings to apply/destroy during start/stop of every jail
>> #
>> exec.prestart  = "sleep 2";
>> exec.prestart += "/sbin/ifconfig epair${jailID} create up";
>> exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
>> exec.start     = "/sbin/sysctl net.inet6.ip6.dad_count=0";
>> exec.start    += "/sbin/ifconfig lo0 127.0.0.1 up";
>> exec.start    += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
>> exec.start    += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
>> exec.start    += "/sbin/route add default -gateway 10.1.1.254";
>> exec.start    += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
>> exec.stop      = "/sbin/route del default";
>> exec.stop     += "/sbin/route del -inet6 default";
>> exec.stop     += "/bin/sh /etc/rc.shutdown";
>> exec.poststop  = "/sbin/ifconfig epair${jailID}a destroy";
>>
>> #
>> # individual jail settings
>> #
>> dns {
>>     $jailID     = 1;
>>     $ip4_addr   = 10.1.1.1;
>>     $ip4_addr_2 = 10.1.1.2;
>>     $ip6_addr   = ${ip6prefixLOCAL}::1/64;
>>     $ip6_addr_2 = ${ip6prefixLOCAL}::2/64;
>>     exec.start += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr_2} alias";
>>     exec.start += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr_2} alias";
>>     exec.start += "/bin/sh /etc/rc";
>> }
>>
>> etc.
>
> I’ll need to study/look up some of that syntax, to fully grok this, but that
> comprehensive example appears to hit the nail on the head several times over
> with the exec.start/exec.stop action.
>
> Two questions though:
>
> - I’m confused how you define the shell style $ variables in your individual
> jail settings above, e.g. ‘$ip4_addr_2 = 10.1.1.2;’, why/how does that work?
> Is that a variable to be expanded, or some other behavior?

This is described in jail.conf(5) under the section "variables". I do have 10 jails running, and those $ variables/parameters are very helpful, indeed.

>> Again, not sure if I do understand your issue correctly, but the shown
>> examples of exec.start, exec.stop, etc. are quite versatile to use.
>>
>> I do start/stop my jails by "service jail start/stop”.
>
> - Obviously you state you’re using service to start/stop jails, but shouldn’t
> this work with ‘jail -c ’, or are these subsystems not
> interoperable?

Hmm. I do have to admit that I never tried 'jail -c ', but I just gave it a try, and yes, it works as well :-)

I do use "service jail start/stop" because that will obey my pre-defined starting/stopping order of jails (which I do need to have, e.g. dns before mail and such) in /etc/rc.conf

    jail_enable="YES"
    jail_reverse_stop="YES"
    jail_list="dns mail ..."

Regards,
Michael
Re: multiple interfaces for jail.conf(1) and jail_set(2)
Wow,

> On Dec 14, 2016, at 3:53 PM, Michael Grimm wrote:
>
>> Two questions though:
>>
>> - I’m confused how you define the shell style $ variables in your individual
>> jail settings above, e.g. ‘$ip4_addr_2 = 10.1.1.2;’, why/how does that work?
>> Is that a variable to be expanded, or some other behavior?
>
> This is described in jail.conf(5) under the section "variables". I do have 10
> jails running, and those $ variables/parameters are very helpful, indeed.

I get it, the man page explained it well.

>>> Again, not sure if I do understand your issue correctly, but the shown
>>> examples of exec.start, exec.stop, etc. are quite versatile to use.
>>>
>>> I do start/stop my jails by "service jail start/stop”.
>>
>> - Obviously you state you’re using service to start/stop jails, but
>> shouldn’t this work with ‘jail -c ’, or are these subsystems not
>> interoperable?
>
> Hmm. I do have to admit that I never tried 'jail -c ', but I just
> gave it a try, and yes, it works as well :-)
>
> I do use "service jail start/stop" because that will obey my pre-defined
> starting/stopping order of jails (which I do need to have, e.g. dns before
> mail and such) in /etc/rc.conf
>
> jail_enable="YES"
> jail_reverse_stop="YES"
> jail_list="dns mail …”

Awesome! For my use, I’m averse to starting jails at host boot- so I’m really excited this works.

Thanks so much Michael- this totally answered my question, I’m back on the right path to using jail.conf with my setup!

Best,
.ike
Re: multiple interfaces for jail.conf(1) and jail_set(2)
Isaac (.ike) Levy wrote:

>> I do use "service jail start/stop" because that will obey my pre-defined
>> starting/stopping order of jails (which I do need to have, e.g. dns before
>> mail and such) in /etc/rc.conf
>>
>> jail_enable="YES"
>> jail_reverse_stop="YES"
>> jail_list="dns mail …”
>
> Awesome! For my use, I’m averse to starting jails at host boot- so I’m
> really excited this works.

It works very well (for quite some years now).

> Thanks so much Michael- this totally answered my question, I’m back on the
> right path to using jail.conf with my setup!

You are welcome, and I am glad having been able to help (as I have been helped by others before).

Regards,
Michael
Re: Closing ports in jail with ipfw
marcel wrote:
> On Mon, 05 Dec 2016 08:31:19 +0800, Ernie Luzar wrote:
> > marcel wrote:
> > > Hi there,
> > >
> > > I've created a jail and when I do a nmap on his IP, I can see that
> > > port 25 and 22 are open but I don't want. So i've tried to create
> > > an IPFW rule by adding 'ipfw -q add 00290 deny all from router to
> > > jail' to my host ipfw conf file and applied it but ports jail are
> > > still open. How can I close or open the ports of my jail ?
> > >
> > > Thanks !
> >
> > You can not run nmap on the host targeting the jails ip. Doing so
> > only shows you open ports on the host. You have to run nmap from a
> > computer on a different public ip address targeting the public ip
> > address assigned to the jail. If jail is using a non-routeable ip
> > address, nmap is useless in looking for jail open ports.
>
> Hi !
>
> Sorry for silence, I was not able to answer.
>
> Yeah I understand, maybe netstat -an in jail is more useful ? When I do
> that I see port 25 and 514 are open but if I haven't looked yet what is
> this port 514 I imagine both of these ports are not closable (or it's not
> advised) isn't it ?

On the host port 25 is sendmail and port 514 is syslog.

https://www.grc.com/port_514.htm

The syslog server opens port 514 and listens for incoming syslog event notifications (carried by UDP protocol packets) generated by remote syslog clients. Any number of client devices can be programmed to send syslog event messages to whatever servers they choose.

This defaults to off on clean install of Freebsd. You must have a statement in your /etc/rc.conf file that enables it.
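A way to check a jail's listening ports from the host without nmap, as an added example that is not from the thread: sockstat(1) lists one jail's listening sockets with -j, and a small allow-list check reports anything beyond what the jail is meant to serve. The sockstat output below is constructed for a non-VNET jail whose address is 10.1.1.1; the `audit_jail` wrapper assumes sockstat's -j option and its usual column layout.

```sh
#!/bin/sh
# Constructed sample of `sockstat -46l -j <jid>` output (not captured from a
# real host): columns are USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1234  4  tcp4   10.1.1.1:25           *:*
root     sshd       1200  3  tcp4   10.1.1.1:22           *:*
root     syslogd    1100  6  udp4   *:514                 *:*
root     syslogd    1100  7  udp6   *:514                 *:*'

# listening_ports: read sockstat output on stdin and print one
# "proto port command" line per listening socket, skipping the header.
# The port is the last colon-separated field of LOCAL ADDRESS, which also
# works for IPv6 addresses and for the "*" wildcard.
listening_ports() {
    awk 'NR > 1 {
        n = split($6, a, ":")
        print $5, a[n], $2
    }'
}

# unexpected_ports: $1 is a space-separated allow-list of ports; print every
# listening socket (from stdin) whose port is not on that list.
unexpected_ports() {
    allowed="$1"
    listening_ports | while read -r proto port cmd; do
        case " $allowed " in
            *" $port "*) ;;                                  # expected, skip
            *) printf '%s %s %s\n' "$proto" "$port" "$cmd" ;;
        esac
    done
}

# audit_jail: run the check against a live jail on a FreeBSD host.
# $1 is the jail name or jid, $2 the allow-list (assumes sockstat -j).
audit_jail() {
    sockstat -46l -j "$1" | unexpected_ports "$2"
}

# Stand-alone demo on the constructed sample: only ssh (22) is allowed,
# so sendmail on 25 and syslogd on 514 are reported.
printf '%s\n' "$SAMPLE_SOCKSTAT" | unexpected_ports "22"
```

A port found this way is closed inside the jail rather than with host firewall rules: for the two ports in this thread, `sendmail_enable="NONE"` and `syslogd_flags="-ss"` in the jail's /etc/rc.conf stop sendmail and syslogd from listening.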