Re: multiple interfaces for jail.conf(1) and jail_set(2)
[cc'd to freebsd-jail@FreeBSD.org where that thread originated]

Valeri Galtsev wrote:

> On Wed, December 14, 2016 2:30 pm, Michael Grimm wrote:
>
>> #
>> # network settings to apply/destroy during start/stop of every jail
>> #
>> exec.prestart  = "sleep 2";
>> exec.prestart += "/sbin/ifconfig epair${jailID} create up";
>> exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
>> exec.start     = "/sbin/sysctl net.inet6.ip6.dad_count=0";
>> exec.start    += "/sbin/ifconfig lo0 127.0.0.1 up";
>> exec.start    += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
>> exec.start    += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
>> exec.start    += "/sbin/route add default -gateway 10.1.1.254";
>> exec.start    += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
>> exec.stop      = "/sbin/route del default";
>> exec.stop     += "/sbin/route del -inet6 default";
>> exec.stop     += "/bin/sh /etc/rc.shutdown";
>> exec.poststop  = "/sbin/ifconfig epair${jailID}a destroy";
>>
>> #
>> # individual jail settings
>> #
>> dns {
>>     $jailID     = 1;
>>     $ip4_addr   = 10.1.1.1;
>>     $ip4_addr_2 = 10.1.1.2;
>> […]
>
> Michael, is it possible to have two addresses belonging to two different
> networks (through two different network interfaces)?
>
> Say, on the host system:
>
> ifconfig_igb0="inet 172.20.9.22 ...
> ifconfig_igb1="inet 10.1.1.17 ...
>
> and in some jail
>
> $ip4_addr   = 172.20.9.22;
> $ip4_addr_2 = 10.1.1.17;
>
> - will that work? This is what didn't work for me in the past when I
> configured jails old style in /etc/rc.conf

I can't answer that because I have never tried it before.

Those exec.* settings give you very fine-grained control over which commands are run in the host environment (exec.prestart, exec.poststop, exec.poststart) or within the jail's environment (exec.start, exec.stop, exec.prestop), and in which order. Have a look at jail(8) for details (and presumably more exec.* parameters). Therefore I am quite confident that whatever can be done with jails can be "coded" into jail.conf.
Regards,
Michael

___
freebsd-jail@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
Re: Closing ports in jail with ipfw
On Thu, 15 Dec 2016 09:33:33 +0800, Ernie Luzar wrote:

> marcel wrote:
>
>> On Mon, 05 Dec 2016 08:31:19 +0800, Ernie Luzar wrote:
>>
>>> marcel wrote:
>>>
>>>> Hi there,
>>>>
>>>> I've created a jail and when I do an nmap on its IP, I can see that
>>>> ports 25 and 22 are open, but I don't want that. So I've tried to create
>>>> an IPFW rule by adding 'ipwf -q add 00290 deny all from router to
>>>> jail' to my host ipfw conf file and applied it, but the jail's ports are
>>>> still open. How can I close or open the ports of my jail?
>>>>
>>>> Thanks!
>>>
>>> You can not run nmap on the host targeting the jail's IP. Doing so
>>> only shows you open ports on the host. You have to run nmap from a
>>> computer on a different public IP address targeting the public IP
>>> address assigned to the jail. If the jail is using a non-routable IP
>>> address, nmap is useless in looking for jail open ports.
>>
>> Hi! Sorry for the silence, I was not able to answer. Yeah, I understand;
>> maybe netstat -an in the jail is more useful? When I do that I see
>> ports 25 and 514 are open, but I haven't looked yet at what this
>> port 514 is. I imagine both of these ports are not closable (or it's
>> not advised), isn't it?
>
> On the host port 25 is sendmail and port 514 is syslog.
> https://www.grc.com/port_514.htm
>
> The syslog server opens port 514 and listens for incoming syslog
> event notifications (carried by UDP protocol packets) generated by
> remote syslog clients. Any number of client devices can be programmed
> to send syslog event messages to whatever servers they choose.
>
> This defaults to off on a clean install of FreeBSD.
> You must have a statement in your /etc/rc.conf file that enables it.

Okay, thanks for the clarifications for port 514. When you say "This defaults to off on a clean install of FreeBSD", you mean that this is the default on the default install, but we can turn it off on a clean modified FreeBSD install?
Re: multiple interfaces for jail.conf(1) and jail_set(2)
Michael Grimm wrote on 2016/12/15 19:36:

> [cc'd to freebsd-jail@FreeBSD.org where that thread originated]
>
> Valeri Galtsev wrote:
>
>> On Wed, December 14, 2016 2:30 pm, Michael Grimm wrote:
>>
>>> #
>>> # network settings to apply/destroy during start/stop of every jail
>>> #
>>> exec.prestart  = "sleep 2";
>>> exec.prestart += "/sbin/ifconfig epair${jailID} create up";
>>> exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
>>> exec.start     = "/sbin/sysctl net.inet6.ip6.dad_count=0";
>>> exec.start    += "/sbin/ifconfig lo0 127.0.0.1 up";
>>> exec.start    += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
>>> exec.start    += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
>>> exec.start    += "/sbin/route add default -gateway 10.1.1.254";
>>> exec.start    += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
>>> exec.stop      = "/sbin/route del default";
>>> exec.stop     += "/sbin/route del -inet6 default";
>>> exec.stop     += "/bin/sh /etc/rc.shutdown";
>>> exec.poststop  = "/sbin/ifconfig epair${jailID}a destroy";
>>>
>>> #
>>> # individual jail settings
>>> #
>>> dns {
>>>     $jailID     = 1;
>>>     $ip4_addr   = 10.1.1.1;
>>>     $ip4_addr_2 = 10.1.1.2;
>>> […]
>>
>> Michael, is it possible to have two addresses belonging to two different
>> networks (through two different network interfaces)?
>>
>> Say, on the host system:
>>
>> ifconfig_igb0="inet 172.20.9.22 ...
>> ifconfig_igb1="inet 10.1.1.17 ...
>>
>> and in some jail
>>
>> $ip4_addr   = 172.20.9.22;
>> $ip4_addr_2 = 10.1.1.17;
>>
>> - will that work? This is what didn't work for me in the past when I
>> configured jails old style in /etc/rc.conf
>
> I can't answer that because I have never tried it before.

More IP addresses on more interfaces has worked for me for many years, even in old rc.conf style jails.

Converted to the new jail.conf it is something like this:

costa {
    host.hostname = "costa.example.com";
    ip4.addr = 94.104.135.21;
    ip4.addr += 192.168.222.57;
}

As you can see, the IPs are from different networks.
We are not using auto add / remove of IPs on interfaces. We don't want to have something else managing IP addresses. All IPs are defined in rc.conf on their proper interfaces.

In this case, the first jail IP is on bge1 and the second is on nfe0 (the LAN interface).

I already made a jail using a VPN-assigned IP on the tun0 OpenVPN interface.

In other words: the jail doesn't care about interfaces. If there is an IP in the system (on whatever interface) then you can assign it to a jail, and you can assign as many IPs as you want (up to some really high limit).

Miroslav Lachman
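The practical consequence of the point above (a jail can only be given an address that already exists somewhere on the host, and ip4.addr lines may be stacked with +=) is a pre-flight check an operator can run before starting jails. The POSIX sh script below is an added example, not code from this thread or from FreeBSD; it parses a constructed jail.conf excerpt for each jail's ip4.addr values, parses a constructed stand-in for ifconfig output on the host, and reports any jail address that no host interface carries. The jail names, addresses and interface names are sample values made up for this example.

```sh
#!/bin/sh
# Added example: verify that every ip4.addr a jail.conf assigns to a jail is
# already configured on some host interface. Both inputs below are constructed
# samples standing in for /etc/jail.conf and the output of `ifconfig -a`.

JAIL_CONF='costa {
    host.hostname = "costa.example.com";
    ip4.addr = 94.104.135.21;
    ip4.addr += 192.168.222.57;
}
dns {
    host.hostname = "dns.example.com";
    ip4.addr = 10.1.1.1;
    ip4.addr += 10.1.1.2;
}'

# Constructed stand-in for `ifconfig -a`: two interfaces, three addresses.
HOST_IFCONFIG='bge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 94.104.135.21 netmask 0xffffff00 broadcast 94.104.135.255
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.222.57 netmask 0xffffff00 broadcast 192.168.222.255
    inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255'

# jail_ip4_addrs NAME: print the ip4.addr values of jail NAME, one per line,
# in jail.conf order. Both "=" and "+=" assignments count.
jail_ip4_addrs() {
    printf '%s\n' "$JAIL_CONF" | awk -v jail="$1" '
        $1 == jail && $2 == "{" { inside = 1; next }
        inside && $1 == "}"     { inside = 0 }
        inside && $1 == "ip4.addr" {
            sub(/;$/, "", $NF)      # strip the trailing ";" from the address
            print $NF
        }'
}

# host_ip4_addrs: print "address interface" for every inet address on the host.
host_ip4_addrs() {
    printf '%s\n' "$HOST_IFCONFIG" | awk '
        /^[a-z0-9]+:/ { ifname = $1; sub(/:$/, "", ifname) }
        $1 == "inet"  { print $2, ifname }'
}

# missing_jail_addrs NAME: print each address of jail NAME that no host
# interface carries. Empty output means the jail can be started as configured.
missing_jail_addrs() {
    for addr in $(jail_ip4_addrs "$1"); do
        if ! host_ip4_addrs | awk -v a="$addr" '$1 == a { found = 1 } END { exit !found }'; then
            printf '%s\n' "$addr"
        fi
    done
}

# Report per jail.
for j in costa dns; do
    m=$(missing_jail_addrs "$j")
    if [ -z "$m" ]; then
        echo "$j: all ip4.addr values are present on the host"
    else
        echo "$j: not configured on any host interface: $(echo "$m" | tr '\n' ' ')"
    fi
done
```

On a real host, replace the two constructed strings with `cat /etc/jail.conf` and `ifconfig -a`; the awk parsing is deliberately tolerant of the spacing differences between the hand-aligned and unaligned jail.conf styles seen in this thread.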
Re: multiple interfaces for jail.conf(1) and jail_set(2)
On Thu, December 15, 2016 2:09 pm, Miroslav Lachman wrote:

> Michael Grimm wrote on 2016/12/15 19:36:
>
>> [cc'd to freebsd-jail@FreeBSD.org where that thread originated]
>>
>> Valeri Galtsev wrote:
>>
>>> On Wed, December 14, 2016 2:30 pm, Michael Grimm wrote:
>>>
>>>> #
>>>> # network settings to apply/destroy during start/stop of every jail
>>>> #
>>>> exec.prestart  = "sleep 2";
>>>> exec.prestart += "/sbin/ifconfig epair${jailID} create up";
>>>> exec.prestart += "/sbin/ifconfig bridge0 addm epair${jailID}a";
>>>> exec.start     = "/sbin/sysctl net.inet6.ip6.dad_count=0";
>>>> exec.start    += "/sbin/ifconfig lo0 127.0.0.1 up";
>>>> exec.start    += "/sbin/ifconfig epair${jailID}b inet ${ip4_addr}";
>>>> exec.start    += "/sbin/ifconfig epair${jailID}b inet6 ${ip6_addr}";
>>>> exec.start    += "/sbin/route add default -gateway 10.1.1.254";
>>>> exec.start    += "/sbin/route add -inet6 default -gateway ${ip6prefixLOCAL}::254";
>>>> exec.stop      = "/sbin/route del default";
>>>> exec.stop     += "/sbin/route del -inet6 default";
>>>> exec.stop     += "/bin/sh /etc/rc.shutdown";
>>>> exec.poststop  = "/sbin/ifconfig epair${jailID}a destroy";
>>>>
>>>> #
>>>> # individual jail settings
>>>> #
>>>> dns {
>>>>     $jailID     = 1;
>>>>     $ip4_addr   = 10.1.1.1;
>>>>     $ip4_addr_2 = 10.1.1.2;
>>>>
>>>> […]
>>>
>>> Michael, is it possible to have two addresses belonging to two
>>> different networks (through two different network interfaces)?
>>>
>>> Say, on the host system:
>>>
>>> ifconfig_igb0="inet 172.20.9.22 ...
>>> ifconfig_igb1="inet 10.1.1.17 ...
>>>
>>> and in some jail
>>>
>>> $ip4_addr   = 172.20.9.22;
>>> $ip4_addr_2 = 10.1.1.17;
>>>
>>> - will that work? This is what didn't work for me in the past when I
>>> configured jails old style in /etc/rc.conf
>>
>> I can't answer that because I have never tried it before.
>
> More IP addresses on more interfaces works for me for many years even in
> old rc.conf style jails.
>
> Converted to new jail.conf is something like this
>
> costa {
>     host.hostname = "costa.example.com";
>     ip4.addr = 94.104.135.21;
>     ip4.addr += 192.168.222.57;
> }

Thanks, Miroslav.

I do not recollect "ip4.addr += ..."; that must have been my problem (though I asked on mailing lists and wasn't directed towards that, I got the answer "not possible" - I must have been unlucky then).

Valeri

> As you can see, IPs are from different networks.
> We are not using auto add / remove IP on interfaces. We don't want to
> have something else to manage IP addresses. All IPs are defined in
> rc.conf on their proper interfaces.
> In this case, first jail's IP is on bge1 and the second is on nfe0 (LAN
> interface)
>
> I already made jail using VPN assigned IP on tun0 OpenVPN interface.
>
> In other words - jail doesn't care about interfaces. If there is an IP
> in the system (on whatever interface) then you can assign it to jail and
> you can assign as many IPs as you want (up to some really high limit).
>
> Miroslav Lachman

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: Closing ports in jail with ipfw
marcel wrote:

> On Thu, 15 Dec 2016 09:33:33 +0800, Ernie Luzar wrote:
>
>> marcel wrote:
>>
>>> On Mon, 05 Dec 2016 08:31:19 +0800, Ernie Luzar wrote:
>>>
>>>> marcel wrote:
>>>>
>>>>> Hi there,
>>>>>
>>>>> I've created a jail and when I do an nmap on its IP, I can see that
>>>>> ports 25 and 22 are open, but I don't want that. So I've tried to create
>>>>> an IPFW rule by adding 'ipwf -q add 00290 deny all from router to
>>>>> jail' to my host ipfw conf file and applied it, but the jail's ports are
>>>>> still open. How can I close or open the ports of my jail?
>>>>>
>>>>> Thanks!
>>>>
>>>> You can not run nmap on the host targeting the jail's IP. Doing so
>>>> only shows you open ports on the host. You have to run nmap from a
>>>> computer on a different public IP address targeting the public IP
>>>> address assigned to the jail. If the jail is using a non-routable IP
>>>> address, nmap is useless in looking for jail open ports.
>>>
>>> Hi! Sorry for the silence, I was not able to answer. Yeah, I understand;
>>> maybe netstat -an in the jail is more useful? When I do that I see
>>> ports 25 and 514 are open, but I haven't looked yet at what this
>>> port 514 is. I imagine both of these ports are not closable (or it's
>>> not advised), isn't it?
>>
>> On the host port 25 is sendmail and port 514 is syslog.
>> https://www.grc.com/port_514.htm
>>
>> The syslog server opens port 514 and listens for incoming syslog
>> event notifications (carried by UDP protocol packets) generated by
>> remote syslog clients. Any number of client devices can be programmed
>> to send syslog event messages to whatever servers they choose.
>>
>> This defaults to off on a clean install of FreeBSD.
>> You must have a statement in your /etc/rc.conf file that enables it.
>
> Okay, thanks for the clarifications for port 514. When you say "This
> defaults to off on a clean install of FreeBSD", you mean that this is the
> default on the default install, but we can turn it off on a clean modified
> FreeBSD install?

Yes. In rc.conf:

syslogd_flags="-ss"
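The thread settles on two things: look at the sockets from inside the jail rather than with nmap from the host, and keep syslogd off the network with syslogd_flags="-ss" (the second -s tells syslogd(8) to open no network socket at all). The POSIX sh script below is an added example, not code from this thread or from FreeBSD; it parses a constructed listing in the format of `sockstat -4 -l` (sockstat(1) with -l lists listening sockets, and would be run inside the jail, e.g. via jexec) into a proto/port/command table, and reads a constructed rc.conf to check how many times -s was given to syslogd. The addresses, PIDs and rc.conf contents are sample values made up for this example.

```sh
#!/bin/sh
# Added example: audit what listens inside a jail and whether rc.conf keeps
# syslogd off the network. SOCKSTAT_OUT and RC_CONF are constructed samples
# standing in for `sockstat -4 -l` output and /etc/rc.conf inside the jail.

SOCKSTAT_OUT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   2193  4  tcp4   10.1.1.1:25           *:*
root     syslogd    2105  7  udp4   *:514                 *:*
root     sshd       2220  4  tcp4   10.1.1.1:22           *:*'

RC_CONF='hostname="dns.example.com"
sendmail_enable="NO"
syslogd_flags="-ss"
sshd_enable="YES"'

# listening_ports: print "proto port command" per listening socket, sorted by
# port. The port is whatever follows the last ":" of the local address, so
# "10.1.1.1:25" and the wildcard bind "*:514" are both handled.
listening_ports() {
    printf '%s\n' "$SOCKSTAT_OUT" | awk '
        NR == 1 { next }                  # skip the column header
        {
            n = split($6, parts, ":")
            print $5, parts[n], $2
        }' | sort -k2,2n
}

# rc_value NAME: print the value of rc.conf variable NAME without the quotes.
# The last assignment wins, as it does when sh sources rc.conf.
rc_value() {
    printf '%s\n' "$RC_CONF" | awk -F= -v name="$1" '
        $1 == name { v = $2 }
        END { gsub(/^"|"$/, "", v); print v }'
}

# syslogd_secure_level: count how many times "-s" appears in syslogd_flags,
# counting "-ss" as 2 and "-s -s" as 2. Only option clusters (words that are
# a dash followed by letters) are inspected, so option arguments are ignored.
syslogd_secure_level() {
    rc_value syslogd_flags | awk '{
        n = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^-[A-Za-z]+$/) n += gsub(/s/, "s", $i)
        print n
    }'
}

# syslogd_network_disabled: true when -s was given at least twice, which is
# the setting under which syslogd opens no network socket.
syslogd_network_disabled() {
    [ "$(syslogd_secure_level)" -ge 2 ]
}

echo "Listening sockets in the jail (proto port command):"
listening_ports
if syslogd_network_disabled; then
    echo "syslogd_flags has -s twice: syslogd will not bind UDP 514"
else
    echo "syslogd may bind UDP 514; consider syslogd_flags=\"-ss\" in rc.conf"
fi
```

Note the mismatch this exposes in the constructed data: sendmail_enable="NO" in rc.conf while sendmail still shows a listener on port 25, which is the kind of discrepancy (a service started by some other mechanism, or rc.conf not yet applied) that a listing from inside the jail reveals and a scan from the host does not.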