no internet from inside my jail... would like to assign jail an ipv6 address

I added this line to sysctl.conf
Code:
security.jail.allow_raw_sockets=1

I have some sysctl forwarding IPv6

jail.conf is as follows:
Code:
hydroshop {
    host.hostname = "hydroponique.shop";           # Hostname
    #ip6.addr = "2001:redacted";                   # IP address of the jail
    interface = vtnet0;
    ip6.addr = "2001:redacted";
    path = "/jails/hydroshop";                    # Path to the jail
    //devfs_ruleset = "www_ruleset";             # devfs ruleset
    mount.devfs;                               # Mount devfs inside the jail
    exec.start = "sh /etc/rc";            # Start command
    exec.stop = "sh /etc/rc.shutdown";    # Stop command
}

rc.conf
Code:
root@videotron:/etc # vi rc.conf
hostname="videotron.eu"
sshd_enable="YES"
ntpd_enable="YES"
static_routes="linklocal"
ifconfig_vtnet0="DHCP"
ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
rtsold_flags="-aF"
apache24_enable="YES"
ftpd_enable="YES"
mysql_enable="YES"
jail_enable="YES" # Set to NO to disable starting of any jails
inetd_enable="YES"

#Mail Server Enabling
#pf_enable="YES"
#pf_rules="/usr/local/etc/pf.conf"
#pflog_enable="YES"
#pflog_logfile="/var/log/pflog"

#obspamd_enable="YES"
#obspamd_flags="-v"
#obspamlogd_enable="YES"

#dovecot_enable="YES"

sendmail_enable="YES"

#adding Linux support jan 3 2021
linux_enable="YES"
tomcat9_enable="YES"

firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em1"
natd_flags="-dynamic -m"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"

php_fpm_enable="YES"

motsognir_enable="YES"

#adding syslogd
syslogd_enable="YES"
syslogd_flags="-s -v -v"

webmin_enable="YES"

cloned_interfaces="lo1"

ifconfig_vtnet0_ipv6="inet6 accept_rtadv"
ipv6_activate_all_interfaces="YES"
rtsold_enable="YES"
rtsold_flags="-aF"

#ifconfig_vtnet0_alias0="inet6 2001:19f0:6801:ee3::2/64"
ifconfig_vtnet0_alias0="inet6 2001:19f0:6801:ee3:100::1 prefixlen 64"
Code:
root@videotron:/etc # ifconfig
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
        ether redacted
        inet6 fe80::5400:2ff:redacted%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2001:19f0:6801:redacted prefixlen 64 autoconf
        inet6 2001:19f0:6801:redacted prefixlen 64
        inet redacted netmask 0xfffffe00 broadcast 108.redacted
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 2001:19f0:redacted::1 prefixlen 64
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3
        inet6 2001:19f0:6801:redacted::1 prefixlen 64
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
jls
Code:
root@videotron:/etc # jls
   JID  IP Address      Hostname                      Path
     5                  hydroponique.shop             /jails/hydroshop
from inside jail ifconfig
Code:
vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
        ether 56:0redacted
        inet6 2001:19f0:6801:redacted prefixlen 64
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
from inside jail ping6 google.com
Code:
# ping6 google.com
ping6: Name does not resolve
 
I added this line to sysctl.conf
Remove that sysctl(8), it's deprecated in favor of per jail settings. See jail(8):
Code:
             allow.raw_sockets
                     The jail root is allowed to create raw sockets.  Setting
                     this parameter allows utilities like ping(8) and
                     traceroute(8) to operate inside the jail.  If this is
                     set, the source IP addresses are enforced to comply with
                     the IP address bound to the jail, regardless of whether
                     or not the IP_HDRINCL flag has been set on the socket.
                     Since raw sockets can be used to configure and interact
                     with various network subsystems, extra caution should be
                     used where privileged access to jails is given out to
                     untrusted parties.

Code:
ping6: Name does not resolve
Did you configure /etc/resolv.conf correctly in the jail?
 
You don't have working DNS inside the jail, check /etc/resolv.conf; sample one:
Code:
nameserver 1.1.1.1
nameserver 8.8.8.8
How about ping 1.1.1.1?
 
I changed resolv.conf to the IPv4 addresses you gave me

# ping 1.1.1.1
ping: ssend socket: Protocol not supported

also ping6
# ping6 1.1.1.1
ping6: Name does not resolve
 
Jail is configured for IPv6 only, it doesn't have IPv4. Pinging an IPv4 address isn't going to work, the jail doesn't have IPv4. So resolving via an IPv4 DNS server address isn't going to work either for the same obvious reason.

Either add an IPv4 address to the jail so you can actually have IPv4 connectivity there, or use an IPv6 DNS server address for resolving.
 
is it possible to execute pkg update with only ipv6?
Yes, as far as I know the official repositories are accessible on IPv6 too.

No address record
Resolving issue. Still haven't figured out how to configure resolv.conf(5) for IPv6?

Useful hint:
The Google Public DNS IP addresses (IPv4) are as follows:

8.8.8.8
8.8.4.4

The Google Public DNS IPv6 addresses are as follows:

2001:4860:4860::8888
2001:4860:4860::8844
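
The family mismatch explained earlier in the thread (an IPv6-only jail cannot reach IPv4 resolvers) and the IPv6 resolver hint above, as an added example that is not part of any post: a POSIX sh check that reads a jail.conf block and a resolv.conf and marks each nameserver the jail cannot reach. The function names and the 2001:db8:: sample addresses are made up for illustration, and it assumes a family is available to the jail only when its ipN.addr is set, as the ping output in the thread shows.

```shell
# Added example, not from the thread; sample data is constructed (2001:db8:: is a placeholder).

# Print "inet6" for an address containing ':', otherwise "inet".
addr_family() {
    case "$1" in
        *:*) echo inet6 ;;
        *)   echo inet ;;
    esac
}

# Read a jail.conf block on stdin and print the address families it assigns.
# Assumption: one parameter per line; '#' and '//' comment lines are ignored.
jail_families() {
    fams=""
    while read -r line; do
        case "$line" in
            '#'*|'//'*) continue ;;
            ip4.addr*)  fams="$fams inet" ;;
            ip6.addr*)  fams="$fams inet6" ;;
        esac
    done
    echo $fams
}

# Read resolv.conf on stdin; $1 is the family list. Print "ok ADDR" or "unreachable ADDR".
check_resolv() {
    families=" $1 "
    while read -r key addr _rest; do
        [ "$key" = "nameserver" ] || continue
        fam=$(addr_family "$addr")
        case "$families" in
            *" $fam "*) echo "ok $addr" ;;
            *)          echo "unreachable $addr" ;;
        esac
    done
}

JAIL_CONF='hydroshop {
    #ip6.addr = "2001:db8::5";
    ip6.addr = "2001:db8::10";
}'
RESOLV_V4='nameserver 1.1.1.1
nameserver 8.8.8.8'
RESOLV_V6='nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844'

fams=$(printf '%s\n' "$JAIL_CONF" | jail_families)
printf '%s\n' "$RESOLV_V4" | check_resolv "$fams"   # both unreachable
printf '%s\n' "$RESOLV_V6" | check_resolv "$fams"   # both ok
```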
 
root@videotron:~ # pkg -j hydroshop install mysql
Updating FreeBSD repository catalogue...
pkg: http://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/meta.txz: No address record
repository FreeBSD has no meta file, using default settings
pkg: http://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/packagesite.pkg: No address record
pkg: http://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/packagesite.txz: No address record
Unable to update repository FreeBSD
Error updating repositories!
root@videotron:~ #
 
yes it is the host.

My question also would be: is it possible for IPv4 requests to the jail to be made through the host, and the host delivers to the jail based on, for example, the URL request? For example, if an item is sent to a company it might have a unique address but the person who receives it while being a part of that address is distinguished by
 