Ping from inside ezjail failed

Hi there,

as the thread description says, ping from inside ezjail to any server in the internet won't work.
Code:
ping: socket: Operation not permitted

I set # sysctl security.jail.allow_raw_sockets=1 but it also doesn't work.

My rc.conf

Code:
# -- sysinstall generated deltas -- # Sun Apr 11 23:18:56 2010
# Created: Sun Apr 11 23:18:56 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

hostname="localhost.localdomain"
ifconfig_em0="DHCP" #Yes, its DHCP but the assigned IP-Adress wouln't change, so its OK.
ifconfig_em0_alias0="192.168.0.1/32"
ifconfig_em0_alias1="192.168.0.2/32"
ifconfig_em0_alias2="192.168.0.3/32"
keymap="german.iso"
sshd_enable="YES"
syslogd_flags="-s -s"

ezjail_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_logfile="/var/log/pflog"
pf_flags=""
gateway_enable="YES"


My pf.conf
Code:
###INTERFACES
if = "{ lo0,em0 }"

###SETTINGS
set block-policy drop

###OFFENE TCP/UDP-PORTS
tcp_pass = "{ 22 53 80 }"
udp_pass = "{ 22 53 80 }"
icmp_types = "echoreq"

###NORMALISATION
scrub in all

#Jail www
rdr on $if proto tcp from any to any port 10022 -> 192.168.0.1 port 22
rdr on $if proto udp from any to any port 10022 -> 192.168.0.1 port 22
binat on em0 proto tcp from 192.168.0.1 to any -> 10.0.2.15
binat on em0 proto udp from 192.168.0.1 to any -> 10.0.2.15
binat on em0 proto icmp from 192.168.0.1 to any -> 10.0.2.15

#Jail sql
rdr on $if proto tcp from any to any port 10023 -> 192.168.0.2 port 22
rdr on $if proto udp from any to any port 10023 -> 192.168.0.2 port 22
binat on em0 proto tcp from 192.168.0.2 to any -> 10.0.2.15
binat on em0 proto udp from 192.168.0.2 to any -> 10.0.2.15
binat on em0 proto icmp from 192.168.0.2 to any -> 10.0.2.15

antispoof for $if

###TABLES
table <intranet> { 192.168.0.0/24 }
table <bruteforce> persist

###RULES
set skip on lo0
block all
block quick from <bruteforce>
pass in quick from <intranet> to any keep state
pass in on $if proto tcp to any port $tcp_pass keep state
pass in on $if proto udp to any port $udp_pass keep state
pass out quick all keep state


#PING
pass in on $if inet proto icmp all icmp-type $icmp_types keep state

#TRACEROUTE
pass in on $if inet proto udp from any to any port 40000 >< 40100 keep state


Regards
 
You need add some lines in your rc.conf like these
Code:
jail_list="www"
jail_www_rootdir="/usr/jail/www"
jail_www_hostname="www"
jail_www_ip="192.168.0.2"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"
 
Hi,

I added

Code:
jail_list="www"
jail_www_rootdir="/jails/www"
jail_www_hostname="www"
jail_www_ip="192.168.0.1"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"


to my rc.conf and I get the following error messages after # ezjail-admin restart:

Code:
Starting jails: /etc/rc.d/jail: WARNING: defs_set_ruleset: you must specifiy a ruleset number
devfs rule: ioctl DEVFSIO_SAPPLY: No such process

I tried to replace

Code:
jail_www_devfs_ruleset="www_ruleset"
with
Code:
jail_www_devfs_ruleset="devfsrules_www"

and could remove aforesaid warnings/errors.

But ping still doesn't work.

Regards
 
To ping out of a jail you need to allow raw sockets inside the jail first.
Set:
# sysctl security.jail.allow_raw_sockets=1
 
lme@ said:
To ping out of a jail you need to allow raw sockets inside the jail first.
Set:
# sysctl security.jail.allow_raw_sockets=1

Hello @lme,

First of all thank you for your answer.

Unfortunately I'm not able to set # sysctl security.jail.allow_raw_sockets=1 inside the ezjail:

Code:
www# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0
sysctl: security.jail.allow_raw_sockets: Operation not permitted

Regards
 
Last edited by a moderator:
I don't know why...I set # sysctl security.jail.allow_raw_sockets to zero again and then to 1 and used # /usr/local/etc/rc.d/ezjail.sh to restart jails and now it works. I don't get it.

Well anyway thank you for your help and @riku too.

(And soon I can edit my posts and don't need to reply that fast ;-) )
 
Last edited by a moderator:
SirDice said:
You need to set that sysctl before the jails are started.

Hm yah, that might be a good explanation :e. I didn't set security.jail.allow_raw_sockets in /etc/sysctl.conf, but I set ezjail in /etc/rc.conf to start them on boot. With the chances in /etc/sysctl.conf this problem should be solved now.
Thank you too.
 
Set in your ezjail config...

You want this inside your /usr/local/etc/ezjail/example_monkeybrains_net configuration file
Code:
export jail_example_monkeybrains_net_parameters="allow.raw_sockets=1"

The recommended jail -m jid=8 allow.raw_sockets=1 can alter a running jail, but you need to set it in your jail configuration file to make it permanent. And, yes, you need to set up your /etc/sysctl.conf with the security.jail.allow_raw_sockets=1 line as well.
 
Multiple parameters...

Here is the format for multiple parameters (separate with a space):
Code:
export jail_example_monkeybrains_net_parameters="allow.raw_sockets=1 allow.sysvipc=1"

And here is the output after restarting your jail:
Code:
# /usr/local/etc/rc.d/ezjail restart 
# jexec 6 sysctl security.jail | egrep '(allow_raw|sysvipc_allowed)'
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1

PS: I know this thread was closed two years ago, but the advice didn't work for me... changes in the jail system? Not sure, but adding these parameters helps! Find out more about jail configuration by grepping jail out of /etc/defaults/rc.conf!
 
I had a problem, after moving a few jails from FreeBSD 9.1 to 9.2.

Inside jail
Code:
ping: socket: Operation not permitted

Sysctl on host
Code:
security.jail.allow_raw_sockets: 1
Restart jail and ping still not permitted

Added
Code:
export jail_shell_parameters="allow.raw_sockets=1"
Into my jail configuration. After that ping is allowed.

PS. Same problem with chflags, I had to add:
Code:
export jail_shell_parameters="allow.raw_sockets=1 allow.chflags=1"
to allow chflags inside jail.
 
Back
Top