jails can't access internet from within jails

avonix · Jul 15, 2022

/etc/jails.conf:

Code:

firefox {
path = "/root/jails/firefox";
ip4.addr = "10.0.0.201";
host.hostname = "firefox";
interface = "wlan0";
mount.devfs;
allow.raw_sockets;
exec.clean;
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
}

/root/jails/firefox/etc/resolv.conf:

Code:

nameserver 1.1.1.1

I didn't changed anything else. What do I do to get it working?

Lamia · Jul 16, 2022

avonix said:
/etc/resolv.conf:

I didn't changed anything else. What do I do to get it working?

You want to set /etc/resolv.conf for the host too?
How about inserting this line - security.jail.allow_raw_sockets=1 # (default 0) - in /etc/sysctl.conf?

Reference:

sysctl.conf question

Hello, I am in the process of tuning my /etc/sysctl.conf and /boot/loader.conf file and would like some clarification if possible. My setup consists of FreeBSD 10 with 3 jails. On my FreeBSD host I have the following in /etc/sysctl.conf: security.jail.allow_raw_sockets=1 # (default 0)...

forums.freebsd.org

Ping from inside ezjail failed

Hi there, as the thread description says, ping from inside ezjail to any server in the internet won't work. ping: socket: Operation not permitted I set # sysctl security.jail.allow_raw_sockets=1 but it also doesn't work. My rc.conf # -- sysinstall generated deltas -- # Sun Apr 11 23:18:56...

forums.freebsd.org

avonix · Jul 16, 2022

Lamia said:
How about inserting this line - security.jail.allow_raw_sockets=1 # (default 0) - in /etc/sysctl.conf?

tried, doesn't work.

Lamia said:
You want to set /etc/resolv.conf for the host too?

it already exists on my host.

Alain De Vos · Jul 16, 2022

In /etc/jail.conf i have:

Code:

path = "/jails/$name";
host.hostname = "$name";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
persist;
ip4 = inherit;
ip6 = inherit;
mount.devfs;
mount.fdescfs;
enforce_statfs=1;
allow.socket_af;
allow.raw_sockets;

avonix · Jul 16, 2022

Alain De Vos said:
ip4 = inherit;

well, it works with this setting but how do I get it work without giving "unrestricted access to all system addresses"? Why doesn't the default working?

ip4 Control the availability of IPv4 addresses. Possible values are
"inherit" to allow unrestricted access to all system addresses,
"new" to restrict addresses via ip4.addr, and "disable" to stop
the jail from using IPv4 entirely. Setting the ip4.addr parame-
ter implies a value of "new".

avonix · Jul 17, 2022

It worked after I changed the line to

ip4.addr = "wlan0|10.0.0.201"