Can't ping from jails

andrewm659


So I got jails working w/ ezjail on FreeBSD 10.1 but I can't ping from it. I used this kernel parameter to allow networking:

# sysctl security.jail.allow_raw_sockets=1

Not sure if I need this to allow ping to happen...

# sysctl net.inet.ip.forwarding=1

root@asm-monitoring01:~ # cat /etc/sysctl.conf
Code:
# $FreeBSD: releng/10.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.jail.allow_raw_sockets=1
 

junovitch@


What is the output of sysctl security.jail.param.allow.raw_sockets in the jail? What exactly does the ping say?
 
andrewm659

root@asm-monitoring01:~ # cat /etc/sysctl.conf
Code:
# $FreeBSD: releng/10.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.jail.allow_raw_sockets=1
 
andrewm659

root@asm-monitoring01:~ # sysctl security.jail.param.allow.raw_sockets
Code:
security.jail.param.allow.raw_sockets: 0
 

junovitch@


Ah. Sorry, it is actually sysctl security.jail.allow_raw_sockets to view it inside the jail. I believe you just need to add the parameter sysctl(8) I was mentioning. You can do a quick find/replace edit with a command like the following. Just set this for any jails that need to be allowed access to raw sockets.
sed -i '' -e 's/parameters=""/parameters="allow.raw_sockets=1"/g' /usr/local/etc/ezjail/<put_your_jailname_here>
 
andrewm659

Wait, why am I putting it in /usr/local/etc/jails and not /etc/sysctl.conf? I guess I'm a little confused on that.
 

wblock@


ezjail has a configuration file for each jail, kept in /usr/local/etc/ezjail/jailname.
 

junovitch@


andrewm659 said: "Wait, why am I putting it in /usr/local/etc/jails and not /etc/sysctl.conf? I guess I'm a little confused on that."

I want to say setting it globally in /etc/sysctl.conf worked for me in the past. However, I only used this setting for testing and never permanently. Setting it via the sysctl security.jail.param.allow.raw_sockets parameter that is placed in /usr/local/etc/ezjail/jailname is what works on my machine now. I'll speculate that this may be a jail.conf(5) conversion oddity but it is just speculation without getting a range of versions to check.
 

gessel


Remember to restart your jail so the change takes effect:
# service ezjail restart jailname
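
The per-jail edit discussed in this thread, as an added example that is not part of any poster's reply: the sed one-liner only matches an empty parameters="" value, so this sketch reports the current state of a jail's config and refuses to edit when other parameters are already set. It assumes the config line has the form export jail_<name>_parameters="..."; the function names and the sample jail are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes ezjail config lines of the form
#   export jail_<name>_parameters="..."
# State of that line in config file $1:
#   enabled  allow.raw_sockets=1 already present
#   empty    parameters="" (the only case the sed one-liner above changes)
#   other    other parameters set; that sed would silently change nothing
#   missing  no parameters line
raw_sockets_state() {
    line=$(grep -E '^export jail_[A-Za-z0-9_]+_parameters=' "$1" | tail -n 1)
    case $line in
        '')                    echo missing ;;
        *allow.raw_sockets=1*) echo enabled ;;
        *'_parameters=""')     echo empty ;;
        *)                     echo other ;;
    esac
}

# Grant raw sockets to the one jail described by config file $1.
# Returns 0 if enabled (now or already), 2 if no parameters line,
# 3 if other parameters exist and need a manual merge.
enable_raw_sockets() {
    case $(raw_sockets_state "$1") in
        enabled) return 0 ;;
        empty)
            tmp=$(mktemp) || return 1
            sed 's/^\(export jail_[A-Za-z0-9_]*_parameters=\)""$/\1"allow.raw_sockets=1"/' \
                "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner and mode
            rc=$?
            rm -f "$tmp"
            return "$rc" ;;
        other) echo "$1: parameters already set, merge by hand" >&2; return 3 ;;
        *)     echo "$1: no jail_<name>_parameters line" >&2; return 2 ;;
    esac
}

# Constructed sample config (not taken from the thread).
demo_dir=$(mktemp -d)
printf '%s\n' 'export jail_monitor_hostname="monitor"' \
              'export jail_monitor_parameters=""' > "$demo_dir/monitor"
enable_raw_sockets "$demo_dir/monitor"
echo "monitor: $(raw_sockets_state "$demo_dir/monitor")"
```

Running raw_sockets_state over every file in the ezjail config directory also gives a quick inventory of which jails hold the raw-socket privilege.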
 