How to connect to a specific port within a jail

[mamalos]

Hi all,

I have a jailed setup running www/tomcat7. The jail's interface is lo2 with an IPv4 address 192.168.13.3.

# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
www      jsvc       23050 42 tcp4   192.168.13.3:8080     *:*
www      jsvc       23050 43 tcp4   192.168.13.3:8083     *:*
www      jsvc       23050 44 tcp4   192.168.13.3:443      *:*
www      jsvc       23050 45 tcp4   192.168.13.3:8443     *:*
www      jsvc       23050 46 tcp4   192.168.13.3:8009     *:*
mysql    mysqld     22393 13 tcp4   192.168.13.3:3306     *:*
root     sendmail   4099  4  tcp4   192.168.13.3:25       *:*

when I try to telnet my local IP (from within the jail) on any of its listening ports, I get:

# !telnet
telnet 192.168.13.3 3306
Trying 192.168.13.3...
telnet: connect to address 192.168.13.3: Operation not permitted
telnet: Unable to connect to remote host

The same holds if I try to connect to localhost. My /etc/hosts reads:

# cat /etc/hosts
127.0.0.1		localhost localhost.my.domain
192.168.13.3		myip myip.mydomain

If I connect to mysql server using mysql(1) command (using no host arguments) everything works as expected (probably via a socket). The problem is that the application I try to run on tomcat uses a custom configuration that reads a connection url, and no matter what value I give it refuses to connect. If I give an external url, it connects normally, so I assume that it encounters the same problems as the above telnet(1) command (tomcat logs state that it is unable to connect to the db server, and mysql logs confirm that no connection is initiated).

Any advises on what to do? And any explanations as to why the network configuration of the jails functions this way?

Thanx all in advance!

PS. I edited /etc/hosts so that 192.l68.13.3 also accounts for localhost, with no luck.

 

[SirDice]

Firewall that's blocking any outgoing connections from the jail?

 

[mamalos]

...of course you're right again SirDice...

What is embarrassing is that I had checked pflog and it didn't return anything; after reading my config again, there was no log option present....

Thanx again!

 

[SirDice]

Sometimes the solution is staring you right in the face but you need someone else to point it out to you

 

[mamalos]

And I had to put the following rules to /etc/pf.conf:

pass out quick on $tomcat_if from $tomcat_jail_ip to any keep state
pass in quick on $tomcat_if from $tomcat_jail_ip to any keep state

why did I need both in and out? And why did all my connections to outside my jail pass without this pass out rules? Doesn't the traffic pass through lo2 when it refers to an outside host?

 

[mamalos]

Sometimes the solution is staring you right in the face but you need someone else to point it out to you

and you're very right in that...

 

[gkontos]

And I had to put the following rules to /etc/pf.conf:

pass out quick on $tomcat_if from $tomcat_jail_ip to any keep state
pass in quick on $tomcat_if from $tomcat_jail_ip to any keep state

why did I need both in and out? And why did all my connections to outside my jail pass without this pass out rules? Doesn't the traffic pass through lo2 when it refers to an outside host?

It really depends on the options of your pf.conf regarding the lo interface.

You could combine the above into:

pass quick on $tomcat_if from $tomcat_jail_ip to any

keep state is always implied so you don't have to specify it.