I'm using jails to isolate Apache virtual hosts, which works great. The only problem is that internet access from the jails does not work well. For example:
jail# telnet freebsd.org 80
...takes about 10 seconds to resolve the name...
Trying 69.147.83.40...
...takes about a minute here...
telnet: connect to address 69.147.83.40: Operation timed out
However, the strange thing is that sometimes it manages to connect after some 5-10 seconds. Connection to the server's public IP address works without problems.
If I try to run this through truss, I get this:
....
__sysctl(0x7fffffffe7c0,0x4,0x80152e0f0,0x7fffffffe868,0x0,0x0) = 0 (0x0)
socket(PF_INET6,SOCK_DGRAM,17) ERR#43 'Protocol not supported'
socket(PF_INET,SOCK_DGRAM,17) = 3 (0x3)
connect(3,{ AF_INET 69.147.83.40:1 },16) = 0 (0x0)
getsockname(3,{ AF_INET 10.0.0.5:63056 },0x7fffffffe868) = 0 (0x0)
close(3) = 0 (0x0)
fstat(1,{ mode=crw--w---- ,inode=101,size=0,blksize=4096 }) = 0 (0x0)
ioctl(1,TIOCGETA,0xffffdf40) = 0 (0x0)
Trying 69.147.83.40...
write(1,"Trying 69.147.83.40...\n",23) = 23 (0x17)
socket(PF_INET,SOCK_STREAM,6) = 3 (0x3)
getuid(0x2,0x1,0x6,0x80139baac,0xffffffff80ac3f40,0x7fffffffe8a8) = 0 (0x0)
setuid(0x0,0x1,0x6,0x8013263bc,0xffffffff80ac4040,0x7fffffffe8a8) = 0 (0x0)
setsockopt(0x3,0x0,0x3,0x5199e0,0x4,0x7fffffffe8a8) = 0 (0x0)
>> gets stuck here >> connect(3,{ AF_INET 69.147.83.40:80 },16) ERR#60 'Operation timed out'
telnet: write(2,"telnet: ",8) = 8 (0x8)
connect to address 69.147.83.40write(2,"connect to address 69.147.83.40",31) = 31 (0x1f)
: write(2,": ",2) = 2 (0x2)
Jail's /etc/rc.conf:
hostname="support.livecart.com"
network_interfaces=""
Host's /etc/rc.conf:
defaultrouter="67.220.195.137"
hostname="localhost.localdomain"
ifconfig_fxp0="inet 67.220.195.138 netmask 255.255.255.248"
ifconfig_fxp0_alias0="inet 67.220.195.139 netmask 255.255.255.255"
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.0.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.0.0.5 netmask 255.255.255.255"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
# Jails
jail_set_hostname_allow="YES"
jail_enable="YES"
jail_devfs_enable="YES"
jail_procfs_enable="YES"
jail_sysvipc_allow="YES"
jail_socket_unixiproute_only="YES"
ezjail_enable="YES"
/etc/pf.conf:
nat on fxp0 from lo1:network to any -> (fxp0)
/etc/resolv.conf (same for jail and host):
nameserver 206.251.73.9
nameserver 4.2.2.1
sysctl -a | grep jail
security.jail.jailed: 0
security.jail.mount_allowed: 0
security.jail.chflags_allowed: 0
security.jail.allow_raw_sockets: 1
security.jail.enforce_statfs: 2
security.jail.sysvipc_allowed: 1
security.jail.socket_unixiproute_only: 1
security.jail.set_hostname_allowed: 1
Any suggestions would be appreciated.
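One thing worth checking in the pf.conf above, as an added example (my own script, not from the original post or from FreeBSD itself): when the translation target is written as `(fxp0)`, pf expands it to every IPv4 address configured on fxp0, and a multi-address translation target is treated as a round-robin pool, so new outgoing connections from the jail would be translated alternately to 67.220.195.138 and to the 67.220.195.139 alias. The script below parses ifconfig-style output (a constructed sample built from the addresses in the host's rc.conf) and, when the target is ambiguous, prints the same rule pinned to the primary address with the `:0` modifier. `SAMPLE_IFCONFIG`, `nat_target_addrs` and `check_nat_rule` are names I chose for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks whether a pf NAT
# target of the form "(ifname)" expands to more than one address and, if
# so, prints a rule that pins the translation to the primary address.

# Constructed sample in ifconfig(8) format, built from the addresses in
# the host's rc.conf. On a real host, replace it with `ifconfig fxp0`.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 67.220.195.138 netmask 0xfffffff8 broadcast 67.220.195.143
        inet 67.220.195.139 netmask 0xffffffff broadcast 67.220.195.139
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 10.0.0.254 netmask 0xffffff00
        inet 10.0.0.5 netmask 0xffffffff'

# nat_target_addrs IFNAME [IFCONFIG_TEXT]
# Print, one per line, the IPv4 addresses that "(IFNAME)" expands to.
# Defaults to the constructed sample when no ifconfig text is given.
nat_target_addrs() {
    printf '%s\n' "${2:-$SAMPLE_IFCONFIG}" | awk -v ifn="$1" '
        # An interface header line looks like "fxp0: flags=..."; remember it.
        /^[a-zA-Z0-9]+:/ { cur = substr($1, 1, length($1) - 1) }
        # Only "inet" lines count; "inet6" lines are skipped.
        cur == ifn && $1 == "inet" { print $2 }'
}

# check_nat_rule IFNAME [IFCONFIG_TEXT]
# Print the NAT rule for IFNAME. Returns 0 if "(IFNAME)" is a single
# address, 1 (with a warning on stderr and a pinned rule on stdout) if it
# would become a round-robin pool, 2 if the interface has no IPv4 address.
check_nat_rule() {
    ifn=$1
    addrs=$(nat_target_addrs "$ifn" "${2:-$SAMPLE_IFCONFIG}")
    if [ -z "$addrs" ]; then
        echo "error: no inet address found on $ifn" >&2
        return 2
    fi
    n=$(printf '%s\n' "$addrs" | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "warning: ($ifn) expands to $n addresses, pf would round-robin between them:" >&2
        printf '%s\n' "$addrs" | sed 's/^/    /' >&2
        # ":0" tells pf to exclude interface aliases, so only the primary
        # address is used for translation.
        echo "nat on $ifn from lo1:network to any -> ($ifn:0)"
        return 1
    fi
    echo "nat on $ifn from lo1:network to any -> ($ifn)"
}

# Usage: with the sample above this warns and prints the pinned rule,
# because fxp0 carries the .139 alias in addition to .138.
check_nat_rule fxp0 || true
```

On the host, compare the printed rule with `pfctl -sn`, which shows the NAT rule as pf actually loaded it, and use `pfctl -ss` to see which source address each jail connection was translated to. Whether this explains the timeouts depends on whether the upstream router returns traffic for the /32 alias; pinning the translation to 67.220.195.138 removes that variable either way.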