I feel kinda stupid for asking about this since I have read a ton of forum posts/websites, but after spending most of the day on this I simply can't get network access to work with jails. Ping (by IP not hostname to eliminate it being a DNS issue), whois, dig, fetch don't work (I was trying to build some ports in the jail).
I created the following jail with ezjail:
Code:
DR 1 10.0.0.1 CHEROKEE /usr/jails/CHEROKEE
I have set:
Code:
security.jail.allow_raw_sockets: 1
/etc/rc.conf
Code:
ifconfig_re0="DHCP"
ifconfig_xn0="DHCP"
ifconfig_re0_alias0="inet 10.0.0.1 netmask 255.255.255.255"
inetd_enable="YES"
sshd_enable="YES"
ipv6_enable="YES"
# Jails
ezjail_enable="YES"
# Enable port forwarding and packet filtering
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
/etc/pf.conf
Code:
# Interface declarations
ext_if="re0"
all_if="{re0, lo0}"
# Internal network subnet
int_net="10.0.0.0/32"
# Name and IP of webserver
CHEROKEE="10.0.0.1"
# Rule 1:
# redirect any packets requesting port 80 and 443 received on the loopback(lo0)
# device and the external card (re0) to jailed webserver
rdr on $all_if proto tcp from any to re0 port 80 -> $CHEROKEE port 80
rdr on $all_if proto tcp from any to re0 port 443 -> $CHEROKEE port 443
# Rule 2:
# allow jail to access the internet
nat on $ext_if from $CHEROKEE to any -> re0
ifconfig
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether e2:76:63:88:2d:28
inet6 fe80::e076:63ff:fe88:2d28%re0 prefixlen 64 scopeid 0x1
inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1
inet 166.84.136.40 netmask 0xfffffe00 broadcast 166.84.137.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
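An added example, not from the original post: the same pf.conf with the translation address written out explicitly rather than as the interface name. It assumes (from the ifconfig output above) that the point to check is that re0 carries both 10.0.0.1 and 166.84.136.40, and that a bare interface name as a nat target expands to every address on that interface, so part of the jail's outbound traffic would be translated to the unroutable 10.0.0.1 alias.

```pf
# Added example (not the original poster's config): translation address
# pinned to the external address instead of the interface name "re0".
# Assumption: a bare interface name in a nat/rdr target expands to all of
# its addresses, and re0 holds both the jail alias and the public address.
ext_if="re0"
ext_addr="166.84.136.40"   # public address from the ifconfig output; DHCP lease assumed stable
CHEROKEE="10.0.0.1"        # jail address (the /32 alias on re0)
web_ports="{ 80, 443 }"

# Rule 1: forward web traffic arriving at the public address to the jail.
rdr on $ext_if proto tcp from any to $ext_addr port $web_ports -> $CHEROKEE
# Same for connections made locally on the host, so lo0 clients reach the jail too.
rdr on lo0 proto tcp from any to $ext_addr port $web_ports -> $CHEROKEE

# Rule 2: outbound access for the jail, always translated to the public
# address and never to the 10.0.0.1 alias.
nat on $ext_if from $CHEROKEE to any -> $ext_addr

# Checks on the host after editing:
#   pfctl -nf /etc/pf.conf   parse the file without loading it
#   pfctl -f /etc/pf.conf    load it
#   pfctl -s nat             confirm the translation address that pf expanded
```

If the rules are correct but the jail still has no connectivity, `pfctl -s state` while pinging from inside the jail shows whether pf is creating a translated state for the jail's traffic at all.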