Jails: Host should ignore IPs of Jails

Thorny

Developer
Hello,

I have some problems with my jail configuration. I have multiple IPs, where every IP is dedicated to a jail, except the one for the host. My /etc/rc.conf would look like this:
Code:
############
# networks #
############

  ########
  # IPv4 #
  ########

  ifconfig_re0="DHCP media 100baseTX mediaopt full-duplex"
  ifconfig_re0_alias0="inet 176.xxx.xxx.xx1 netmask 255.255.255.224"
  ifconfig_re0_alias1="inet 176.xxx.xxx.xx2 netmask 255.255.255.248"

#########
# jails #
#########

jail_enable="YES"
jail_list="example"      # Space separated list of names of jails

jail_sysvipc_allow="YES" # needed to allow postgresql

jail_example_rootdir="/usr/local/jail/example"
jail_example_hostname="example.de"
jail_example_ip="176.xxx.xxx.xx2"
jail_example_exec="/bin/sh /etc/rc"
jail_example_devfs_enable="YES"
jail_example_mount_enable="NO"

Now I have a webserver installed in the jail, which listens on 176.xxx.xxx.xx2. I also have a webserver on the host, listening on 176.xxx.xxx.xx1. The problem: the webserver of the host system answers all requests! This is not limited to the webserver; it is the same for all applications which exist in both host and jail. The host accepts all requests for the jails and answers them, even if they are for the wrong IP.

Is there a possibility to stop this behavior? How can I configure the host to just accept requests at its own IP?

Thank you for every hint!

Greetings from Germany,
Torsten
 
Instruct the host httpd process to listen only to specific IPs. Use multiple
Code:
Listen 1.2.3.4:80
for all intended IP addresses instead of
Code:
Listen 80
in jail's /usr/local/etc/apache22/httpd.conf.
 
First: I use nginx ;) Second: I have already done this - it doesn't work. Not sure if it's a bug in nginx. Third: this problem exists for all applications: nginx, postfix, svnserve etc. I will check if the listen-address solution works for the other applications.
 
The first thing that I notice is that you are assigning a wrong netmask to your aliased interfaces:

Code:
ifconfig_re0_alias0="inet 176.xxx.xxx.xx1 netmask 255.255.255.255"
ifconfig_re0_alias1="inet 176.xxx.xxx.xx2 netmask 255.255.255.255"

After fixing this, you have to make sure that all your daemons in the host are binding only to re0. Use:

Code:
# sockstat -46

Regards,
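To make the sockstat check above repeatable, here is an added example (not from this thread or from FreeBSD's own tools) that filters `sockstat -46` output for sockets bound to the wildcard address, i.e. the daemons that will also answer on every jail alias. The sample output is constructed and the column layout is assumed to be USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS.

```shell
#!/bin/sh
# Constructed sample of `sockstat -46` output (not captured from a real host):
# nginx and ntpd on the host are bound to "*" (every address, including the
# jail aliases); sshd on the host and nginx in the jail are bound to one IP.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      812   6  tcp4   *:80                  *:*
root     sshd       540   3  tcp4   176.0.0.1:22          *:*
root     nginx      1201  6  tcp4   176.0.0.2:80          *:*
root     ntpd       600   20 udp4   *:123                 *:*'

# Read sockstat output on stdin and print COMMAND:LOCAL ADDRESS for every
# socket whose local address is the wildcard "*". Those are the listeners
# that need an explicit listen/bind address in their configuration.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2 ":" $6 }'
}

# Number of wildcard listeners; 0 means every daemon is bound explicitly.
count_wildcard() {
    wildcard_listeners | wc -l | tr -d ' '
}

# Stand-alone usage: on a live host replace the sample with `sockstat -46 |`.
printf '%s\n' "$SAMPLE" | wildcard_listeners
```

On a live system pipe `sockstat -46` (or `sockstat -46l` for listening sockets only) into `wildcard_listeners` and fix each reported daemon's listen address.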
 
I think the first alias address should have the proper netmask if the first alias address is not in the same network as the main address of the interface. All the following addresses should have netmask 255.255.255.255 as long as they are in the same subnet as the first address.

Code:
ifconfig_re0_alias0="inet 176.xxx.xxx.xx1 netmask 255.255.255.224"
ifconfig_re0_alias1="inet 176.xxx.xxx.xx2 netmask 255.255.255.255"
 
kpa said:
I think the first alias address should have the proper netmask if the first alias address is not in the same network as the main address of the interface. All the following addresses should have netmask 255.255.255.255 as long as they are in the same subnet as the first address.

Right-o. And it's documented as such in ifconfig(8).

@Thorny: normally you put all your end-user services inside jails. The host system (in general) should be running an ssh daemon, an NTP daemon, and little or nothing else, IMO.
 
Thorny said:
Code:
ifconfig_re0_alias1="inet 176.xxx.xxx.xx2 netmask 255.255.255.248"

jail_example_ip="176.xxx.xxx.xx2"

You can remove the ifconfig_re0_alias1, jail_example_ip will create the alias automatically when the jail starts. You may need to add a specific interface:
Code:
jail_example_interface="re0"

Normally services will 'grab' all available addresses and listen on all of them. When dealing with jails this will lead to unexpected side effects, as you already noticed. You will need to configure all of them, inside the jails and on the host, to use a specific IP address.
 
gkontos said:
The first thing that I notice is that you are assigning a wrong netmask to your aliased interfaces:

I must learn more about networks. The configuration I posted was an example; the live configuration uses the correct netmask. :)
 
anomie said:
@Thorny: normally you put all your end-user services inside jails. The host system (in general) should be running an ssh daemon, an NTP daemon, and little or nothing else, IMO.

You're right. Normally I do so. But in this case I just have a very limited number of IPv4-addresses (4 - what a coincidence ;) ) and this very specific scenario. I try to make the best out of it. :(
 
SirDice said:
Normally services will 'grab' all available addresses and listen on all of them. When dealing with jails this will lead to unexpected side effects, as you already noticed. You will need to configure all of them, inside the jails and on the host, to use a specific IP address.

My aim is that every jail has exactly one IP address. The jails should be completely separated.
 
At the very least I'm two steps further. nginx now listens on the correct IP address and ignores all others. In my first try I forgot to set this configuration for one VHost, so it handled all requests of the jails with that VHost. -.-

The svnserve configuration was very easy. My last step is to configure postfix.
 
Thorny said:
My last step is to configure postfix.

Postfix's default configuration in main.cf uses

Code:
inet_interfaces = all

Change (or set) this parameter according to your needs:
Code:
inet_interfaces = 127.0.0.1, 192.168.1.2
 