Need help with jail setup

Hi!

I've recently begun trying to set up a jail for my webserver, and I can't get it to function correctly.

The host is running a jail on a specific IP. It is also used as a firewall for my LAN and the setup looks like this:

Internet <--fxp0--> FreeBSD server (host) <--rl0--> LAN

I have got it running so that it's able to connect from my LAN; it works without any problems (when I type 192.168.1.5:8080 in the browser it accesses the jail). But I can't get it to connect from the Internet. I have configured the firewall/NATd to forward the packets to my jail server address, and since I have other forwarding in place that works it can't be a firewall problem. I investigated (at least as far as I am capable of ;) ) the problem and it seems that packets reach the firewall and get through, but the jail doesn't respond to the initial handshake, and I'm not sure what is causing that.

I would be glad to get some help with this since I've been trying day after day with different configurations.
regards
fisk

My configuration

Host (rl0 = lan, fxp0 = internet):

host: 83.xx.xx.xx
jail: 192.168.1.5

rc.conf (snippet)

Code:
ifconfig_rl0="inet 192.168.0.1  netmask 255.255.255.0"
ifconfig_fxp0="DHCP"
ifconfig_fxp0_alias0="inet 192.168.1.5 netmask 0xffffffff"

gateway_enable="YES"

natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

# Jails
jail_enable="YES"   # Set to NO to disable starting of any jails
jail_list="www"     # Space separated list of names of jails

jail_interface="fxp0"
jail_www_rootdir="/usr/jail/www"     # jail's root directory
jail_www_hostname="www.local"  # jail's hostname
jail_www_ip="192.168.1.5"          # jail's IP address
jail_www_devfs_enable="YES"          # mount devfs in the jail
jail_www_devfs_ruleset="www_ruleset" # devfs ruleset to apply to jail

natd.conf

Code:
#log
#verbose

dynamic     yes
use_sockets yes
same_ports  yes

# Redirections 
redirect_port tcp 192.168.1.5:8080 8080
#redirect_address tcp 192.168.1.5 83.xx.xx.xx

jail:

rc.conf

Code:
network_interfaces=""
rpcbind_enable="NO"
hostname="www.local"
clear_tmp_enable="YES"
securelevel_enable="YES"
kern_securelevel="3"
apache22_enable="YES"

httpd.conf (snippet)

Code:
#Listen 192.168.1.5:8080
Listen 8080

Also, hosts and resolv.conf are updated with correct information.
 
Remove the natd on the host. You don't need it. You also don't need the ifconfig_fxp0_alias, the jail_www_ip already takes care of that.

Change the httpd.conf on the jail to Listen on its IP address.
 
Why won't I need the NATd? The machine is also a gateway between my LAN and the internet (which I didn't mention.. oops). The other changes didn't make much difference :\
 
I think he's saying you do not need natd for the jail itself to work (which is true).

Why is your jail IP bound to an fxp0 alias, rather than a rl0 alias?
 
anomie said:
Why is your jail IP bound to an fxp0 alias, rather than a rl0 alias?

Because fxp0 is facing the Internet. What's the good of letting it be on the LAN card?
 
Attaching the jail to fxp0 is fine. Just use an address in the same range. Forward your external port 8080 to that address and you're done.
 
funkfisk said:
Because fxp0 is facing the Internet. What's the good of letting it be on the LAN card?

192.168/16 is private IP space. Putting it on fxp0 with a 0xffffffff (/32) netmask does not make sense. You only use such a netmask for an alias if they're on the same subnet. If they're not on the same subnet, you need to use a proper netmask (or bind it to rl0 like I said).

If you have a second internet-routable IP address, then SirDice's solution is nice and clean. If you don't, then I guess NAT will be your approach after all.
 
anomie said:
If you have a second internet-routable IP address, then SirDice's solution is nice and clean. If you don't, then I guess NAT will be your approach after all.

I've been trying to use redirect_address on the NATd from my Internet address to 192.168.1.5 on the fxp0 side, and that didn't work. So using the NATd to redirect to the rl0 (LAN) side of the gateway should do the trick?

I'm quite new to networking but I'm trying to learn as time goes, and I'm not totally sure about the task of subnet masks, but since this seems to be the issue I should research a bit more.
 
funkfisk said:
I'm quite new to networking but I'm trying to learn as time goes, and I'm not totally sure about the task of subnet masks, but since this seems to be the issue I should research a bit more.

Yes, you really need to have at least a basic understanding of TCP/IP and how it works ;)

Probably not the easiest to understand but there's an actual RFC for it: RFC-1180.
 
Also, please check my netmask comment again. If you add an IP alias to an interface with an IP on the same subnet, your netmask is OK as is. If you add an IP alias to an interface with an IP on a different subnet, you must use a real netmask.

Assuming you do not have another internet-routable IP, I still think the most logical method is to keep your existing jail IP/netmask, but put it on the rl0 interface. YMMV.
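The netmask rule from the two posts above, written out as an added POSIX sh check (this is not code from the thread or from FreeBSD's own rc scripts). It takes an interface's address and netmask plus the alias you intend to add, and reports whether a host mask (/32, 0xffffffff) is acceptable there, or whether the alias sits outside that subnet and so needs a real netmask or a different interface. The host's public address is a placeholder (192.0.2.10/24) because the thread only shows 83.xx.xx.xx; the other addresses are the ones posted. Run on those numbers it flags the fxp0 alias, and it also shows that 192.168.1.5 is not inside rl0's 192.168.0.0/24 either, so the alias only fits rl0 once the jail is given an address in that range.

```shell
#!/bin/sh
# Added example: subnet sanity check for a jail IP alias before starting it.
# Addresses below are from the thread except 192.0.2.10, a placeholder for
# the host's real (undisclosed) Internet address.

# ip2int: dotted-quad IPv4 address -> 32-bit integer (decimal on stdout).
# Octets must be plain decimal (a leading 0 would be read as octal).
ip2int() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    [ $# -eq 4 ] || { echo "ip2int: bad address" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask2int: netmask written as 0xffffffff, 255.255.255.0 or a prefix
# length (24) -> 32-bit integer.
mask2int() {
    case $1 in
        0x*) echo $(( $1 )) ;;
        *.*) ip2int "$1" ;;
        0)   echo 0 ;;
        *)   echo $(( (0xffffffff << (32 - $1)) & 0xffffffff )) ;;
    esac
}

# same_subnet IFACE_IP IFACE_MASK ALIAS_IP
# Exit status 0 when ALIAS_IP lies inside the subnet IFACE_IP/IFACE_MASK.
same_subnet() {
    _ip=$(ip2int "$1"); _m=$(mask2int "$2"); _a=$(ip2int "$3")
    [ $(( _ip & _m )) -eq $(( _a & _m )) ]
}

# check_alias IFACE_IP IFACE_MASK ALIAS_IP ALIAS_MASK
# Prints one word:
#   ok-same-subnet  alias is on the interface's own subnet; a /32 mask is fine
#   ok-new-subnet   alias opens a second subnet on the card with a real netmask
#   bad-host-mask   /32 alias outside the interface's subnet: nothing is
#                   routed to it, which is the broken fxp0 setup in the thread
check_alias() {
    _am=$(mask2int "$4")
    if same_subnet "$1" "$2" "$3"; then
        echo ok-same-subnet
    elif [ "$_am" -eq $(( 0xffffffff )) ]; then
        echo bad-host-mask
    else
        echo ok-new-subnet
    fi
}

# pick_interface JAIL_IP IFACE IP MASK [IFACE IP MASK ...]
# Prints the first interface whose subnet contains JAIL_IP, or "none"
# (then either use a real netmask, renumber the jail, or clone lo0).
pick_interface() {
    _jail=$1; shift
    while [ $# -ge 3 ]; do
        if same_subnet "$2" "$3" "$_jail"; then
            echo "$1"; return 0
        fi
        shift 3
    done
    echo none
}

# Demonstration on the thread's own values (public address is a placeholder).
echo "fxp0 alias 192.168.1.5/32: $(check_alias 192.0.2.10 255.255.255.0 192.168.1.5 0xffffffff)"
echo "rl0  alias 192.168.1.5/32: $(check_alias 192.168.0.1 255.255.255.0 192.168.1.5 0xffffffff)"
echo "rl0  alias 192.168.0.5/32: $(check_alias 192.168.0.1 255.255.255.0 192.168.0.5 0xffffffff)"
echo "interface for 192.168.0.5: $(pick_interface 192.168.0.5 rl0 192.168.0.1 255.255.255.0 fxp0 192.0.2.10 255.255.255.0)"
```

On a real host the interface address and mask would come from `ifconfig` output rather than be typed in, and the jail address from the `jail_www_ip` line in rc.conf; the point of the check is the same one anomie makes: an alias with a host mask is only reachable if the interface already has a route for that subnet.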
 
Another option is to clone lo0 and attach the jail to that (lo1).
 
Seems like I got it to work after putting it on rl0 with the internal network address. Thank you both for giving me more insight into the wonderful world of internets :) :beergrin
 