[Solved] No internet connection from jail.

I have no internet connection from the jail.
DNS lookup to the host's unbound cache (address in resolv.conf) works, drilling is possible.

However, in the jail I cannot make any external internet connection at all.

I made sure that no firewall is running, either on the host or in the jail. I even set security.jail.allow_raw_sockets=1 in the host's sysctl.conf.

In spite of all this I get a complaint even on the simplest ping:
Code:
# ping 127.0.0.1
ping: ssend socket: Operation not permitted
#

Any idea?

Edit:
ifconfig from the jail:
Code:
# ifconfig
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
   ether 00:15:17:6f:b3:c3
   inet 192.168.178.102 netmask 0xffffffff broadcast 192.168.178.102
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   groups: lo
#
ifconfig from the host:
Code:
# ifconfig
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
   ether 00:15:17:6f:b3:c3
   inet 192.168.178.29 netmask 0xffffff00 broadcast 192.168.178.255
   inet 192.168.178.102 netmask 0xffffffff broadcast 192.168.178.102
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet 127.0.0.1 netmask 0xff000000
   groups: lo
#
host rc.conf:
Code:
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="noname"
ifconfig_em1="inet 192.168.178.29 netmask 255.255.255.0"
defaultrouter="192.168.178.1"
moused_enable="YES"
# ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
local_unbound_enable="YES"
jail_enable="YES"
host jail.conf:
Code:
www80 {
  path = "/usr/home/j/www80";
  mount.devfs;
  host.hostname = "www";
  host.domainname = "example.com";
  ip4.addr = "192.168.178.102";
  interface = "em1";
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
}
host sysctl.conf:
Code:
#security.bsd.see_other_uids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.bsd.stack_guard_page=1
security.jail.allow_raw_sockets=1
 
Hi Snurg,

Did you also add the DNS to the jail's resolv.conf?

The ezjail entry in the handbook has a section with the steps one needs to take in a jail so it works; maybe that will help you.

Regards Stig
 
For ping to work, try adding allow.raw_sockets to your jail.conf and restarting the jail.
Per jail(8):
allow.*
    Some restrictions of the jail environment may be set on a per-jail basis. With the exception of allow.set_hostname, these boolean parameters are off by default.

Otherwise, if ping is not needed and assuming /etc/resolv.conf is correct in the jail, try to telnet somewhere; it's probably working fine. I.e., this is from my bacula jail:
Code:
# ping www.google.com
ping: socket: Operation not permitted
# telnet www.google.com 80
Trying 216.58.194.164...
Connected to www.google.com.
Escape character is '^]'.
GET /
HTTP/1.0 200 OK
Date: Tue, 30 Aug 2016 20:38:39 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
 
Thank you stig, leebrown66 and wblock@!

Did you also add the DNS to the Jails resolv.conf?
Yes, I had the host's IP in there. Changed this to 8.8.8.8 and bingo! It turned out that in unbound.conf, in the server: section, the directive access-control: 192.168.178.0/24 was missing. This explained why unbound didn't reply to the jail's query.

... try adding allow.raw_sockets to your jail.conf ...
Cool! That did the trick!
Didn't know that one must allow raw sockets not only in sysctl.conf, but in jail.conf also. That's good, so raw sockets can be reserved for jails that actually need them.

Thank you, I read this page before but it didn't help me much.
I want to learn about working with the config files themselves.
ezjail may make things simpler. I started with it.
But then I learned that it works the old, probably soon-deprecated way (jail definitions in rc.conf instead of modern jail.conf) and that the jail instructions in the handbook are for FreeBSD until 9.x.
So I started over and read through the web and the man pages.
So much stuff at once! So I didn't read carefully enough the details Stig and Lee pointed me at. :oops:

Thanks again stig, leebrown66 and wblock@ :)

P.S.: How can I mark this thread as "Solved"?
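Since the thread's lesson is that raw sockets are granted per jail in jail.conf (not just by the host sysctl), here is an added audit script, not from the thread or from FreeBSD itself, in POSIX sh: it lists which jails in a jail.conf-style file set allow.raw_sockets, so the privilege can be confirmed to be limited to the jails that need it. The sample jail.conf below is constructed (the www80 block follows the one posted above; the "monitor" jail is invented for contrast).

```shell
#!/bin/sh
# Audit which jails in a jail.conf grant raw sockets (allow.raw_sockets).
# Constructed sample input: www80 (as in the thread, no raw sockets) and a
# hypothetical "monitor" jail that opts in with a bare "allow.raw_sockets;".
SAMPLE_JAIL_CONF='www80 {
  path = "/usr/home/j/www80";
  mount.devfs;
  host.hostname = "www";
  ip4.addr = "192.168.178.102";
  interface = "em1";
  exec.start = "/bin/sh /etc/rc";
  exec.stop = "/bin/sh /etc/rc.shutdown";
}
monitor {
  path = "/usr/home/j/monitor";
  ip4.addr = "192.168.178.103";
  allow.raw_sockets;
}
'

# raw_socket_report <file>: print one "name yes|no" line per jail block.
raw_socket_report() {
    awk '
        # "name {" opens a jail block: remember the name, assume "no".
        /^[A-Za-z0-9_.-]+[[:space:]]*\{/ { name = $1; sub(/\{.*/, "", name); raw = "no"; next }
        # bare "allow.raw_sockets;" or "allow.raw_sockets = 1|true;" enables it
        /^[[:space:]]*allow\.raw_sockets[[:space:]]*(=[[:space:]]*(1|true))?[[:space:]]*;/ { raw = "yes" }
        # an explicit "= 0" or "= false" keeps it off
        /^[[:space:]]*allow\.raw_sockets[[:space:]]*=[[:space:]]*(0|false)[[:space:]]*;/ { raw = "no" }
        # closing brace ends the block: report it
        /^\}/ { print name, raw }
    ' "$1"
}

# raw_socket_enabled <file> <jail>: exit 0 if that jail grants raw sockets.
raw_socket_enabled() {
    raw_socket_report "$1" | awk -v j="$2" '$1 == j && $2 == "yes" { found = 1 } END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed file: prints "www80 no" and "monitor yes".
tmp=$(mktemp)
printf '%s' "$SAMPLE_JAIL_CONF" > "$tmp"
raw_socket_report "$tmp"
rm -f "$tmp"
```

On a real host the same report can be run against /etc/jail.conf to confirm that only the intended jails carry the parameter.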
 