Ping from inside ezjail failed

Werner


Hi there,

As the thread title says, ping from inside ezjail to any server on the internet won't work.
Code:
ping: socket: Operation not permitted

I set # sysctl security.jail.allow_raw_sockets=1, but that doesn't work either.

My rc.conf

Code:
# -- sysinstall generated deltas -- # Sun Apr 11 23:18:56 2010
# Created: Sun Apr 11 23:18:56 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

hostname="localhost.localdomain"
ifconfig_em0="DHCP" #Yes, it's DHCP, but the assigned IP address wouldn't change, so it's OK.
ifconfig_em0_alias0="192.168.0.1/32"
ifconfig_em0_alias1="192.168.0.2/32"
ifconfig_em0_alias2="192.168.0.3/32"
keymap="german.iso"
sshd_enable="YES"
syslogd_flags="-s -s"

ezjail_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_logfile="/var/log/pflog"
pf_flags=""
gateway_enable="YES"


My pf.conf
Code:
###INTERFACES
if = "{ lo0,em0 }"

###SETTINGS
set block-policy drop

###OPEN TCP/UDP PORTS
tcp_pass = "{ 22 53 80 }"
udp_pass = "{ 22 53 80 }"
icmp_types = "echoreq"

###NORMALISATION
scrub in all

#Jail www
rdr on $if proto tcp from any to any port 10022 -> 192.168.0.1 port 22
rdr on $if proto udp from any to any port 10022 -> 192.168.0.1 port 22
binat on em0 proto tcp from 192.168.0.1 to any -> 10.0.2.15
binat on em0 proto udp from 192.168.0.1 to any -> 10.0.2.15
binat on em0 proto icmp from 192.168.0.1 to any -> 10.0.2.15

#Jail sql
rdr on $if proto tcp from any to any port 10023 -> 192.168.0.2 port 22
rdr on $if proto udp from any to any port 10023 -> 192.168.0.2 port 22
binat on em0 proto tcp from 192.168.0.2 to any -> 10.0.2.15
binat on em0 proto udp from 192.168.0.2 to any -> 10.0.2.15
binat on em0 proto icmp from 192.168.0.2 to any -> 10.0.2.15

antispoof for $if

###TABLES
table <intranet> { 192.168.0.0/24 }
table <bruteforce> persist

###RULES
set skip on lo0
block all
block quick from <bruteforce>
pass in quick from <intranet> to any keep state
pass in on $if proto tcp to any port $tcp_pass keep state
pass in on $if proto udp to any port $udp_pass keep state
pass out quick all keep state


#PING
pass in on $if inet proto icmp all icmp-type $icmp_types keep state

#TRACEROUTE
pass in on $if inet proto udp from any to any port 40000 >< 40100 keep state


Regards
 

riku


You need to add some lines to your rc.conf like these:
Code:
jail_list="www"
jail_www_rootdir="/usr/jail/www"
jail_www_hostname="www"
jail_www_ip="192.168.0.2"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"
 

Werner


Hi,

I added

Code:
jail_list="www"
jail_www_rootdir="/jails/www"
jail_www_hostname="www"
jail_www_ip="192.168.0.1"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"


to my rc.conf and I get the following error messages after # ezjail-admin restart:

Code:
Starting jails: /etc/rc.d/jail: WARNING: defs_set_ruleset: you must specifiy a ruleset number
devfs rule: ioctl DEVFSIO_SAPPLY: No such process

I tried to replace

Code:
jail_www_devfs_ruleset="www_ruleset"
with
Code:
jail_www_devfs_ruleset="devfsrules_www"

which removed the aforementioned warnings/errors.

But ping still doesn't work.

Regards
 

lme@


To ping out of a jail you need to allow raw sockets inside the jail first.
Set:
# sysctl security.jail.allow_raw_sockets=1
 

Werner


lme@ said:
To ping out of a jail you need to allow raw sockets inside the jail first.
Set:
# sysctl security.jail.allow_raw_sockets=1

Hello @lme,

First of all thank you for your answer.

Unfortunately, I'm not able to set # sysctl security.jail.allow_raw_sockets=1 inside the ezjail:

Code:
www# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0
sysctl: security.jail.allow_raw_sockets: Operation not permitted

Regards
 

Werner


I don't know why... I set # sysctl security.jail.allow_raw_sockets to zero again and then to 1, used # /usr/local/etc/rc.d/ezjail.sh to restart the jails, and now it works. I don't get it.

Well, anyway, thank you for your help, and @riku too.

(And soon I can edit my posts and don't need to reply that fast ;-) )
 

SirDice


You need to set that sysctl before the jails are started.
 

Werner


SirDice said:
You need to set that sysctl before the jails are started.

Hm yah, that might be a good explanation :e. I didn't set security.jail.allow_raw_sockets in /etc/sysctl.conf, but I set ezjail in /etc/rc.conf to start them on boot. With the changes in /etc/sysctl.conf this problem should be solved now.
Thank you too.
 

Rudy


Set in your ezjail config...

You want this inside your /usr/local/etc/ezjail/example_monkeybrains_net configuration file
Code:
export jail_example_monkeybrains_net_parameters="allow.raw_sockets=1"

The recommended jail -m jid=8 allow.raw_sockets=1 can alter a running jail, but you need to set it in your jail configuration file to make it permanent. And, yes, you need to set up your /etc/sysctl.conf with the security.jail.allow_raw_sockets=1 line as well.
 

Rudy


Multiple parameters...

Here is the format for multiple parameters (separate with a space):
Code:
export jail_example_monkeybrains_net_parameters="allow.raw_sockets=1 allow.sysvipc=1"

And here is the output after restarting your jail:
Code:
# /usr/local/etc/rc.d/ezjail restart 
# jexec 6 sysctl security.jail | egrep '(allow_raw|sysvipc_allowed)'
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1

PS: I know this thread was closed two years ago, but the advice didn't work for me... changes in the jail system? Not sure, but adding these parameters helps! Find out more about jail configuration by grepping jail out of /etc/defaults/rc.conf!
 

mad0


I had a problem after moving a few jails from FreeBSD 9.1 to 9.2.

Inside jail
Code:
ping: socket: Operation not permitted

Sysctl on host
Code:
security.jail.allow_raw_sockets: 1
Restarted the jail, and ping is still not permitted.

Added
Code:
export jail_shell_parameters="allow.raw_sockets=1"
into my jail configuration. After that, ping is allowed.

PS. Same problem with chflags, I had to add:
Code:
export jail_shell_parameters="allow.raw_sockets=1 allow.chflags=1"
to allow chflags inside the jail.
 
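A host-side check for the two settings the thread converges on (the security.jail.allow_raw_sockets sysctl on the host, and the allow.raw_sockets=1 parameter in the per-jail ezjail configuration that Rudy and mad0 describe), as an added example that is not from any post in this thread: it reads the export jail_<name>_parameters="..." line of an ezjail config file, lists every allow.* parameter the jail is granted (each one widens what the jail may do beyond the defaults, which is why a reviewer wants the full list), and checks a sysctl.conf-style file for the host setting. The jail name example_jail, the file names and the sample file contents are constructed for the example; point the functions at the real /usr/local/etc/ezjail/<jail> and /etc/sysctl.conf files to use it.

```shell
#!/bin/sh
# Added example, not from the thread: audit an ezjail configuration file for
# the allow.* parameters it grants and check that the host sysctl.conf also
# enables security.jail.allow_raw_sockets. The jail name, file names and
# file contents below are constructed samples.

# Print the contents of the export jail_<name>_parameters="..." line of an
# ezjail config file, or nothing if the file has no such line.
jail_parameters() {
    # $1 = ezjail config file
    sed -n 's/^export jail_[A-Za-z0-9_]*_parameters="\([^"]*\)".*$/\1/p' "$1" | head -n 1
}

# Succeed when parameter $2 (e.g. allow.raw_sockets) is set to 1 in config $1.
jail_param_enabled() {
    for kv in $(jail_parameters "$1"); do
        [ "$kv" = "$2=1" ] && return 0
    done
    return 1
}

# List every allow.* parameter the config enables, one per line.
jail_allow_list() {
    for kv in $(jail_parameters "$1"); do
        case "$kv" in
            allow.*=1) printf '%s\n' "${kv%=1}" ;;
        esac
    done
}

# Succeed when a sysctl.conf-style file sets security.jail.allow_raw_sockets=1
# (the host-side setting that must be in place before the jails start).
host_raw_sockets_enabled() {
    grep -Eq '^[[:space:]]*security\.jail\.allow_raw_sockets[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Combined check: both the host sysctl and the per-jail parameter have to be
# set for ping to work inside the jail. Reports what is missing; exit status
# 0 only when both are present.
audit_raw_sockets() {
    # $1 = ezjail config file, $2 = sysctl.conf
    ok=0
    if host_raw_sockets_enabled "$2"; then
        echo "host: security.jail.allow_raw_sockets=1 present in $2"
    else
        echo "host: security.jail.allow_raw_sockets=1 missing from $2"; ok=1
    fi
    if jail_param_enabled "$1" allow.raw_sockets; then
        echo "jail: allow.raw_sockets=1 granted in $1"
    else
        echo "jail: allow.raw_sockets=1 not granted in $1 (ping reports 'Operation not permitted')"; ok=1
    fi
    return $ok
}

# Constructed sample files standing in for /usr/local/etc/ezjail/<jail> and
# /etc/sysctl.conf; they are removed when the shell exits.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/example_jail" <<'EOF'
export jail_example_jail_hostname="example.jail"
export jail_example_jail_ip="192.168.0.1"
export jail_example_jail_parameters="allow.raw_sockets=1 allow.chflags=1"
EOF
cat > "$SAMPLE_DIR/sysctl_ok.conf" <<'EOF'
security.jail.allow_raw_sockets=1
EOF
cat > "$SAMPLE_DIR/sysctl_missing.conf" <<'EOF'
security.jail.allow_raw_sockets=0
EOF

echo "allow.* parameters granted to example_jail:"
jail_allow_list "$SAMPLE_DIR/example_jail"
audit_raw_sockets "$SAMPLE_DIR/example_jail" "$SAMPLE_DIR/sysctl_ok.conf"
```

The parameters line is parsed rather than queried live so the check can run against a backup or a config review before the jail is ever started; on a running system, jls(8) with a parameter name (for example jls -j <jail> allow.raw_sockets) shows what the kernel actually applied, which is the value to compare against.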