[SOLVED] cannot access my jails

Hello everyone,

I have a webjail and a database jail set up on FreeBSD 10 ZFS...
I can start the jails with no problem but I am unable to access them..

Webjail:
When I use lynx localhost within the jail, I can see the page, so I know the server is up and running.
Outside the jail, if I do http://hostname or http://ipaddress, nothing happens.
The problem is the same if I disable PF

databasejail
How can I perform the following operation, as the zabbix server is on the host and mysql on the jail?
cat schema/mysql.sql data/data.sql data/images_mysql.sql | mysql -u zabbix -p zabbix

Could anyone point me in the right direction, please?
 
Re: cannot access my jails

Jails don't have a localhost so I think you may have configured something incorrectly. How did you set up the jails? Did you make sure all your daemons are bound to specific IP addresses?
 
Re: cannot access my jails

SirDice said:
Jails don't have a localhost so I think you may have configured something incorrectly. How did you set up the jails? Did you make sure all your daemons are bound to specific IP addresses?
Hi @SirDice,

The jails were created following this post https://forums.freebsd.org/viewtopic.php?f=39&t=30063&p=247488#p247488
How do I bind the daemons to a specific IP? Is that done on the host or the jail? Could you provide an example?
I have set the following in sshd_config for the jail, if that's what you mean
Code:
ListenAddress 192.168.0.115


Thank you
 
Re: cannot access my jails

fred974 said:
I have set the following in sshd_config for the jail, if that's what you mean
Code:
ListenAddress 192.168.0.115
Yes, that's exactly what I meant. By default most daemons will listen on all IP addresses, including those of the host and other jails.

What IP addresses are used on the host and on what interface did you bind the jails to?
 
Re: cannot access my jails

You should have an /etc/jails.conf which will have the name of a jail and its IP address.

Something like
Code:
myjail {
	path = /jails/myjail;
	mount.devfs;
	devfs_ruleset = 4;
	host.hostname = myjail.example.com;
	ip4.addr = 192.168.1.51;
	exec.start = "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
}

(In your case, the address would be 192.168.0.115, but you get the idea.) Do you have such a file?
 
Re: cannot access my jails

@SirDice
This is what I have in /etc/rc.conf
Code:
### external network configuration ###
hostname="FreeBSD.mydomain.com"
ifconfig_bge0="inet 192.168.0.145 netmask 255.255.255.0"
defaultrouter="192.168.0.1"

### internal network configuration Jail interface aliases ###
gateway_enable="YES"
cloned_interfaces="lo1"
ifconfig_lo1="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 192.168.0.115 netmask 255.255.255.0" # webjail
ifconfig_lo1_alias1="inet 192.168.0.120 netmask 255.255.255.0" # sqljail
ifconfig_lo1_alias2="inet 192.168.0.125 netmask 255.255.255.0" # mailjail

I have set the following in sshd_config for the host
Code:
ListenAddress 192.168.0.145

@scottro, I haven't got a /etc/jails.conf file... Do we need that file for ezjail? I'll set this now and let you know
 
Re: cannot access my jails

Your lo1 and bge0 interfaces have the same IP address. That's never going to work. If you want to use the same IP range for your jails just bind them to bge0.
 
Re: cannot access my jails

SirDice said:
Your lo1 and bge0 interfaces have the same IP address. That's never going to work. If you want to use the same IP range for your jails just bind them to bge0.

More precisely said the two addresses are not exactly the same but are in the same subnet, 192.168.0.0/24. Routing is not possible between two overlapping subnets in general so that's why traffic is not passing between the lo1 and bge0 interfaces.
 
Re: cannot access my jails

kpa said:
More precisely said the two addresses are not exactly the same but are in the same subnet, 192.168.0.0/24.
I must be going blind, I honestly thought they were the same. You're absolutely correct.

Routing is not possible between two overlapping subnets in general so that's why traffic is not passing between the lo1 and bge0 interfaces.
That's exactly the reason why it's not working.
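
The overlap diagnosed above can be checked mechanically before restarting the network. The following is an added example, not part of the original thread: it parses `ifconfig_*` lines from rc.conf text and reports addresses on different interfaces whose subnets overlap. The sample inputs are abridged from the configuration posted in this thread; the function names are hypothetical, and only dotted-quad netmasks are handled.

```python
import ipaddress
import re
from itertools import combinations

# Sample input: rc.conf lines as posted earlier in this thread (abridged).
RC_CONF_BEFORE = '''\
ifconfig_bge0="inet 192.168.0.145 netmask 255.255.255.0"
cloned_interfaces="lo1"
ifconfig_lo1="inet 192.168.0.254 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 192.168.0.115 netmask 255.255.255.0" # webjail
ifconfig_lo1_alias1="inet 192.168.0.120 netmask 255.255.255.0" # sqljail
'''

# The layout the thread settles on: jail addresses as aliases on bge0.
RC_CONF_AFTER = '''\
ifconfig_bge0="inet 192.168.0.145 netmask 255.255.255.0"
ifconfig_bge0_alias0="inet 192.168.0.115 netmask 255.255.255.0" # webjail
ifconfig_bge0_alias1="inet 192.168.0.120 netmask 255.255.255.0" # sqljail
'''

# Matches ifconfig_<if>="inet A netmask M" and ifconfig_<if>_aliasN="...".
IFCONFIG_RE = re.compile(
    r'^ifconfig_([A-Za-z]+\d+)(?:_alias\d+)?="inet\s+(\S+)\s+netmask\s+(\S+)"'
)

def parse_rc_conf(text):
    """Return [(interface, IPv4Interface)] for every inet line found."""
    found = []
    for line in text.splitlines():
        m = IFCONFIG_RE.match(line.strip())
        if m:
            ifname, addr, mask = m.groups()
            found.append((ifname, ipaddress.ip_interface(f"{addr}/{mask}")))
    return found

def overlapping_subnets(text):
    """Pairs of addresses on different interfaces whose subnets overlap."""
    hits = []
    for (if_a, a), (if_b, b) in combinations(parse_rc_conf(text), 2):
        # Aliases inside one interface's own subnet are normal; skip them.
        if if_a != if_b and a.network.overlaps(b.network):
            hits.append((if_a, str(a), if_b, str(b)))
    return hits

if __name__ == "__main__":
    for if_a, a, if_b, b in overlapping_subnets(RC_CONF_BEFORE):
        print(f"overlap: {if_a} {a} <-> {if_b} {b}")
    print("after fix:", overlapping_subnets(RC_CONF_AFTER))
```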
 
Re: cannot access my jails

OK, so if I understood correctly I should do one of the following:

Code:
# Jail interface aliases
ifconfig_bge0_alias0="inet 192.168.1.115 netmask 255.255.255.0" # webjail
ifconfig_bge0_alias1="inet 192.168.1.120 netmask 255.255.255.0" # sqljail
ifconfig_bge0_alias2="inet 192.168.1.125 netmask 255.255.255.0" # mailjail
OR
Code:
cloned_interfaces="lo1"
ifconfig_lo1="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_lo1_alias0="inet 10.1.1.2 netmask 255.255.255.255" # webjail
ifconfig_lo1_alias1="inet 10.1.1.3 netmask 255.255.255.255" # sqljail
ifconfig_lo1_alias2="inet 10.1.1.4 netmask 255.255.255.255" # mailjail
Is my understanding correct?
Which of the 2 versions is better?
Do I need to rebuild the jail from scratch again to make the changes?
 
Re: cannot access my jails

Your bge0 has an address in the 192.168.0.0/24 range, add jail addresses from that same subnet if you're going to bind your jails to bge0.
 
Re: cannot access my jails

Do you mean changing
Code:
ifconfig_bge0_alias0="inet 192.168.1.115 netmask 255.255.255.0" # webjail
for
Code:
ifconfig_bge0_alias0="inet 192.168.0.115 netmask 255.255.255.0" # webjail
etc...

What is the big deal with all the tutorials using cloned interface?
 
Re: cannot access my jails

Yes, that's correct.

Using cloned interfaces can be helpful if you only have one (external) IP address. But you're on a LAN so it shouldn't be a problem simply adding the addresses. Using cloned interfaces is still possible but will make the configuration unnecessarily complex.
 
Re: cannot access my jails

SirDice said:
Yes, that's correct.

Using cloned interfaces can be helpful if you only have one (external) IP address. But you're on a LAN so it shouldn't be a problem simply adding the addresses. Using cloned interfaces is still possible but will make the configuration unnecessarily complex.

Cool thank you very much, I'll make the changes and let you know.. I take it I no longer need
Code:
 gateway_enable="YES"
Will updating the IP address in /etc/jails.conf be enough or do I need to delete the jail and start again?
 
Re: cannot access my jails

fred974 said:
I take it I no longer need
Code:
 gateway_enable="YES"
Yes, it's not needed any more because you're not routing traffic between interfaces.

Will updating the IP address in /etc/jails.conf be enough or do I need to delete the jail and start again?
You can change the IP address, you don't need to re-create the jail. In the same way you can change the IP address on the host without having to re-install the OS.
 
Re: cannot access my jails

Thank you all for your support, since I changed the network configuration, I can access the website externally:)
 