[solved] loopback in jail aliased on lo0

My jail is on an alias of lo0 (like 127.0.0.8/32). But because it resides on lo0, the jail does not show a loopback. This is a problem because I want to lock down the jail's inbound/outbound packets by port, but the jail-enabled processes need loopback to function (?). What are the alternative solutions to this problem? Maybe I could (from most preferable to least):
  a. Create a virtual loopback in the jail (I have no idea how, or even if it is possible).
  b. Specify static ports for services that need loopback, then allow those ports in pf.conf.
  c. Use a cloned interface instead of an alias for each jail (lo1, lo2, etc.).
Any other ideas?
 
Re: loopback in jail aliased on lo0

Jails never have a lo0, even if you bind the jail to a physical network adapter. For local IPC I would use a file socket instead of a network socket.
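As an added illustration of the question above and of the reply's suggestion (example code, not from either poster), here is a small Python probe to run inside the jail that reports which local-IPC paths actually work: a TCP listener on 127.0.0.1, reading back the address the kernel really bound it to (a classic, non-VNET jail silently maps 127.0.0.1 to the jail's first ip4.addr, so this shows which address:port pf will see), optionally the jail's own address, and a Unix-domain socket, which never crosses an interface and so is untouched by per-port pf rules. The function names, the temporary socket path and the optional jail-IP argument are this example's own assumptions.

```python
"""Probe which local-IPC paths work from inside a (non-VNET) FreeBSD jail.

Added example: not code from the thread. Run it inside the jail, optionally
passing the jail's ip4.addr as the first argument.
"""
import os
import socket
import sys
import tempfile


def tcp_loopback_probe(bind_addr="127.0.0.1"):
    """Bind a TCP listener on bind_addr, read back the address the kernel
    actually assigned, then complete a connect/accept to it.

    Inside a non-VNET jail the kernel rewrites 127.0.0.1 to the jail's first
    IPv4 address, so `effective_ip` is the address a pf rule must match.
    Returns (effective_ip, effective_port, connected).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((bind_addr, 0))          # port 0: let the kernel pick one
        srv.listen(1)
        eff_ip, eff_port = srv.getsockname()[:2]
        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        cli.settimeout(2)
        try:
            cli.connect((eff_ip, eff_port))
            conn, _ = srv.accept()
            conn.close()
            connected = True
        except OSError:                   # refused, blocked by pf, or timed out
            connected = False
        finally:
            cli.close()
        return eff_ip, eff_port, connected
    except OSError:                       # bind itself failed (address not allowed in jail)
        return None, None, False
    finally:
        srv.close()


def unix_socket_probe(path):
    """Bind a Unix-domain listener at `path` and connect to it.

    A Unix socket is a filesystem object, not a network endpoint, so no
    interface or pf port rule is involved. Returns True on success.
    """
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        srv.listen(1)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.settimeout(2)
        try:
            cli.connect(path)
            conn, _ = srv.accept()
            conn.close()
            return True
        except OSError:
            return False
        finally:
            cli.close()
    except OSError:
        return False
    finally:
        srv.close()
        if os.path.exists(path):
            os.unlink(path)


def run_probes(jail_ip=None):
    """Run every probe and return {label: result}."""
    results = {}
    results["tcp 127.0.0.1"] = tcp_loopback_probe("127.0.0.1")
    if jail_ip:                           # e.g. the jail's ip4.addr, if given
        results["tcp " + jail_ip] = tcp_loopback_probe(jail_ip)
    tmpdir = tempfile.mkdtemp()           # short path: Unix socket paths are length-limited
    results["unix socket"] = unix_socket_probe(os.path.join(tmpdir, "probe.sock"))
    os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for label, result in run_probes(sys.argv[1] if len(sys.argv) > 1 else None).items():
        print(f"{label}: {result}")
```

Usage: inside the jail, `python3 probe.py 127.0.0.4`. If the `tcp 127.0.0.1` line reports an effective address equal to the jail's ip4.addr, then "loopback" traffic from jailed processes is really traffic on that address, and that address:port is what a pf rule has to pass (option b above); the `unix socket` line confirms the reply's alternative works regardless of pf.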
 
Well, this is strange...
I had the jail on lo0, and replacing IP:port with a socket worked. Today I moved the jail to the cloned lo2, with the same IP and everything. The jail is hosting nginx as a reverse proxy. The nginx jail refuses connections if listening on a socket, but accepts connections if listening on an IP. pf.conf is not the issue, as it has "pass on jail". nginx is configured as:
Code:
 # A Unix-domain listen takes a path only; a trailing ":8080" is not parsed as a port
 listen unix:/var/run/nginx.sock;

/etc/jail.conf for this jail is:
Code:
http {
        name = http;
        path = /data/ezjail/http;
        interface = lo2;
        ip4.addr = 127.0.0.4/32;
        devfs_ruleset = 11;
        mount.devfs;
        mount.fstab = "/etc/fstab.http";
}

/etc/devfs.rules contains:
Code:
[devfsrules_jail=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login