Herbert J. Skuhra | 11 Jul 2012 23:59

Jails on FreeBSD 9.0

Hi,

although I've followed the instructions in jail(8) and jail.conf(5) I
cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334). 

The symptoms:

* ssh'ing to jail works, but it takes about 20 seconds until password
  prompt appears
* netstat -r in the jail takes about 150 seconds to finish
* connections to the internet time out; with tcpdump I see that
  packets leave and enter the public interface on the host, but never
  reach the jail

I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public
interface is fxp0 with both an IPv4 and an IPv6 address assigned.
Of course, nat is enabled via pf on the public interface.

I have no issues setting up this jail on FreeBSD 8.3-STABLE.

Thanks,
Herbert
Mark Felder | 12 Jul 2012 00:14

Re: Jails on FreeBSD 9.0

You don't have anything in /etc/resolv.conf, do you? :-)
Herbert J. Skuhra | 12 Jul 2012 00:50

Re: Jails on FreeBSD 9.0

On Wed, 11 Jul 2012 17:14:37 -0500 Mark Felder wrote:

> You don't have anything in /etc/resolv.conf, do you? :-)

I have two nameservers listed.

But even when I do 'dig @8.8.8.8 www.google.com' from the jail I get:

connection timed out; no servers could be reached.

But tcpdump shows the reply from the nameserver.

Thanks.

-- 
Herbert

Herbert J. Skuhra | 12 Jul 2012 10:55

Re: Jails on FreeBSD 9.0

On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra
<h.skuhra@...> wrote:
> Hi,
>
> although I've followed the instructions in jail(8) and jail.conf(5) I
> cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334).
>
> The symptoms:
>
> * ssh'ing to jail works, but it takes about 20 seconds until password
>   prompt appears
> * netstat -r in the jail takes about 150 seconds to finish
> * connections to the internet time out; with tcpdump I see that
>   packets leave and enter the public interface on the host, but never
>   reach the jail
>
> I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public
> interface is fxp0 with both an IPv4 and an IPv6 address assigned.
> Of course, nat is enabled via pf on the public interface.

After switching to ipfw/natd networking in the jail works.
Could this be a bug?

-- 
Herbert
joris dedieu | 12 Jul 2012 11:56

Re: Jails on FreeBSD 9.0

2012/7/12 Herbert J. Skuhra <h.skuhra@...>:
> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra
<h.skuhra@...> wrote:
>> Hi,
>>
>> although I've followed the instructions in jail(8) and jail.conf(5) I
>> cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334).
>>
>> The symptoms:
>>
>> * ssh'ing to jail works, but it takes about 20 seconds until password
>>   prompt appears

Is it still the same with UseDNS=no in /etc/ssh/sshd_config?

>> * netstat -r in the jail takes about 150 seconds to finish

Does netstat -rn do the same?

>> * connections to the internet time out; with tcpdump I see that
>>   packets leave and enter the public interface on the host, but never
>>   reach the jail
>>
>> I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public
>> interface is fxp0 with both an IPv4 and an IPv6 address assigned.
>> Of course, nat is enabled via pf on the public interface.

Can you post your PF configuration?
>
> After switching to ipfw/natd networking in the jail works.

Herbert J. Skuhra | 12 Jul 2012 21:04

Re: Jails on FreeBSD 9.0

On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu
<joris.dedieu@...> wrote:
> 2012/7/12 Herbert J. Skuhra <h.skuhra@...>:
>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra
<h.skuhra@...> wrote:
>>> Hi,
>>>
>>> although I've followed the instructions in jail(8) and jail.conf(5) I
>>> cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334).
>>>
>>> The symptoms:
>>>
>>> * ssh'ing to jail works, but it takes about 20 seconds until password
>>>   prompt appears
>
> Is it still the same with UseDNS=no in /etc/ssh/sshd_config?

No, I can login instantly.

>>> * netstat -r in the jail takes about 150 seconds to finish
>
> Does netstat -rn do the same?

No, the output appears immediately.

>>> * connections to the internet time out; with tcpdump I see that
>>>   packets leave and enter the public interface on the host, but never
>>>   reach the jail
>>>
>>> I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public

Kalle Møller | 17 Jul 2012 09:59

Re: Jails on FreeBSD 9.0

On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra <h.skuhra <at> gmail.com> wrote:
> On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu <joris.dedieu <at> gmail.com> wrote:
>> 2012/7/12 Herbert J. Skuhra <h.skuhra <at> gmail.com>:
>>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra <h.skuhra <at> gmail.com> wrote:
>>>> Hi,
>>>>
>>>> although I've followed the instructions in jail(8) and jail.conf(5) I
>>>> cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334).
>>>>
>>>> The symptoms:
>>>>
>>>> * ssh'ing to jail works, but it takes about 20 seconds until password
>>>>   prompt appears
>>
>> Is it still the same with UseDNS=no in /etc/ssh/sshd_config?
>
> No, I can login instantly.
>
>>>> * netstat -r in the jail takes about 150 seconds to finish
>>
>> Does netstat -rn do the same?
>
> No, the output appears immediately.
>
>>>> * connections to the internet time out; with tcpdump I see that
>>>>   packets leave and enter the public interface on the host, but never
>>>>   reach the jail
>>>>
>>>> I use lo1 interface and ip address 192.168.1.1/24 for the jail. Public
>>>> interface is fxp0 with both an IPv4 and an IPv6 address assigned.

Herbert J. Skuhra | 17 Jul 2012 11:46

Re: Jails on FreeBSD 9.0

On Tue, Jul 17, 2012 at 9:59 AM, Kalle Møller
<freebsd-questions <at> k-moeller.dk> wrote:
> On Thu, Jul 12, 2012 at 9:04 PM, Herbert J. Skuhra <h.skuhra <at> gmail.com> wrote:
>> On Thu, Jul 12, 2012 at 11:56 AM, joris dedieu <joris.dedieu <at> gmail.com> wrote:
>>> 2012/7/12 Herbert J. Skuhra <h.skuhra <at> gmail.com>:
>>>> On Wed, Jul 11, 2012 at 11:59 PM, Herbert J. Skuhra <h.skuhra <at> gmail.com> wrote:
>>>>> Hi,
>>>>>
>>>>> although I've followed the instructions in jail(8) and jail.conf(5) I
>>>>> cannot manage to setup jails on FreeBSD 9.0 STABLE (r238334).
>>>>>
>>>>> The symptoms:
>>>>>
>>>>> * ssh'ing to jail works, but it takes about 20 seconds until password
>>>>>   prompt appears
>>>
>>> Is it still the same with UseDNS=no in /etc/ssh/sshd_config?
>>
>> No, I can login instantly.
>>
>>>>> * netstat -r in the jail takes about 150 seconds to finish
>>>
>>> Does netstat -rn do the same?
>>
>> No, the output appears immediately.
>>
>>>>> * connections to the internet time out; with tcpdump I see that
>>>>>   packets leave and enter the public interface on the host, but never
>>>>>   reach the jail
>>>>>

Herbert J. Skuhra | 17 Jul 2012 16:47

Re: Jails on FreeBSD 9.0

On Tue, Jul 17, 2012 at 11:46 AM, Herbert J. Skuhra <h.skuhra <at> gmail.com> wrote:

> With pf:
>
> I see the packets going out/coming in on fxp0 but somehow the jail
> does not "see" them.

Running 'nc 173.194.35.177 80'

'pfctl -ss' shows:

all tcp xx.xxx.xx.xxx:54724 (192.168.1.1:30177) -> 173.194.35.177:80
    ESTABLISHED:SYN_SENT

tcpdump on pflog0 shows :

16:32:28.489495 rule 11..16777216/0(match): pass out on fxp0:
xx.xxx.xx.xxx.54724 > 173.194.35.177.80: Flags [S], seq 3219071188,
win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 13114581 ecr
0], length 0
16:32:28.499804 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463073042 ecr
13114581,nop,wscale 6], length 0
16:32:28.893420 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack
3219071189, win 14180, options [mss 1430,sackOK,TS val 1463073436 ecr
13114581,nop,wscale 6], length 0
16:32:29.494073 rule 0..16777216/0(match): nat in on fxp0:
173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack

Herbert J. Skuhra | 21 Jul 2012 11:24

Re: Jails on FreeBSD 9.0

Hi,

ok, this is obviously a pf problem and the reason why the network in
the jail doesn't work.

ifconfig lo1 create
ifconfig lo1 10.0.0.10 netmask 0xffffff00
nc -s 10.0.0.10 xx.xx.xx.xx 25

With pf: connection fails; server receives SYN-ACK, but nc continues
sending SYNs until nc gives up

With ipfw: connection OK

On my Soekris box at home (9.1-PRERELEASE i386) both ipfw and pf work.

Thanks.

-- 
Herbert
_______________________________________________
freebsd-questions <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe <at> freebsd.org"
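
The symptom reported in this thread (the same SYN-ACK arriving repeatedly on the public interface while the local side keeps sending SYNs) can be picked out of tcpdump text output mechanically. The script below is an added example, not something posted in the thread; it assumes one packet per line (not wrapped as in the mail above), and the sample lines are constructed in the format shown in the thread, with 198.51.100.7 and 203.0.113.9 as placeholder addresses.

```shell
#!/bin/sh
# Added example (not from the thread): find SYN-ACKs that appear more than
# once with the same sequence number in tcpdump text output, i.e. handshake
# replies that were retransmitted because the final ACK never came back.

# Reads tcpdump text on stdin, one packet per line.
# Prints "src dst seq count" for each SYN-ACK seen at least twice.
synack_retransmits() {
    awk '
    /Flags \[S\.\]/ {
        src = ""; dst = ""; seq = ""
        for (i = 2; i < NF; i++) {
            if ($i == ">")   { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst) }
            if ($i == "seq") { seq = $(i + 1); sub(/,$/, "", seq) }
        }
        if (src != "" && seq != "") {
            key = src " " dst " " seq
            if (!(key in count)) order[++n] = key   # remember first-seen order
            count[key]++
        }
    }
    END {
        for (j = 1; j <= n; j++)
            if (count[order[j]] >= 2) print order[j], count[order[j]]
    }'
}

# Constructed sample: one outgoing SYN, the same SYN-ACK logged three times,
# and an unrelated SYN-ACK seen once (which must not be reported).
sample_pflog() {
    cat <<'EOF'
16:32:28.489495 rule 11..16777216/0(match): pass out on fxp0: 198.51.100.7.54724 > 173.194.35.177.80: Flags [S], seq 3219071188, win 65535, length 0
16:32:28.499804 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, length 0
16:32:28.893420 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, length 0
16:32:29.494073 rule 0..16777216/0(match): nat in on fxp0: 173.194.35.177.80 > 192.168.1.1.30177: Flags [S.], seq 3667423105, ack 3219071189, win 14180, length 0
16:32:40.000000 rule 0..16777216/0(match): nat in on fxp0: 203.0.113.9.25 > 192.168.1.1.40000: Flags [S.], seq 1000, ack 2001, win 14180, length 0
EOF
}

sample_pflog | synack_retransmits
```

On a live host the function can be fed from `tcpdump -n -e -ttt -i pflog0` instead of the sample; a non-empty result for a jail address means replies are reaching the host but the handshake is not completing.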

