DaemonForums

#1
17th August 2008
neurosis (Fdisk Soldier; Join Date: Jul 2008; Posts: 69)

Jails, ezjail, apache, very newbie question.

I'm not really looking to become an expert at running a web server or anything, but I pretty much play around with FreeBSD as a hobby. I've been using FreeBSD for the last three years and have some basic knowledge and can keep my system up and fix minor problems etc. I've been wanting to learn more about jails lately and want to set up a web server to play around with and give myself something to do in my off time. Setting up the jail appears easy enough, but the one part of it that I don't fully understand is the networking and how the port forwarding to the jail works etc. Is there anywhere that I can turn to look for this information to help me understand the networking concepts and, more importantly, how they work with jails? I've seen several write-ups that give some information on how to get the network side of things working properly, but I don't understand it fully. I see this

Code:
ifconfig_fxp0_alias0="inet 10.10.10.100/32"
but don't understand what the /32 is at the end of the IP. In some write-ups it shows a /24.

Code:
prefixlen len
	     (Inet6 only.)  Specify that len bits are reserved for subdividing
	     networks into sub-networks.  The len must be integer, and for
	     syntactical reason it must be between 0 to 128.  It is almost
	     always 64 under the current IPv6 assignment rule.	If the parameter
	     is omitted, 64 is used.

	     The prefix can also be specified using the slash notation after
	     the address.  See the address option above for more information.
I guess that I don't quite understand what this is telling me.
If anyone is willing to put me in the right direction to help me understand this and the basics of jails and setting them up, I would appreciate it.

#2
17th August 2008
cajunman4life (Real Name: Aaron Graves; Package Pilot; Join Date: May 2008; Location: Coolidge, Arizona; Posts: 203)

The /32 is called CIDR notation.

http://en.wikipedia.org/wiki/Classle...Domain_Routing

/32 means that 32 bits of the IP address never change. And since an IPv4 address is only 32 bits, that means it's a single IP address.

For example, on my internal network, I have it set up as 10.0.0.0/8, which means the only thing in the IP that ever stays the same is the first octet (the "10."). So I have over 16 million IPs available on my internal network.

As far as "port forwarding" to the jail, you'll have to do that at your switch/router level. Since the jail has its own IP address, you can forward all requests on port 80 from your router to the IP of the jail (assuming, of course, that the jail's IP sits on the same subnet as your router). If the rest of your "internal" network is, for example, 192.168.1.0/24, then this solution won't work (since 10.10.10.100/32 is not in the same subnet).

Hopefully I didn't confuse you further.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
#3
18th August 2008
neurosis (Fdisk Soldier; Join Date: Jul 2008; Posts: 69)

Absolutely not! You didn't confuse me further. This was good information. I guess this leads to another question though. Does my jail require its own network card? I guess I don't understand how you can run two IPs on a single network card unless the host system is sending the information to the jail.
#4
18th August 2008
BSDfan666 (Real Name: N/A, this is the interweb; Banned; Join Date: Apr 2008; Location: Ontario, Canada; Posts: 2,223)

There is absolutely nothing preventing a network interface from having multiple IP addresses, whatever gave you that idea?

Read ifconfig(8), search for "alias", look at the EXAMPLES section for more info.
Also rc.conf(5), "network_interfaces".
#5
18th August 2008
neurosis (Fdisk Soldier; Join Date: Jul 2008; Posts: 69)

I'm already starting to understand a lot better. I'm glad that I decided to play around with this. I just don't want to start to set up the jail until I understand what I am doing. Thanks!

Quote:
Originally Posted by BSDfan666
There is absolutely nothing preventing a network interface from having multiple IP addresses, whatever gave you that idea?

Read ifconfig(8), search for "alias", look at the EXAMPLES section for more info.
Also rc.conf(5), "network_interfaces".
#6
18th August 2008
scottro (Real Name: Scott Robbins; ISO Quartermaster; Join Date: Apr 2008; Location: NYC; Posts: 652)

I have a couple of (somewhat dated) pages on jails and ezjail

(The pages aren't always up, as I tend to play with the computer running it but)

http://www.scottro.net/qnd/qnd-jail.html

Is the one for jails in general, and in the first paragraph there's a link to the ezjail one. I do recommend ezjail, it does what its name implies and makes it easier, though I think it's still quite necessary to have a reasonable understanding of jails first.
#7
18th August 2008
neurosis (Fdisk Soldier; Join Date: Jul 2008; Posts: 69)

One more question about the networking side of things. Obviously I have a very limited knowledge of networking too, which I'm hoping to learn something about in this arena as well. My BSD box is set up for DHCP right now, but at the router by MAC address it's set up to hold a specific IP for this computer so that its IP never changes. Can I leave this set for DHCP but, when I set up the jail, just assign the alias an address that is higher than what is normally used by my home network? Right now my BSD box is 192.168.1.10. If I assign the alias to 192.168.1.100, then there is no chance that any of my computers on my home network will try to acquire that address? Is this a dumb way to go about this?

scottro,
Actually, your guide is what I've been hoping to use to get the jails set up.

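The CIDR arithmetic in post #2 and the alias question in post #7, worked through as an added example that is not from this thread or from any of the posters. It uses only Python's standard ipaddress module. The DHCP pool range is an assumption (the thread never states what the router hands out), and the function names are my own. It goes one step past the thread by also building the rc.conf alias line quoted in post #1 and by checking a proposed alias against the network/broadcast addresses and a set of addresses already in use.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Values taken from the thread: the jail alias from post #1, the /8 home
# network from post #2, and the host/alias addresses from post #7.
JAIL_ALIAS = "10.10.10.100/32"
HOME_NET_SLASH8 = "10.0.0.0/8"
ROUTER_LAN = "192.168.1.0/24"
HOST_ADDR = "192.168.1.10"
PROPOSED_ALIAS = "192.168.1.100"
# Hypothetical DHCP pool (the thread never states the router's range);
# replace it with the pool your router actually hands out.
DHCP_POOL = ("192.168.1.2", "192.168.1.99")


def prefix_summary(cidr):
    """Return (fixed bits, host bits, number of addresses) for a CIDR string.

    /32 on IPv4 fixes all 32 bits, so it names exactly one address;
    /8 fixes only the first octet and leaves 24 bits (2**24 addresses).
    """
    net = ip_network(cidr, strict=False)
    fixed = net.prefixlen
    host = net.max_prefixlen - fixed
    return fixed, host, net.num_addresses


def same_subnet(addr_cidr, subnet_cidr):
    """True when the address part of addr_cidr lies inside subnet_cidr.

    This is the test behind post #2's remark that a router on 192.168.1.0/24
    cannot simply forward port 80 to a jail at 10.10.10.100/32.
    """
    return ip_interface(addr_cidr).ip in ip_network(subnet_cidr, strict=False)


def alias_problems(alias, lan_cidr, dhcp_pool, in_use):
    """Return the reasons a static jail alias is a bad choice (empty if it is fine).

    Checks: inside the LAN, not the network or broadcast address, outside the
    DHCP pool, and not already assigned to another host.
    """
    ip = ip_address(alias)
    lan = ip_network(lan_cidr, strict=False)
    lo, hi = ip_address(dhcp_pool[0]), ip_address(dhcp_pool[1])
    problems = []
    if ip not in lan:
        problems.append("outside LAN %s" % lan)
    elif ip in (lan.network_address, lan.broadcast_address):
        problems.append("network or broadcast address")
    if lo <= ip <= hi:
        problems.append("inside DHCP pool %s-%s" % (lo, hi))
    if alias in in_use:
        problems.append("already assigned")
    return problems


def rc_conf_alias(iface, index, alias, prefixlen=32):
    """Build the rc.conf(5) alias line in the form post #1 quotes.

    ifconfig(8)'s EXAMPLES section (which post #4 points to) adds a second
    address on an already-configured network with a 0xffffffff netmask,
    which is why the thread's line carries /32 rather than /24.
    """
    return 'ifconfig_%s_alias%d="inet %s/%d"' % (
        iface, index, ip_interface(alias).ip, prefixlen)


if __name__ == "__main__":
    print(prefix_summary(JAIL_ALIAS))        # (32, 0, 1)
    print(prefix_summary(HOME_NET_SLASH8))   # (8, 24, 16777216)
    print(same_subnet(JAIL_ALIAS, ROUTER_LAN))  # False
    print(alias_problems(PROPOSED_ALIAS, ROUTER_LAN, DHCP_POOL, {HOST_ADDR}))  # []
    print(rc_conf_alias("fxp0", 0, PROPOSED_ALIAS))
```

With the assumed pool, 192.168.1.100 comes back clean, which matches the reasoning in post #7: the address is on the router's subnet, above the range the router leases, and not the host's own 192.168.1.10. Whether it stays clean depends entirely on the real pool boundaries, so the check is only as good as the values you feed it.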
#8
18th August 2008
Eam404 (Port Guard; Join Date: May 2008; Posts: 21)

hey now! QnD guides -- ezjail saved me back in the day
#9
18th August 2008
hunteronline (Fdisk Soldier; Join Date: Jul 2008; Posts: 52)

This may help you: http://wael.nasreddine.com/2008/03/19/jail-servers.html
#10
18th August 2008
neurosis (Fdisk Soldier; Join Date: Jul 2008; Posts: 69)

Ok... this has me a bit off. Is it a must to update source to use jails? I've installed FreeBSD 7.0-RELEASE a bit back but not too long ago. It now looks like the newest source reflects REVISION="7.0" BRANCH="RELEASE-p3".

I am trying to decide whether I should update the entire system, or can I get away with removing the source and replacing it with what is on the CD? FreeBSD 7.0-RELEASE is what my machine is currently running. I am afraid of breaking my machine. I did try to run ezjail-admin update -i, but it errors on me, I think because I have updated my /src directory but it doesn't match the version that I am currently running? I get as an error

Code:
 --------------------------------------------------------------
>>> Installing everything
--------------------------------------------------------------
cd /usr/src; make -f Makefile.inc1 install
===> share/info (install)
install -o root -g wheel -m 444  dir-tmpl /usr/jails/fulljail/usr/share/info/dir
install:No such file or directory
*** Error code 1

Stop in /usr/src/share/info.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.
make installworld failed.
#11
18th August 2008
hunteronline (Fdisk Soldier; Join Date: Jul 2008; Posts: 52)

update first, http://www.daemonforums.org/showthread.php?t=1726

Follow the updating part of that thread.
#12
19th August 2008
neurosis (Fdisk Soldier; Join Date: Jul 2008; Posts: 69)

Well, thanks for everyone's help. System is updated ("first time I've done that"), jail is created and working, although I would still like to understand it better. The networking side of it appears to be working fine, which is good. I definitely need to change the ssh port, I've noticed. The jail was up for one hour and already 4 attempts to login. I started denyhosts in the jail but will change the ssh port soon. I originally set up an account inside of the jail for admin purposes but later deleted it, figuring that I could just admin it from the computer itself. I'm not sure what the best way to go about administrating the jail is yet.
#13
19th August 2008
anomie (Local; Join Date: Apr 2008; Location: Texas; Posts: 445)

Quote:
Originally Posted by neurosis
I definitely need to change the ssh port ive noticed. The jail was up for one hour and already 4 attempts to login. I started denyhosts in the jail but will change the ssh port soon.
In most cases it's unnecessary to change the port sshd listens on. If I could suggest some alternatives: http://daemonforums.org/showthread.php?t=74

Additionally, do some searching on the forums - there are brute force mitigation techniques using PF that may come in handy.

Quote:
Originally Posted by neurosis
I originally set up an account inside of the jail for admin purposes but later deleted it figuring that I could just admin it from the computer itself. Im not sure what the best way to go about administrating the jail is yet.
How about:
# jexec 1 /bin/csh

(where '1' refers to the appropriate jail ID, returned by jls(8).)

That will drop you into a root shell within the jail.
__________________
Kill your t.v.
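An added example, not from the thread or from any poster, of the PF brute-force mitigation anomie points at, written in Python as a small detection script. It counts sshd "Failed password" lines per source address over a handful of constructed auth.log lines (formatted the way FreeBSD's sshd logs them), ignores sources inside a trusted network so a mistyped LAN password does not lock anyone out, and renders a pf.conf table plus rules for the offenders. The log lines, the threshold, the interface name fxp0 and the function names are all assumptions; the max-src-conn-rate/overload rule it emits is PF's own syntax from pf.conf(5).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the format FreeBSD's sshd writes to
# /var/log/auth.log; none of them come from the thread's machine.
SAMPLE_AUTH_LOG = """\
Aug 19 02:11:05 jail1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Aug 19 02:11:09 jail1 sshd[1236]: Failed password for root from 203.0.113.7 port 50120 ssh2
Aug 19 02:11:14 jail1 sshd[1238]: Failed password for root from 203.0.113.7 port 50131 ssh2
Aug 19 02:11:20 jail1 sshd[1240]: Failed password for invalid user oracle from 203.0.113.7 port 50140 ssh2
Aug 19 02:30:41 jail1 sshd[1302]: Accepted publickey for neurosis from 192.168.1.10 port 40022 ssh2
Aug 19 02:45:02 jail1 sshd[1350]: Failed password for neurosis from 192.168.1.10 port 40030 ssh2
Aug 19 03:02:17 jail1 sshd[1401]: Failed password for invalid user test from 198.51.100.23 port 51002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_per_source(log_text):
    """Count sshd 'Failed password' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("src")] += 1
    return counts


def sources_over_threshold(log_text, threshold=3, trusted=("192.168.1.0/24",)):
    """Return, sorted, the sources with at least `threshold` failures that do
    not sit inside a trusted network (so a LAN typo is never blocked)."""
    trusted_nets = [ip_network(net) for net in trusted]
    offenders = []
    for src, failures in failed_logins_per_source(log_text).items():
        if failures < threshold:
            continue
        if any(ip_address(src) in net for net in trusted_nets):
            continue
        offenders.append(src)
    return sorted(offenders)


def pf_table_snippet(addresses, table="bruteforce", ext_if="fxp0"):
    """Render pf.conf(5) lines that block the offenders and also let PF keep
    the table filled on its own through connection-rate tracking."""
    lines = [
        "table <%s> persist { %s }" % (table, ", ".join(addresses)),
        "block in quick on %s from <%s>" % (ext_if, table),
        ("pass in on %s proto tcp to port ssh keep state "
         "(max-src-conn-rate 5/30, overload <%s> flush global)") % (ext_if, table),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    offenders = sources_over_threshold(SAMPLE_AUTH_LOG)
    print(failed_logins_per_source(SAMPLE_AUTH_LOG))
    print(offenders)                  # ['203.0.113.7']
    print(pf_table_snippet(offenders))
```

Once the table exists in the loaded rule set, addresses can be added or removed at runtime with pfctl -t bruteforce -T add and -T delete (and listed with -T show) without reloading pf.conf, which is what a script like this would do on a timer instead of printing.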
#14
19th August 2008
neurosis (Fdisk Soldier; Join Date: Jul 2008; Posts: 69)

Thanks... that's helpful.

I got apache22 installed and up but still need to spend a little time on the config. When I installed apache it didn't seem to put some things where expected, i.e. when I tried to connect to my computer to view the apache page I rather got an error stating that I was not authorized to access root dir/ . That confused me a little. The data directory appeared to be missing completely, although everything else seemed to be there, which I thought was a bit strange.

(Found the answer to the question already. I searched all over the internet for write-ups and, go figure... I found what I needed on Apache's web site.)

#15
23rd August 2008
windependence (Real Name: Tim; Shell Scout; Join Date: May 2008; Location: Phoenix, Arizona; Posts: 116)

Quote:
Originally Posted by neurosis
Well, thanks for everyone's help. System is updated ("first time I've done that"), jail is created and working, although I would still like to understand it better. The networking side of it appears to be working fine, which is good. I definitely need to change the ssh port, I've noticed. The jail was up for one hour and already 4 attempts to login. I started denyhosts in the jail but will change the ssh port soon. I originally set up an account inside of the jail for admin purposes but later deleted it, figuring that I could just admin it from the computer itself. I'm not sure what the best way to go about administrating the jail is yet.
Hehe, this is funny. I get THOUSANDS of attempts per day on the machine I serve my sites from, but of course they don't get in. That's the key here.

-Tim
__________________
www.windependence.org
Get your Windependence today!
#16
23rd August 2008
hunteronline (Fdisk Soldier; Join Date: Jul 2008; Posts: 52)

Take a look at mod_security, it's an apache module.
http://www.freebsd.org/cgi/ports.cgi...rity&stype=all

Open source web apps are prime targets.
Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick