DaemonForums  

  #1   (View Single Post)  
Old 3rd May 2008
krreagan krreagan is offline
New User
 
Join Date: May 2008
Location: Colorado, USA
Posts: 5
Thanked 0 Times in 0 Posts
Network not working in my jail.

I just installed/created a jail using the FBSD Handbook as a guide. Everything worked well except that my network doesn't work at all in the jail.

Code:
# ping mother
ping: socket: Operation not permitted

jls shows the correct IP associated with the jail.

Here is my host rc.conf:

Code:
#
# Jails...
#
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="father"
jail_father_hostname="father.mydomain.org"
jail_father_ip="192.168.2.101"
jail_father_interface="re0"
jail_father_rootdir="/data/jails/father"
jail_father_devfs_enable="YES"

Code:
# jls
   JID  IP Address      Hostname                      Path
     3  192.168.2.101   father.mydomain.org            /data/jails/father

I tried to set the IP in the jail during startup (rc.conf) but no go.

I'm probably missing something really stupid!

TIA
Krreagan
Reply With Quote
  #2   (View Single Post)  
Old 3rd May 2008
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Eindhoven, Netherlands
Posts: 2,066
Thanked 198 Times in 156 Posts

What's in your jail's /dev (ls -l /dev)?
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
  #3   (View Single Post)  
Old 3rd May 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Thanked 16 Times in 14 Posts

I thought that due to (potential) security issues ping was not allowed to work through a jail. At any rate, I have 3 jails up and running and ping doesn't work in any of them (however, regular network traffic passes both ways). Try to ping the IP of your jail from either the jail host or another machine. If it answers, then networking is working in the jail. I can't remember where I read it but I'm nearly certain I read that ping will not work inside a jail.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
  #4   (View Single Post)  
Old 3rd May 2008
krreagan krreagan is offline
New User
 
Join Date: May 2008
Location: Colorado, USA
Posts: 5
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by cajunman4life View Post
I thought that due to (potential) security issues ping was not allowed to work through a jail. At any rate, I have 3 jails up and running and ping doesn't work in any of them (however, regular network traffic passes both ways). Try to ping the IP of your jail from either the jail host or another machine. If it answers, then networking is working in the jail. I can't remember where I read it but I'm nearly certain I read that ping will not work inside a jail.

This seems to be my issue. I cannot ping from inside my jail but I can do a fetch via a port install from inside.
Of course the first thing I did in my jail was to attempt a ping... Now 3hrs later I find that it's disabled! errrrrrrrr! They should add a note in the Handbook to this effect.


Thanks
Krreagan
Reply With Quote
  #5   (View Single Post)  
Old 3rd May 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Thanked 16 Times in 14 Posts

This is just a guess, but if you really need ping functionality from within your jail, then you can set the following variable:

security.jail.allow_raw_sockets

using sysctl to 1 (should default to 0). Bear in mind though that this could introduce potential security issues (from my understanding it's something like someone being able to monitor traffic over the physical NIC (even if that traffic originates from outside the jail)). Your call if it's that important or not.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
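
The thread settles on `security.jail.allow_raw_sockets` as the switch that makes ping work inside a jail. As an added example (not part of any post in this thread), the host-side script below reports whether that sysctl is on right now and whether a sysctl.conf would turn it back on at boot; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check on the jail HOST whether jails
# are allowed to open raw sockets, now and after the next reboot.
KNOB="security.jail.allow_raw_sockets"

# Last value assigned to $KNOB in a sysctl.conf-style file (name=value lines,
# '#' comments). Prints nothing when the file is missing or never sets it.
persisted_value() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$KNOB" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# classify RUNTIME PERSISTED -> ok | runtime-only | persistent
classify() {
    if [ "$2" = "1" ]; then
        echo "persistent"     # re-enabled at every boot via sysctl.conf
    elif [ "$1" = "1" ]; then
        echo "runtime-only"   # set by hand (e.g. for a ping test); lost on reboot
    else
        echo "ok"             # 0, the default mentioned in the thread
    fi
}

# audit [CONF] [RUNTIME]: RUNTIME defaults to the live sysctl value.
audit() {
    conf=${1:-/etc/sysctl.conf}
    if [ $# -ge 2 ]; then
        runtime=$2
    else
        runtime=$(sysctl -n "$KNOB" 2>/dev/null) || runtime="unknown"
    fi
    classify "$runtime" "$(persisted_value "$conf")"
}

# Constructed sample: a sysctl.conf where the knob was left on after debugging.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not from the thread
kern.ipc.somaxconn=1024
security.jail.allow_raw_sockets = 1   # enabled to test ping
EOF
echo "sample config, runtime 0: $(audit "$sample" 0)"
rm -f "$sample"
```

On a real host, calling `audit` with no arguments reads /etc/sysctl.conf and the live sysctl value.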
  #6   (View Single Post)  
Old 3rd May 2008
krreagan krreagan is offline
New User
 
Join Date: May 2008
Location: Colorado, USA
Posts: 5
Thanked 0 Times in 0 Posts

I'm having problems with all the items I was going to put into my jail (hobby).

NTP - needs access to set the HW clock (not allowed in jails)
DHCP - needs access to BPF (again not allowed in jails)
DNS (named) - already in chroot environment.

PS. The security.jail.allow_raw_sockets did allow me to run ping. Although not necessary any more now that I determined that my jail network was working just fine.

I guess I'll have to put one of my other domains under a jail...

Thanks for the help.
Krreagan
Reply With Quote
  #7   (View Single Post)  
Old 3rd May 2008
cajunman4life cajunman4life is offline
Real Name: Aaron Graves
Package Pilot
 
Join Date: May 2008
Location: Coolidge, Arizona
Posts: 203
Thanked 16 Times in 14 Posts

If you run ntp on your jail host machine, it won't be necessary in the jail.
__________________
I just saved a bunch of money on my car insurance by fleeing the scene of the accident!
Reply With Quote
  #8   (View Single Post)  
Old 5th May 2008
bloodlust bloodlust is offline
New User
 
Join Date: May 2008
Posts: 1
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by krreagan View Post
I'm having problems with all the items I was going to put into my jail (hobby).

What kind of problems?
Reply With Quote