Re: problems with jail
OK, I managed to get it so something else wasn't grabbing *.*, dunno
what made that happen. What you said made me think "Hey, there was
something in the man pages about starting services", so I figured I ought
to test that out. So I did:
Pre-Jail process/netstat:
root@elrond 07:52:14 (0) /usr/ports > ps -A | grep syslog
2952 ?? Ss 0:00.08 /usr/sbin/syslogd -b 192.168.1.84
root@elrond 07:52:17 (0) /usr/ports > ps -A | grep send
5489 p2 S+ 0:00.00 grep send
root@elrond 07:52:25 (0) /usr/ports > ps -A | grep name
root@elrond 07:52:29 (0) /usr/ports > ps -A | grep inet
root@elrond 07:52:31 (0) /usr/ports > ps -A | grep ssh
2474 ?? Is 0:00.01 /usr/sbin/sshd
5498 p2 R+ 0:00.00 grep ssh
sjss@elrond 07:51:08 (0) ~ > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.84.53971 nz-in-f83.google.http ESTABLISHED
tcp4 0 0 192.168.1.84.57400 oam-d17a.blue.ao.aol ESTABLISHED
tcp4 0 0 192.168.1.84.56522 205.188.7.124.aol ESTABLISHED
tcp4 0 0 192.168.1.84.50267 py-in-f83.google.http ESTABLISHED
tcp4 0 0 192.168.1.84.ssh *.* LISTEN
tcp4 0 0 192.168.1.84.53732 ar-in-f83.google.http ESTABLISHED
udp4 0 0 192.168.1.84.syslog *.*
starting jail
root@elrond 07:52:50 (0) /usr/ports > jail /jail/ legolas@xxxxxxxxxxxxx 192.168.1.85 /bin/sh /etc/rc
Loading configuration files.
legolas@xxxxxxxxxxxxx
Setting hostname: legolas@xxxxxxxxxxxxxx
Creating and/or trimming log files:.
ln: /dev/log: Operation not permitted
Starting syslogd.
ELF ldconfig path: /lib /usr/lib /usr/lib/compat
a.out ldconfig path: /usr/lib/aout /usr/lib/compat/aout
Clearing /tmp (X related).
Starting local daemons:.
Updating motd.
Starting sshd.
Starting cron.
Local package initialization:.

Sat Feb 24 07:54:40 UTC 2007



Jailed port/binding list:
sjss@elrond 07:54:05 (0) ~ > netstat -f inet -a; netstat -f inet6 -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.85.smtp *.* LISTEN
tcp4 0 0 192.168.1.85.ssh *.* LISTEN
tcp4 0 0 192.168.1.84.58735 nz-in-f83.google.http ESTABLISHED
tcp4 0 0 192.168.1.84.57400 oam-d17a.blue.ao.aol ESTABLISHED
tcp4 0 0 192.168.1.84.56522 205.188.7.124.aol ESTABLISHED
tcp4 0 0 192.168.1.84.50267 py-in-f83.google.http ESTABLISHED
tcp4 0 0 192.168.1.84.ssh *.* LISTEN
tcp4 0 0 192.168.1.84.53732 ar-in-f83.google.http ESTABLISHED
udp4 0 0 192.168.1.85.syslog *.*
udp4 0 0 192.168.1.84.syslog *.*
Issue not confused, but it did give me some "try this" tests.
Unfortunately I still can't connect to anything outside of the jail,
not even to the host.
SSHing into the jail does not work; into the host it does.
root@elrond 07:54:40 (0) /usr/ports > jail /jail/ legolas 92.168.1.85 /bin/csh
%ssh -x 192.168.1.84
^C

And as a last test I should have thought of before:
root@elrond 07:59:13 (0) /usr/ports > sysctl security.jail.allow_raw_sockets
security.jail.allow_raw_sockets: 1
root@elrond 07:59:26 (0) /usr/ports > jail /jail/ legolas 92.168.1.85 /bin/csh
%ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
^C
--- 127.0.0.1 ping statistics ---
7 packets transmitted, 0 packets received, 100% packet loss
%ifconfig
nve0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:13:d4:2e:2f:62
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384


Oh, and for testing purposes, I unhid everything in /jail/dev:
root@elrond 08:04:20 (0) /usr/ports > devfs rule -s 666 show
100 path acd* hide
200 path ad10* hide
300 path audio* hide
400 path dsp* hide
500 path apm* hide
600 path dev* hide
700 path geom* hide
800 path kmem* hide
900 path mem* hide
1000 path nfs* hide
1100 path pci* hide
1200 path nvidia* hide
1300 path snd* hide
1400 path sysmouse* hide
1500 path ukbd0* hide
1600 path usb* hide
1700 path ums* hide
1800 path net* mode 755
1900 path ata* hide
2000 path atkbd* hide
2100 path kbd* hide
2200 path fd* hide
2300 path fid* hide
2400 path net* mode 777
2500 path show
2600 path * unhide



Still no luck. Thanks everyone for all the help, hopefully this is
enough information to indicate the problem.

-Jim Stapleton


sockstat (referenced at the end of the netstat man page) will show you
process names/ports.

To get any given service to work inside the jail, that IP:Port must
not be bound anywhere else, but it must be bound within the jail.
That is, you need an sshd listening on the host machine port 22, and
a separate sshd listening on the jail port 22. The same applies for
every service you want to run in both machines.

This can get confusing, too. It's generally best to always explicitly
limit services by IP on the host, even if you have no intention of
running the same service in a jail. This will prevent
confusion--imagine that you are wanting to run a webserver on the
host, but not the jail (for some weird reason). If apache is
listening on all IPs that the host has, it will be listening on the
jail IP, using the host filesystem.

Hope that didn't confuse the issue or anything.
On Sat, Feb 24, 2007 at 03:43:58AM +0000, Jim Stapleton wrote:
> addendum, I fixed syslogd by adding this to my rc.conf:
> syslogd_flags="-b 192.168.1.84"
>
> However, looking through netstat's man page, I couldn't find the name
> of the flag (if it exists) that will show the process name. Does that
> require a different tool?
>
> Thank you,
> -Jim Stapleton
>
>
>
> On 2/24/07, Jim Stapleton <stapleton.41@xxxxxxxxx> wrote:
> >OK, I have a fairly sizeable list, but it looks like most stuff is
> >bound to 192.168.1.84 except two things, one is closed, and the other
> >is syslog (guess I have to look at its man page). It also looks like
> >there is something else there. I guess I'll be looking at the netstat
> >man page to figure out how to get the name of the daemon touching it:
> >
> > > netstat -f inet -a; netstat -f inet6 -a
> >Active Internet connections (including servers)
> >Proto Recv-Q Send-Q Local Address Foreign Address (state)
> >tcp4 0 0 192.168.1.84.57256 ar-in-f18.google.http ESTABLISHED
> >tcp4 0 0 192.168.1.84.62237 caim-m05b.blue.a.aol TIME_WAIT
> >tcp4 0 0 192.168.1.84.58627 oam-d17a.blue.ao.aol TIME_WAIT
> >tcp4 0 0 192.168.1.84.64265 205.188.7.124.aol TIME_WAIT
> >tcp4 0 0 192.168.1.84.ssh *.* LISTEN
> >tcp4 0 0 *.* *.* CLOSED
> >tcp4 0 0 192.168.1.84.61774 ar-in-f19.google.http ESTABLISHED
> >tcp4 0 0 192.168.1.84.53732 ar-in-f83.google.http ESTABLISHED
> >udp4 0 0 *.syslog *.*
> >Active Internet connections (including servers)
> >Proto Recv-Q Send-Q Local Address Foreign Address (state)
> >udp6 0 0 *.syslog *.*
> >
> >
> >
> >On 2/24/07, Harald Schmalzbauer <h.schmalzbauer@xxxxxxxxxx> wrote:
> >> On Saturday, 24 February 2007 04:21, Jim Stapleton wrote:
> >> > I did the ssh after you did the previous mail, but it didn't fix the
> >> > problem.
> >> >
> >> > I'm not having problems with sendmail or named, they were simply mentioned
> >> > in the man page. I never had named running, and I didn't realize
> >> > sendmail was running. The latter was my problem with sendmail. That
> >> > problem as I said is fixed. Beyond that I don't even know which
> >> > processes on my system are daemons at this point, except usbd and devd,
> >> > neither of which (to my knowledge) should be listening on any sockets.
> >> > Actually there are a couple of kernel processes (pagedaemon, vmdaemon,
> >> > and bufdaemon), but I don't know where to find documentation on them,
> >> > X, and KDM. I can't find anything on limiting sockets of these to a
> >> > specific IP only.
> >>
> >> To see what daemons are listening you can use 'netstat -f inet -a'. Then
> >> you see if you have to limit some other daemons (use -f inet6 for IPv6 if
> >> configured).
> >>
> >> Please post the output of the command above to see why you get ssh
> >> connections to your jail IP answered by the host's ssh daemon.
> >>
> >> -Harry
> >>
> >> --
> >> OmniSEC - UNIX and Windows Networks - Secure
> >> Harald Schmalzbauer
> >> Flintsbacher Str. 3
> >> 80686 München
> >> +49 (0) 89 18947781
> >> +49 (0) 160 93860101
> >>
> >
> _______________________________________________
> freebsd-questions@xxxxxxxxxxx mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"

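As an added example that is not from either poster: a small sh/awk check for the question both messages in this thread circle around, namely which sockets on the host are bound to the wildcard address (or already to the jail's IP) and would therefore answer for the jail's IP too, so the jail's own copy of the service cannot bind. It runs over a constructed listing in the format of the `netstat -f inet -a` output posted above; `find_jail_conflicts`, `SAMPLE_NETSTAT` and the sample lines are mine, not captured from the poster's host.

```shell
#!/bin/sh
# Constructed sample in the format of FreeBSD's `netstat -f inet -a`,
# modelled on the listings in the thread (not real captured output).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.84.ssh *.* LISTEN
tcp4 0 0 192.168.1.85.smtp *.* LISTEN
tcp4 0 0 *.* *.* CLOSED
tcp4 0 0 *.http *.* LISTEN
tcp4 0 0 192.168.1.84.53732 ar-in-f83.google.http ESTABLISHED
udp4 0 0 *.syslog *.*
udp4 0 0 192.168.1.84.ntp *.*'

# find_jail_conflicts NETSTAT_OUTPUT [JAIL_IP]
# Prints "proto addr port NAME" for each inbound socket (TCP in LISTEN, or
# any UDP socket) whose local address is the wildcard "*" or equals JAIL_IP.
# Such a socket on the host shadows the same port inside the jail.
find_jail_conflicts() {
    printf '%s\n' "$1" | awk -v jail="$2" '
        NR <= 2 { next }                     # skip the two header lines
        {
            proto = $1; local = $4; state = $6
            # split "addr.port" at the last dot; the address itself has dots
            match(local, /\.[^.]*$/)
            addr = substr(local, 1, RSTART - 1)
            port = substr(local, RSTART + 1)
            # only sockets that accept inbound traffic can shadow a jail service
            if (proto ~ /^tcp/ && state != "LISTEN") next
            if (addr == "*" || (jail != "" && addr == jail))
                printf "%s %s port %s\n", proto, addr, port
        }'
}

# Example run against the constructed listing, with the jail at 192.168.1.85.
# Each line printed is a service that has to be pinned to the host IP (as the
# thread did with syslogd_flags="-b 192.168.1.84") before the jail can use it.
find_jail_conflicts "$SAMPLE_NETSTAT" 192.168.1.85
```

On a live host the same function is run as `find_jail_conflicts "$(netstat -f inet -a)" 192.168.1.85`; sockstat(1), as the thread notes, then maps each reported port to the owning process.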