# Ping from inside ezjail failed



## Werner (Apr 14, 2010)

Hi there,

as the thread description says, ping from inside ezjail to any server on the internet won't work.

```
ping: socket: Operation not permitted
```

I set `# sysctl security.jail.allow_raw_sockets=1` but it also doesn't work.

My rc.conf


```
# -- sysinstall generated deltas -- # Sun Apr 11 23:18:56 2010
# Created: Sun Apr 11 23:18:56 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

hostname="localhost.localdomain"
ifconfig_em0="DHCP" # Yes, it's DHCP, but the assigned IP address wouldn't change, so it's OK.
ifconfig_em0_alias0="192.168.0.1/32"
ifconfig_em0_alias1="192.168.0.2/32"
ifconfig_em0_alias2="192.168.0.3/32"
keymap="german.iso"
sshd_enable="YES"
syslogd_flags="-s -s"

ezjail_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_logfile="/var/log/pflog"
pf_flags=""
gateway_enable="YES"
```


My pf.conf

```
###INTERFACES
if = "{ lo0,em0 }"

###SETTINGS
set block-policy drop

###OPEN TCP/UDP PORTS
tcp_pass = "{ 22 53 80 }"
udp_pass = "{ 22 53 80 }"
icmp_types = "echoreq"

###NORMALISATION
scrub in all

#Jail www
rdr on $if proto tcp from any to any port 10022 -> 192.168.0.1 port 22
rdr on $if proto udp from any to any port 10022 -> 192.168.0.1 port 22
binat on em0 proto tcp from 192.168.0.1 to any -> 10.0.2.15
binat on em0 proto udp from 192.168.0.1 to any -> 10.0.2.15
binat on em0 proto icmp from 192.168.0.1 to any -> 10.0.2.15

#Jail sql
rdr on $if proto tcp from any to any port 10023 -> 192.168.0.2 port 22
rdr on $if proto udp from any to any port 10023 -> 192.168.0.2 port 22
binat on em0 proto tcp from 192.168.0.2 to any -> 10.0.2.15
binat on em0 proto udp from 192.168.0.2 to any -> 10.0.2.15
binat on em0 proto icmp from 192.168.0.2 to any -> 10.0.2.15

antispoof for $if

###TABLES
table <intranet> { 192.168.0.0/24 }
table <bruteforce> persist

###RULES
set skip on lo0
block all
block quick from <bruteforce>
pass in quick from <intranet> to any keep state
pass in on $if proto tcp to any port $tcp_pass keep state
pass in on $if proto udp to any port $udp_pass keep state
pass out quick all keep state


#PING
pass in on $if inet proto icmp all icmp-type $icmp_types keep state

#TRACEROUTE
pass in on $if inet proto udp from any to any port 40000 >< 40100 keep state
```


Regards


----------



## riku (Apr 14, 2010)

You need to add some lines to your rc.conf like these:

```
jail_list="www"
jail_www_rootdir="/usr/jail/www"
jail_www_hostname="www"
jail_www_ip="192.168.0.2"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"
```


----------



## Werner (Apr 14, 2010)

Hi,

I added


```
jail_list="www"
jail_www_rootdir="/jails/www"
jail_www_hostname="www"
jail_www_ip="192.168.0.1"
jail_www_devfs_enable="YES"
jail_www_devfs_ruleset="www_ruleset"
```


to my rc.conf and I get the following error messages after `# ezjail-admin restart`:


```
Starting jails: /etc/rc.d/jail: WARNING: defs_set_ruleset: you must specifiy a ruleset number
devfs rule: ioctl DEVFSIO_SAPPLY: No such process
```

I tried to replace


```
jail_www_devfs_ruleset="www_ruleset"
```
with

```
jail_www_devfs_ruleset="devfsrules_www"
```

and that removed the aforesaid warnings/errors.

But ping still doesn't work.

Regards


----------



## lme@ (Apr 16, 2010)

To ping out of a jail you need to allow raw sockets inside the jail first.
Set:
`# sysctl security.jail.allow_raw_sockets=1`


----------



## Werner (Apr 16, 2010)

lme@ said:

> To ping out of a jail you need to allow raw sockets inside the jail first.
> Set:
> `# sysctl security.jail.allow_raw_sockets=1`



Hello @lme,

First of all thank you for your answer.

Unfortunately I'm not able to set `# sysctl security.jail.allow_raw_sockets=1` inside the ezjail:


```
www# sysctl security.jail.allow_raw_sockets=1
security.jail.allow_raw_sockets: 0
sysctl: security.jail.allow_raw_sockets: Operation not permitted
```

Regards


----------



## Werner (Apr 16, 2010)

I don't know why... I set `# sysctl security.jail.allow_raw_sockets` to zero again and then to 1 and used `# /usr/local/etc/rc.d/ezjail.sh` to restart jails and now it works. I don't get it.

Well anyway thank you for your help and @riku too.

(And soon I can edit my posts and don't need to reply that fast ;-) )


----------



## SirDice (Apr 16, 2010)

You need to set that sysctl _before_ the jails are started.


----------



## Werner (Apr 16, 2010)

SirDice said:

> You need to set that sysctl _before_ the jails are started.



Hm yah, that might be a good explanation :e. I didn't set security.jail.allow_raw_sockets in /etc/sysctl.conf, but I set ezjail in /etc/rc.conf to start them on boot. With the changes in /etc/sysctl.conf this problem should be solved now.
Thank you too.


----------



## Rudy (Jan 6, 2013)

*Set in your ezjail config...*

You want this inside your /usr/local/etc/ezjail/example_monkeybrains_net configuration file:

```
export jail_example_monkeybrains_net_parameters="allow.raw_sockets=1"
```

The recommended *jail -m jid=8 allow.raw_sockets=1* can alter a running jail, but you need to set it in your jail configuration file to make it permanent.  And, yes, you need to set up your /etc/sysctl.conf with the *security.jail.allow_raw_sockets=1* line as well.


----------



## Rudy (Jan 6, 2013)

*Multiple parameters...*

Here is the format for multiple parameters (separate with a space):

```
export jail_example_monkeybrains_net_parameters="allow.raw_sockets=1 allow.sysvipc=1"
```

And here is the output after restarting your jail:

```
# /usr/local/etc/rc.d/ezjail restart 
# jexec 6 sysctl security.jail | egrep '(allow_raw|sysvipc_allowed)'
security.jail.allow_raw_sockets: 1
security.jail.sysvipc_allowed: 1
```

PS: I know this thread was closed two years ago, but the advice didn't work for me... changes in the jail system?  Not sure, but adding these parameters helps!  Find out more about jail configuration by grepping *jail* out of /etc/defaults/rc.conf!


----------



## mad0 (Nov 8, 2013)

I had a problem after moving a few jails from FreeBSD 9.1 to 9.2.

Inside jail

```
ping: socket: Operation not permitted
```

Sysctl on host

```
security.jail.allow_raw_sockets: 1
```
Restart jail and ping still not permitted

Added

```
export jail_shell_parameters="allow.raw_sockets=1"
```
Into my jail configuration. After that ping is allowed.

PS. Same problem with chflags, I had to add:

```
export jail_shell_parameters="allow.raw_sockets=1 allow.chflags=1"
```
to allow chflags inside jail.


----------

