# Cannot git clone within jail?



## landaire (Jan 18, 2016)

I'm new to FreeBSD, jails, and a lot of this networking stuff. I followed this guide (https://www.kirkg.us/posts/how-to-configure-a-freebsd-jail-on-a-digital-ocean-droplet/) on creating a web server within a jail, which works fantastically. The problem comes when I try to do a `git clone` I get a timeout on port 443 error:


```
Failed to connect to github.com port 443: Operation timed out
```

Here's my pf.conf:

```
landaire% cat /etc/pf.conf
# Define the interfaces
ext_if = "vtnet0"
int_if = "lo1"
jail_net = $int_if:network

domain_net = "172.16.1.1"
domain_net_tcp_ports = "{ 80, 443 }"
www_domain_net = "172.16.1.2"

# Define the NAT for jails
nat on $ext_if from $jail_net to any -> ($ext_if)

# Redirect traffic on port 80 and 443 to the webserver jail
rdr pass on $ext_if inet proto tcp to port $domain_net_tcp_ports -> $domain_net
```

Where domain_net is the nginx server. Output of `ifconfig`:


```
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 04:01:86:bd:1c:01
    inet6 fe80::601:86ff:febd:1c01%vtnet0 prefixlen 64 scopeid 0x1
    inet [public ip] netmask 0xfffff000 broadcast 107.170.223.255
    inet6 2604:a880:1:20::7b:4001 prefixlen 64
    inet 10.12.0.6 netmask 0xffff0000 broadcast 10.12.255.255
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet 10Gbase-T <full-duplex>
    status: active
vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 04:01:86:bd:1c:02
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet 10Gbase-T <full-duplex>
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 172.16.1.1 netmask 0xffffff00
    inet 172.16.1.2 netmask 0xffffffff
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
```

I've asked in IRC a few times and have gotten help, but cannot resolve this issue.

Edit: I've kind of narrowed this down to general network weirdness. You can see my conversation with freebsdhelp (which is a fantastic account) here, but things are boiling down to:

- 
	
	



```
gethostbyname failure
```
 (per the output of `openssl s_client -connect www.google.com:80`)
- Connection timeouts as seen in this Tweet


----------



## SirDice (Jan 20, 2016)

You may need to install security/ca_root_nss to provide the CA SSL certificates. But it's strange it's giving a time-out though, I would have expected some SSL error about not being able to verify the server's certificate.


----------



## landaire (Jan 20, 2016)

SirDice said:


> You may need to install security/ca_root_nss to provide the CA SSL certificates. But it's strange it's giving a time-out though, I would have expected some SSL error about not being able to verify the server's certificate.



My mistake, I should have mentioned it does the same thing over plaintext HTTP as well and this is not unique to HTTPS connections. SSH connections seem to work fine (testing via `ssh -T git@github.com`) when DNS _actually _decides that it wants to work. I'm doing more testing with SSH right now to verify this though.

edit: Here's an example of SSH working, then not working immediately after:


----------

