# Services inside jails can't be accessed



## rush77 (Aug 1, 2014)

Hello,

I have a FreeBSD 9.2-RELEASE-p3 system with two jails, one is a little webserver and another one is a minecraft server.
It was working flawlessly until I ran a `portupgrade`. Now the jails can't access the outside network and the services inside jails can't be accessed.
I can't find what's wrong.

Here is the rc.conf of the base system:


```
ifconfig_sk0="inet 192.168.1.7 netmask 255.255.255.0"
ifconfig_sk0_alias0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_sk0_alias1="inet 192.168.1.12 netmask 255.255.255.0"
defaultrouter="192.168.1.1"

jail_enable="YES"
jail_list="www mncrft"
jail_set_hostname_allow="NO"

jail_www_hostname="www.example.org"
jail_www_ip="192.168.1.12"
jail_www_rootdir="/usr/home/j/www"
jail_www_devfs_enable="YES"

jail_mncrft_hostname="mncrft.mooo.com"
jail_mncrft_ip="192.168.1.10"
jail_mncrft_rootdir="/usr/home/j/mncrft"
jail_mncrft_devfs_enable="YES"
```

And here the rc.conf from one of the jails, the other one is nearly identical:

```
keymap="spanish.iso.acc.kbd"
ifconfig_sk0="inet 192.168.1.10 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
```

Thank you very much.


----------



## SirDice (Aug 1, 2014)

You can remove the `ifconfig_*` and `defaultrouter` settings from the jail's rc.conf. Those are set on the host with jail.conf and cannot be changed or set in a jail. The `ifconfig_*_alias*` on the host could be removed too. They won't do any harm but a properly configured jail.conf will add/remove the IP addresses dynamically when the jails start/stop.

None of this explains why your services are not working though. Ports have very little to do with basic TCP/IP routing. Are you sure your jail.conf is configured correctly? Can you post it?

Edit: Never mind, I see you're still using the old-fashioned way of configuring jails. I suggest using jail.conf(5) instead. Those variables have been deprecated for a while and your last update may have disabled them completely.


----------



## rush77 (Aug 1, 2014)

Thanks for the answer @SirDice.

I don't have a jail.conf. I assume it must be inside /etc.


----------



## SirDice (Aug 1, 2014)

rush77 said:

> I don't have a jail.conf. I assume it must be inside /etc.


Correct.


----------



## rush77 (Aug 1, 2014)

SirDice said:

> rush77 said:
>
> ...



Then I guess I must have a jail.conf?


----------



## kpa (Aug 2, 2014)

rush77 said:

> SirDice said:
>
> ...



Not necessarily but using a jail.conf(5) makes jail configuration a bit easier. The alternative to it is the older way of configuring jails which is using the jail_* variables in rc.conf(5) as you're now doing.


----------



## rush77 (Aug 2, 2014)

Then what's wrong with my system? It was working ok until I've had to reboot it...


----------



## rush77 (Aug 2, 2014)

Ok, now I have jail.conf like that. What's strange is that minecraft is working but not the web server.


```
mncrft {
        host.hostname=mncrft.mooo.com;
        ip4.addr=192.168.1.10;
        interface=sk0;
        path=/usr/home/j/mncrft;
        mount.devfs;
        exec.start="/bin/sh /etc/rc";
        exec.stop="/bin/sh /etc/rc.shutdown";
}
www {
        host.hostname=www.example.org;
        ip4.addr=192.168.1.12;
        interface=sk0;
        path=/usr/home/j/www;
        mount.devfs;
        exec.start="/bin/sh /etc/rc";
        exec.stop="/bin/sh /etc/rc.shutdown";
}
```


----------



## rush77 (Aug 3, 2014)

Well, I tried it again and now it works. It looks like it takes some time for the system to settle...

Thanks for the help!


----------



## rush77 (Aug 3, 2014)

The webserver is not working again, although the minecraft jail is working.

I've noticed that if I do an `nslookup www.google.com` from the minecraft jail it works, but from the www jail it doesn't work.
Checking the apache access log it shows that the web page petition is actually reaching apache. Now I'm not sure if it's apache that's not doing its work or if it's that the jail doesn't send the packages outside...


----------



## SirDice (Aug 3, 2014)

I don't see anything wrong with your jail.conf, it should work. When you say the jail doesn't work, does it actually start? Or does the jail start but there's something not working inside the jail?


----------



## rush77 (Aug 3, 2014)

SirDice said:

> I don't see anything wrong with your jail.conf, it should work. When you say the jail doesn't work, does it actually start? Or does the jail start but there's something not working inside the jail?



The jail starts, but apache24 inside the jail can't be accessed, or sometimes it is working and sometimes not. I don't understand why.
The thing I noticed is that the www jail can't look up DNS names nor ping (even if I allow raw sockets for this jail). The other jail (mncrft) can ping and look up DNS names...


----------



## SirDice (Aug 3, 2014)

Run a tcpdump(1) on the host, on the sk0 interface. You should at least see some traffic coming in. You should also see traffic going out the jail. I usually test with a simple `nc -v 8.8.8.8 12345` for example. It won't connect but you should see the SYN packets leaving the host.


----------



## rush77 (Aug 3, 2014)

Running a `tcpdump` on the host and `nc` in the jail I get this from the dump:


```
17:02:32.985448 IP 192.168.1.12.14404 > google-public-dns-a.google.com.12345: Flags [S], seq 1182867012, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 11615652 ecr 0], length 0
17:02:35.985465 IP 192.168.1.12.14404 > google-public-dns-a.google.com.12345: Flags [S], seq 1182867012, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 11618652 ecr 0], length 0
17:02:39.185454 IP 192.168.1.12.14404 > google-public-dns-a.google.com.12345: Flags [S], seq 1182867012, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 11621852 ecr 0], length 0
```

But I don't know what this means...


----------



## SirDice (Aug 4, 2014)

rush77 said:

> But I don't know what this means...


It means that network packets are traveling from your jail to the host and out the interface. So your connection issues are probably caused somewhere upstream, like your router.


----------
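
The reading of the capture given above, as an added example that is not part of the original thread: the script below groups the output of `tcpdump` by flow and reports SYNs that were retransmitted without any SYN-ACK coming back, which is the pattern in the three posted lines. The function name `unanswered_syns` and the second, answered flow in the sample (using the documentation address 192.0.2.1) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed input: the three lines posted in the thread, plus a constructed
# answered handshake (documentation address 192.0.2.1) for contrast.
SAMPLE = """\
17:02:32.985448 IP 192.168.1.12.14404 > google-public-dns-a.google.com.12345: Flags [S], seq 1182867012, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 11615652 ecr 0], length 0
17:02:35.985465 IP 192.168.1.12.14404 > google-public-dns-a.google.com.12345: Flags [S], seq 1182867012, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 11618652 ecr 0], length 0
17:02:39.185454 IP 192.168.1.12.14404 > google-public-dns-a.google.com.12345: Flags [S], seq 1182867012, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 11621852 ecr 0], length 0
17:03:01.100000 IP 192.168.1.10.50000 > 192.0.2.1.12345: Flags [S], seq 100, win 65535, length 0
17:03:01.120000 IP 192.0.2.1.12345 > 192.168.1.10.50000: Flags [S.], seq 200, ack 101, win 65535, length 0
"""

# Matches tcpdump's default one-line TCP output: time, src > dst, flags, seq.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:, seq (?P<seq>\d+))?"
)


def unanswered_syns(dump):
    """Return {(src, dst, seq): [timestamps]} for SYNs that never got a SYN-ACK."""
    syns = defaultdict(list)   # every SYN seen, retransmissions share one key
    answered = set()           # (client, server) pairs that received a SYN-ACK
    for line in dump.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["flags"] == "S":
            syns[(m["src"], m["dst"], m["seq"])].append(m["ts"])
        elif m["flags"] == "S.":
            # The SYN-ACK travels server -> client, so swap the endpoints.
            answered.add((m["dst"], m["src"]))
    return {k: ts for k, ts in syns.items() if (k[0], k[1]) not in answered}


if __name__ == "__main__":
    for (src, dst, seq), stamps in unanswered_syns(SAMPLE).items():
        print(f"{src} -> {dst}: {len(stamps)} SYNs (seq {seq}), no SYN-ACK seen")
```

Repeated SYNs with the same sequence number and no reply show that the jail's packets leave the host interface, so the next place to look is beyond the host.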



## rush77 (Aug 4, 2014)

SirDice said:

> rush77 said:
>
> ...



Finally solved! My access point decided to ignore the DHCP's address pool and give the web server's address to my phone.
Sorry for taking your time with such a stupid problem.


----------

