# Can't ping from jails



## andrewm659 (Jul 25, 2015)

So I got jails working w/ ezjail on FreeBSD 10.1 but I can't ping from it.  I used this kernel parameter to allow networking:

`# sysctl security.jail.allow_raw_sockets=1`

Not sure if I need this to allow ping to happen...

`# sysctl net.inet.ip.forwarding=1`

`root@asm-monitoring01:~ # cat /etc/sysctl.conf`

```
# $FreeBSD: releng/10.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.jail.allow_raw_sockets=1
```


----------



## junovitch@ (Jul 25, 2015)

What is the output of `sysctl security.jail.param.allow.raw_sockets` in the jail?  What exactly does the ping say?


----------



## andrewm659 (Jul 25, 2015)

`root@asm-monitoring01:~ # cat /etc/sysctl.conf`

```
# $FreeBSD: releng/10.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
security.jail.allow_raw_sockets=1
```


----------



## junovitch@ (Jul 25, 2015)

andrewm659 said:


> `root@asm-monitoring01:~ # cat /etc/sysctl.conf`
> ...



Yes but what is the output of `sysctl security.jail.param.allow.raw_sockets` run inside the jail?  What does it see as being valid for its namespace?


----------



## andrewm659 (Jul 25, 2015)

`root@asm-monitoring01:~ # sysctl security.jail.param.allow.raw_sockets`

```
security.jail.param.allow.raw_sockets: 0
```


----------



## junovitch@ (Jul 25, 2015)

Ah. Sorry, it is actually `sysctl security.jail.allow_raw_sockets` to view it inside the jail.  I believe you just need to add the parameter sysctl(8) I was mentioning.  You can do a quick find/replace edit with a command like the following.  Just set this for any jails that need to be allowed access to raw sockets.

`sed -i '' -e 's/parameters=""/parameters="allow.raw_sockets=1"/g' /usr/local/etc/ezjail/<put_your_jailname_here>`


----------



## andrewm659 (Jul 25, 2015)

Can I do it for all of them?


----------



## junovitch@ (Jul 25, 2015)

andrewm659 said:


> Can I do it for all of them?


Of course.  Just do `sed -i '' -e 's/parameters=""/parameters="allow.raw_sockets=1"/g' /usr/local/etc/ezjail/*`


----------



## andrewm659 (Jul 25, 2015)

Wait, why am I putting it in /usr/local/etc/jails and not /etc/sysctl.conf?  I guess I'm a little confused on that.


----------



## wblock@ (Jul 25, 2015)

ezjail has a configuration file for each jail, kept in /usr/local/etc/ezjail/_jailname_.


----------



## junovitch@ (Jul 26, 2015)

andrewm659 said:


> Wait, why am I putting it in /usr/local/etc/jails and not /etc/sysctl.conf?  I guess I'm a little confused on that.



I want to say setting it globally in /etc/sysctl.conf worked for me in the past.  However, I only used this setting for testing and never permanently.  Setting it via the `sysctl security.jail.param.allow.raw_sockets` parameter that is placed in /usr/local/etc/ezjail/jailname is what works on my machine now.  I'll speculate that this may be a jail.conf(5) conversion oddity but it is just speculation without getting a range of versions to check.


----------



## gessel (Dec 14, 2015)

Remember to restart your jail so the change takes effect:

`# service ezjail restart jailname`


----------
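The per-jail approach from the thread, as an added example that is not part of the original posts or ezjail's own code: it adds `allow.raw_sockets=1` to one named jail's config even when `parameters` is already non-empty (the thread's sed only matches an empty `parameters=""`), and reports which configs grant it. It assumes one `parameters="..."` line per file with space-separated entries; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not ezjail code). Assumption: each ezjail config file has one
# line containing parameters="..." with space-separated jail parameters.

RAW_RE='parameters="[^"]*allow\.raw_sockets=1'

# Report, for each config file given, whether it grants raw sockets.
audit_raw_sockets() {
    for f in "$@"; do
        if grep -Eq "$RAW_RE" "$f"; then
            echo "$f: granted"
        else
            echo "$f: not granted"
        fi
    done
}

# Grant raw sockets to ONE jail's config. Keeps existing parameters and is
# idempotent, so running it twice does not duplicate the entry.
grant_raw_sockets() {
    cfg=$1
    grep -Eq "$RAW_RE" "$cfg" && return 0
    tmp=$(mktemp "${TMPDIR:-/tmp}/rawsock.XXXXXX") || return 1
    # 1st expression: empty parameters="" (the case the thread's sed handles).
    # 2nd expression: non-empty list, append unless the 1st already added it.
    sed -e 's/parameters=""/parameters="allow.raw_sockets=1"/' \
        -e '/allow\.raw_sockets=1/!s/parameters="\([^"]*\)"/parameters="\1 allow.raw_sockets=1"/' \
        "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# Audit any config paths passed on the command line,
# e.g. sh thisfile /usr/local/etc/ezjail/*
if [ "$#" -gt 0 ]; then
    audit_raw_sockets "$@"
fi
```

Granting the parameter only to the jails that need ping leaves root in every other jail unable to open raw sockets, and the audit function shows at a glance where the exception has been made.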

