# Need help with jail setup



## funkfisk (May 26, 2010)

Hi!

I've recently begun trying to set up a jail for my webserver, and I can't get it to function correctly.

The host is running a jail on a specific IP. It is also used as a firewall for my LAN and the setup looks like this:

Internet <--fxp0--> FreeBSD server (host) <--rl0--> LAN

I have got it running so that it's able to connect from my LAN; it works without any problems (when I type 192.168.1.5:8080 in the browser it accesses the jail). But I can't get it to connect from the internet. I have configured the firewall/NATd to forward the packets to my jail server address, and since I have other forwarding in place that works it can't be a firewall problem. I investigated (at least as far as I am capable of) the problem and it seems that packets reach the firewall and get through, but the jail doesn't respond to the initial handshake, and I'm not sure what is causing that.

I would be glad to get some help with this since I have been trying day after day with different configurations.
regards
fisk

My configuration

Host (rl0 = lan, fxp0 = internet):

host: 83.xx.xx.xx
jail: 192.168.1.5

rc.conf (snippet)

```
ifconfig_rl0="inet 192.168.0.1  netmask 255.255.255.0"
ifconfig_fxp0="DHCP"
ifconfig_fxp0_alias0="inet 192.168.1.5 netmask 0xffffffff"

gateway_enable="YES"

natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

# Jails
jail_enable="YES"   # Set to NO to disable starting of any jails
jail_list="www"     # Space separated list of names of jails

jail_interface="fxp0"
jail_www_rootdir="/usr/jail/www"     # jail's root directory
jail_www_hostname="www.local"  # jail's hostname
jail_www_ip="192.168.1.5"          # jail's IP address
jail_www_devfs_enable="YES"          # mount devfs in the jail
jail_www_devfs_ruleset="www_ruleset" # devfs ruleset to apply to jail
```

natd.conf

```
#log
#verbose

dynamic     yes
use_sockets yes
same_ports  yes

# Redirections 
redirect_port tcp 192.168.1.5:8080 8080
#redirect_address tcp 192.168.1.5 83.xx.xx.xx
```

jail:

rc.conf

```
network_interfaces=""
rpcbind_enable="NO"
hostname="www.local"
clear_tmp_enable="YES"
securelevel_enable="YES"
kern_securelevel="3"
apache22_enable="YES"
```

httpd.conf (snippet)

```
#Listen 192.168.1.5:8080
Listen 8080
```

Also, hosts and resolv.conf are updated with correct information.


----------



## SirDice (May 26, 2010)

Remove the natd on the host. You don't need it. You also don't need the ifconfig_fxp0_alias, the jail_www_ip already takes care of that.

Change the httpd.conf on the jail to Listen on its IP address.


----------



## funkfisk (May 26, 2010)

Why won't I need the NATd? The machine is also a gateway between my LAN and the internet (which I didn't mention.. oops). The other changes didn't make much difference :\


----------



## anomie (May 26, 2010)

I think he's saying you do not need natd for the _jail_ itself to work (which is true). 

Why is your jail IP bound to an fxp0 alias, rather than a rl0 alias?


----------



## funkfisk (May 26, 2010)

anomie said:

> Why is your jail IP bound to an fxp0 alias, rather than a rl0 alias?

Because fxp0 is facing the Internet. What good is letting it be on the LAN card?


----------



## SirDice (May 26, 2010)

Attaching the jail to fxp0 is fine. Just use an address in the same range. Forward your external port 8080 to that address and you're done.


----------



## anomie (May 26, 2010)

funkfisk said:

> Because fxp0 is facing the Internet. What good is letting it be on the LAN card?

192.168/16 is private IP space. Putting it on fxp0 with a 0xffffffff (/32) netmask does not make sense. You only use such a netmask for an alias if they're on the same subnet. If they're not on the same subnet, you need to use a proper netmask (or bind it to rl0 like I said).

_If_ you have a second internet-routable IP address, then SirDice's solution is nice and clean. If you don't, then I guess NAT will be your approach after all.


----------



## funkfisk (May 28, 2010)

anomie said:

> _If_ you have a second internet-routable IP address, then SirDice's solution is nice and clean. If you don't, then I guess NAT will be your approach after all.

I've been trying to use redirect_address on the NATd from my internet address to 192.168.1.5 on the fxp0 side, and that didn't work. So, using the NATd to redirect to the rl0 (LAN) side of the gateway should do the trick?

I'm quite new to networking but I'm trying to learn as time goes, and I'm not totally sure about the task of subnet masks, but since this seems to be the issue I should research a bit more.


----------



## SirDice (May 28, 2010)

funkfisk said:

> I'm quite new to networking but I'm trying to learn as time goes, and I'm not totally sure about the task of subnet masks, but since this seems to be the issue I should research a bit more.

Yes, you really need to have at least a basic understanding of TCP/IP and how it works.

Probably not the easiest to understand but there's an actual RFC for it: RFC-1180.


----------



## anomie (May 28, 2010)

Also, please check my netmask comment again. If you add an IP alias to an interface with an IP on the same subnet, your netmask is OK as is. If you add an IP alias to an interface with an IP on a _different_ subnet, you must use a real netmask. 

Assuming you do not have another internet-routable IP, I still think the most logical method is to keep your existing jail IP/netmask, but put it on the rl0 interface. YMMV.


----------
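As an added illustration of anomie's netmask point (this script is not from the thread), the POSIX sh below checks whether an alias address shares the subnet of the interface it is attached to, using the thread's own addresses; 203.0.113.10/24 is a constructed stand-in for the elided 83.xx.xx.xx fxp0 address, and rl0 is 192.168.0.1/24 from the host rc.conf. It also shows that 192.168.1.5 is outside rl0's /24 too, which is why the alias needs a real netmask there or an address inside the LAN subnet.

```shell
#!/bin/sh
# Added example, not from the thread: does a jail alias address belong to the
# subnet of the interface it is attached to? A 0xffffffff (/32) alias only
# makes sense when the alias shares the interface's subnet.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IFACE_ADDR ALIAS_ADDR NETMASK: exit 0 when both share a network.
same_subnet() {
    a=$(ip2int "$1"); b=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# alias_advice IFACE_ADDR IFACE_MASK ALIAS_ADDR: prints "/32" when the alias
# sits on the interface's subnet (the usual 0xffffffff alias), otherwise
# "real-mask", meaning the alias needs the netmask of its own subnet (or a
# different address inside the interface's subnet).
alias_advice() {
    if same_subnet "$1" "$3" "$2"; then echo "/32"; else echo "real-mask"; fi
}

# The thread's cases. 203.0.113.10/24 is a constructed stand-in for the
# elided 83.xx.xx.xx address on fxp0; the fxp0 mask is assumed.
for entry in "fxp0 203.0.113.10 255.255.255.0 192.168.1.5" \
             "rl0  192.168.0.1  255.255.255.0 192.168.1.5" \
             "rl0  192.168.0.1  255.255.255.0 192.168.0.5"; do
    set -- $entry
    printf '%s alias %s -> %s\n' "$1" "$4" "$(alias_advice "$2" "$3" "$4")"
done
```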



## SirDice (May 28, 2010)

Another option is to clone lo0 and attach the jail to that (lo1).


----------



## funkfisk (May 28, 2010)

Seems like I got it to work after putting it on rl0 with the internal network address. Thank you both for giving me more insight into the wonderful world of internets.


----------

