# No network with jail (ezjail)



## soylentgreen (Oct 16, 2009)

I have a 'working' jail system, but I am trying to get another going. The only services I need on the new jail system are SSHD and rsync. I believe I used the exact same procedure to get the new jail running that I did for the jail on the 'old' system, but I cannot get any network. The host system is able to get out to the network, and I am able to SSH into it. I modified the /etc/ssh/sshd_config to only listen on the host IP (10.1.10.49) and I have an alias set in my /etc/rc.conf as per below:

```
ifconfig_re0="inet 10.1.10.49  netmask 255.255.255.0"
defaultrouter="10.1.10.1"
sshd_enable="YES"
hostname="jailer.domain.local"
# -- sysinstall generated deltas -- # Fri Oct 16 07:27:23 2009
moused_enable="YES"
webmin_enable=YES
ezjail_enable=YES
ifconfig_re0_alias0="inet 10.1.10.50/32"
syslogd_flags="-ss"
ifconfig_re0_alias1="inet 10.1.10.51/32"
```


I used ezjail to create the base jails, etc. My ezjail.conf is basically the 'sample' one with one change for the default directory:

```
ezjail_jaildir=/array0/jails
```

The /usr/local/etc/ezjail/cti config file is default.

```
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#

export jail_cti_hostname="cti"
export jail_cti_ip="10.1.10.50"
export jail_cti_rootdir="/array0/jails/cti"
export jail_cti_exec="/bin/sh /etc/rc"
export jail_cti_mount_enable="YES"
export jail_cti_devfs_enable="YES"
export jail_cti_devfs_ruleset="devfsrules_jail"
export jail_cti_procfs_enable="YES"
export jail_cti_fdescfs_enable="YES"
export jail_cti_image=""
export jail_cti_imagetype=""
export jail_cti_attachparams=""
export jail_cti_attachblocking=""
export jail_cti_forceblocking=""
```


The /array0/jails/cti/etc/rc.conf has:

```
sshd_enable=YES
```

I put the proper DNS name servers in /array0/jails/cti/etc/resolv.conf.

ifconfig from inside the jail shows:

```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:24:1d:20:ab:d5
        inet 10.1.10.50 netmask 0xffffffff broadcast 10.1.10.50
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:eb:fe:00:1f:d0
        ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        lladdr 0.eb.fe.c6.0.0.1f.d0.a.2.ff.fe.0.0.0.0
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
```

And inside the jail, netstat -a:

```
cti# netstat -a
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 cti.smtp               *.*                    LISTEN
tcp4       0      0 cti.ssh                *.*                    LISTEN
udp4       0      0 cti.syslog             *.*
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
c6211540 dgram       0      0        0 c5b64c78        0 c62117e0
c5b65540 dgram       0      0        0 c5b65150        0        0
c62117e0 dgram       0      0        0 c5b64c78        0        0
c5b64c78 dgram       0      0 c7de2000        0 c6211540        0 /var/run/logpriv
c5b65150 dgram       0      0 c7df878c        0 c5b65540        0 /var/run/log
```

I can ping the jail's IP from the host machine, and other machines. I cannot ping out from inside the jail, and when I try to SSH into it, I get either 'connection refused' or 'broken pipe'.

I've double-checked the config files with the ones from the 'working' jail, but I am at a loss.  I am just starting this project, and if I have to scrap the jail and start over, I'm willing to do so.  Can someone direct me on creating this 'simple' jail?

Thanks


----------



## soylentgreen (Oct 16, 2009)

*[solved]*

Yeah, make sure the IP is available before you assign it to your jail.

It works on an IP that isn't being used.

Sorry to waste your time.


----------
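An added example, not part of the thread: one way to run the check the fix describes, by testing whether a candidate jail IP already resolves to some other machine's MAC address before it goes into `ifconfig_re0_alias0`. The function name, the assumed `arp -an` line shape, and the sample table (including the MAC `02:00:00:aa:bb:cc`) are constructed for illustration; only the IPs and the host's `re0` MAC come from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `arp -an` style output on stdin.
# On the host, provoke an ARP lookup first, then feed the table in:
#   ping -c 2 10.1.10.50 >/dev/null 2>&1
#   arp -an | ip_claimed_by_other 10.1.10.50 00:24:1d:20:ab:d5

# ip_claimed_by_other IP OWN_MAC   (hypothetical helper)
#   prints the foreign MAC and returns 0 if IP resolves to a MAC other
#   than OWN_MAC; returns 1 if IP is absent, unresolved, or the host's own.
ip_claimed_by_other() {
    awk -v ip="$1" -v own="$2" '
        BEGIN { own = tolower(own); rc = 1 }
        # Assumed line shape: "? (10.1.10.50) at 00:11:22:33:44:55 on re0 ..."
        $2 == ("(" ip ")") && $3 == "at" {
            mac = tolower($4)
            # "(incomplete)" entries fail the MAC pattern: nobody answered.
            if (mac ~ /^([0-9a-f][0-9a-f]?:)+[0-9a-f][0-9a-f]?$/ && mac != own) {
                print mac; rc = 0; exit
            }
        }
        END { exit rc }
    '
}

# Constructed sample table: .49 is the host itself, .50 is answered by
# another machine, .51 got no ARP reply.
sample_arp() {
    cat <<'EOF'
? (10.1.10.1) at 00:1b:21:00:00:01 on re0 [ethernet]
? (10.1.10.49) at 00:24:1d:20:ab:d5 on re0 permanent [ethernet]
? (10.1.10.50) at 02:00:00:aa:bb:cc on re0 [ethernet]
? (10.1.10.51) at (incomplete) on re0 [ethernet]
EOF
}

for candidate in 10.1.10.50 10.1.10.51; do
    if other=$(sample_arp | ip_claimed_by_other "$candidate" 00:24:1d:20:ab:d5); then
        echo "$candidate: already in use by $other, pick another address"
    else
        echo "$candidate: no other machine answered ARP"
    fi
done
```

A silent result only means nothing answered ARP at that moment; a machine that is powered off or on another segment will not show up, so the address should also be checked against the DHCP pool and any static assignments.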

