# No internet connection inside jail



## styko (Sep 6, 2015)

I am currently trying to set up a server on FreeBSD. I want to create jails with ezjail according to the handbook. I am following the example to install BIND inside a jail but I am stuck at the installation step (`make -C /usr/ports/dns/bind99 install clean`).

At first I thought I had a DNS problem (bad /etc/resolv.conf) but it seems that I have simply no internet inside the jail.

On the host: (8.8.178.110 is www.freebsd.org)


```
root@varda:~ # nc -z -w 2 8.8.178.110 80
Connection to 8.8.178.110 80 port [tcp/http] succeeded!
```

Inside the jail:


```
root@dns:~ # nc -z -w 2 8.8.178.110 80; echo $?
1
```

Any idea what is going on? Thanks!

PS: I posted the same on SE without success so far. The post might be interesting if you want to see the results of `ezjail-admin list` and `ifconfig`.


----------



## wblock@ (Sep 6, 2015)

styko said:


> At first I thought I had a DNS problem (bad /etc/resolv.conf) but it seems that I have simply no internet inside the jail.


Your post does not show the error.  Please show that, and the output of `ifconfig`.


----------



## junovitch@ (Sep 6, 2015)

On Stack Exchange the `ifconfig` shows ???.???.???.??? for the IP address.  Is that the real public IP address?  If so, is NAT enabled so that the jails with private IP addresses can talk outbound?


----------



## styko (Sep 6, 2015)

junovitch@: sorry about the ???, it is indeed the real public IP address given by the provider (OVH). I chose not to display it.

Yes, the jails have only private IP addresses and this might be the problem. Can you tell me a bit more about NAT (provide a good link on what to do)? I didn't see it in the handbook.

wblock@: I thought that the fact that `nc` fails in the jail (no output and returns 1) and not on the host was indeed a problem. I found the command here. Anyways here is the error with ports:


```
root@dns:~ # make -C /usr/ports/dns/bind99 install clean
===> Building/installing dialog4ports as it is required for the config dialog
===>  Cleaning for dialog4ports-0.1.5_2
===> Skipping 'config' as NO_DIALOG is defined
===>  License BSD2CLAUSE accepted by the user
===>  dialog4ports-0.1.5_2 depends on file: /usr/local/sbin/pkg - not found
===> Skipping 'config' as NO_DIALOG is defined
===>  License BSD2CLAUSE accepted by the user
=> pkg-1.5.6.tar.xz doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch http://files.etoilebsd.net/pkg/pkg-1.5.6.tar.xz
fetch: http://files.etoilebsd.net/pkg/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz
fetch: http://distcache.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://mirror.shatow.net/freebsd/pkg/pkg-1.5.6.tar.xz
fetch: http://mirror.shatow.net/freebsd/pkg/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/pkg-1.5.6.tar.xz
fetch: http://distcache.FreeBSD.org/ports-distfiles/pkg-1.5.6.tar.xz: No address record
=> Couldn't fetch it - please try to retrieve this
=> port manually into /var/ports/distfiles/ and try again.
*** Error code 1

Stop.
make[5]: stopped in /basejail/usr/ports/ports-mgmt/pkg
*** Error code 1

Stop.
make[4]: stopped in /basejail/usr/ports/ports-mgmt/pkg
*** Error code 1

Stop.
make[3]: stopped in /basejail/usr/ports/ports-mgmt/dialog4ports
*** Error code 1

Stop.
make[2]: stopped in /basejail/usr/ports/ports-mgmt/dialog4ports
===> Options unchanged
===>  License ISCL accepted by the user
===>  bind99-9.9.7P3 depends on file: /usr/local/sbin/pkg - not found
===>  License BSD2CLAUSE accepted by the user
=> pkg-1.5.6.tar.xz doesn't seem to exist in /var/ports/distfiles/.
=> Attempting to fetch http://files.etoilebsd.net/pkg/pkg-1.5.6.tar.xz
fetch: http://files.etoilebsd.net/pkg/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz
fetch: http://distcache.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz
fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz
fetch: http://distcache.eu.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz
fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/portmgr/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://mirror.shatow.net/freebsd/pkg/pkg-1.5.6.tar.xz
fetch: http://mirror.shatow.net/freebsd/pkg/pkg-1.5.6.tar.xz: No address record
=> Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/pkg-1.5.6.tar.xz
fetch: http://distcache.FreeBSD.org/ports-distfiles/pkg-1.5.6.tar.xz: No address record
=> Couldn't fetch it - please try to retrieve this
=> port manually into /var/ports/distfiles/ and try again.
*** Error code 1

Stop.
make[2]: stopped in /basejail/usr/ports/ports-mgmt/pkg
*** Error code 1

Stop.
make[1]: stopped in /basejail/usr/ports/dns/bind99
*** Error code 1

Stop.
make: stopped in /basejail/usr/ports/dns/bind99
```

A little more information (varda is the host, dns is the jail). It will be a bit long!


```
root@varda:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:22:4d:ad:be:2a
        inet ???.???.???.??? netmask 0xffffff00 broadcast ???.???.???.???
        inet6 fe80::222:4dff:fead:be2a%em0 prefixlen 64 scopeid 0x1
        inet6 2001:41d0:a:f231::1 prefixlen 128
        inet 192.168.4.1 netmask 0xffffffff broadcast 192.168.4.1
        inet 192.168.3.1 netmask 0xffffffff broadcast 192.168.3.1
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.1.1 netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo2: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.2.1 netmask 0xffffffff
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
```
Again, ???.???.???.??? is the public IP address.

```
root@dns:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:22:4d:ad:be:2a
        inet 192.168.3.1 netmask 0xffffffff broadcast 192.168.3.1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo2: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.2.1 netmask 0xffffffff
```


```
root@varda:~ # ezjail-admin list
STA JID IP Hostname Root Directory
--- ---- --------------- ------------------------------ ------------------------
DR 2 192.168.4.1 www /home/jails/www
2 lo1|127.0.1.1
DR 3 192.168.3.1 dns /home/jails/dns
3 lo2|127.0.2.1
```

www is another jail in which I have the same problem. I might not have been clever with the IP addresses. Is it better to have www (apache) and dns (bind) on the same loopback interface (lo1)?

Content of resolv.conf, both on varda and dns:

```
# nameserver 213.186.33.99
nameserver 127.0.0.1
options edns0
```


----------



## junovitch@ (Sep 6, 2015)

A look at the firewall chapter of the Handbook is a good start.

For example, for pf(4):
https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

A simplistic /etc/pf.conf might start with this.

```
set skip on lo
nat on em0 from !(em0) to any -> (em0:0)
block all
pass out keep state
```

And it can be enabled with `sysrc pf_enable=YES` and started with `service pf start`. (Note: Don't do this if you are logged in remotely. The example rules above will lock you out permanently.)
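A fuller /etc/pf.conf for this kind of setup, added here as an example and not taken from the thread or from the Handbook page linked above. The interface name `em0`, the jail networks 192.168.3.0/24 and 192.168.4.0/24 and the assumption that the jail addresses are aliases on em0 are all read off the `ifconfig` and `ezjail-admin list` output posted earlier; adjust them to your own host. The one deliberate difference from the simplistic rules above is the NAT rule's source match: `(em0)` expands to every address configured on em0, aliases included, and the host's `ifconfig` shows 192.168.3.1 and 192.168.4.1 sitting on em0, so `from !(em0)` would exclude exactly the jail traffic you want translated. Matching the jail networks explicitly avoids that.

```pf
# /etc/pf.conf (added example, not from the thread)
# Assumptions: em0 is the single public interface, the ezjail jails use
# 192.168.3.x / 192.168.4.x addresses that ezjail has attached to em0 as
# /32 aliases, and the host is administered over SSH on em0.

ext_if   = "em0"
jail_net = "{ 192.168.3.0/24, 192.168.4.0/24 }"

# Do not filter loopback traffic; the "lo" group also covers the lo1 / lo2
# clones that ezjail uses for the jails' 127.0.x.1 addresses.
set skip on lo

# Source-NAT jail traffic leaving em0 to em0's primary address (":0" drops
# the aliases, so the jail addresses themselves are never chosen as the
# translation address). Match the jail networks explicitly rather than
# "!(em0)": the jail addresses are aliases on em0, so they are part of
# (em0) and a negated match would skip them.
nat on $ext_if from $jail_net to any -> ($ext_if:0)

# Default deny inbound; allow everything outbound with state, which also
# covers the translated jail connections and lets their replies back in.
block in all
pass out all keep state

# Keep the management path open so loading these rules remotely does not
# lock you out.
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

# Jail services are only reachable from outside through explicit rdr rules,
# e.g. (uncomment and adjust) to publish the dns jail's resolver:
# rdr pass on $ext_if proto { tcp, udp } to ($ext_if) port domain -> 192.168.3.1
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sn` shows the NAT rules as pf parsed them and `pfctl -ss` lists the active state entries, so a translated jail connection should appear there while `jexec dns nc -z -w 2 8.8.178.110 80` runs from the host. Note also that inside a jail 127.0.0.1 is mapped to the jail's own first IPv4 address, so a `resolv.conf` pointing at `nameserver 127.0.0.1` only resolves anything if a resolver is actually listening inside that jail; the "No address record" lines in the ports output above are DNS failures, separate from the NAT question.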


----------



## styko (Sep 7, 2015)

I'm reading about PF. In the meanwhile I tried your /etc/pf.conf without the lines that would lock me out (yes, I know this config is insecure).

```
set skip on lo
nat on em0 from !(em0) to any -> (em0:0)
```


```
# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
nat on em0 from ! (em0) to any -> (em0:0)
```

I also tried to follow this page.

```
IP_PUB="37.187.121.255"
IP_WWW="192.168.4.1"
NET_WWW="192.168.4.0/24"
PORT_WWW="{80,443,4001}"
IP_DNS="192.168.3.1"
NET_DNS="192.168.3.0/24"
PORT_DNS="4002"
scrub in all
nat pass on em0 from $NET_WWW to any -> $IP_PUB
rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_WWW -> $IP_WWW
nat pass on em0 from $NET_DNS to any -> $IP_PUB
rdr pass on em0 proto tcp from any to $IP_PUB port $PORT_DNS -> $IP_DNS
```


```
# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
nat pass on em0 inet from 192.168.4.0/24 to any -> 37.187.121.255
nat pass on em0 inet from 192.168.3.0/24 to any -> 37.187.121.255
rdr pass on em0 inet proto tcp from any to 37.187.121.255 port = http -> 192.168.4.1
rdr pass on em0 inet proto tcp from any to 37.187.121.255 port = https -> 192.168.4.1
rdr pass on em0 inet proto tcp from any to 37.187.121.255 port = 4001 -> 192.168.4.1
rdr pass on em0 inet proto tcp from any to 37.187.121.255 port = 4002 -> 192.168.3.1
```

But I still don't have any internet connection (`nc`, `ssh`, …). Any idea what I am missing?

My /etc/rc.conf:

```
# Lot of default stuff

# For ezjail
cloned_interfaces="${cloned_interfaces} lo1 lo2"
ezjail_enable="YES"
ipv4_addrs_lo1="192.168.4.0/24"
ipv4_addrs_lo2="192.168.3.0/24"

# For pf
pf_enable="YES"
```


----------

