# Ezjail network in aws ec2 instance



## rpaezbas (May 13, 2021)

I am trying to connect a jail to the internet in a aws ec2 instance. I am able to create the jail and execute a console inside, the problem is that the jail does not have any connection to the outside.
This are the steps to create the jail:


```
echo 'cloned_interfaces="lo1"' >> /etc/rc.conf
service netif cloneup
ezjail-admin create jail 'lo1|127.0.1.1,xn0|172.31.36.57'
cp /etc/resolv.conf /usr/jails/jail/etc
ezjail-admin console -f jail
```

After that if I try any installation using pkg:


```
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly, please wait...
pkg: Error fetching http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly/Latest/pkg.txz: No address record
Address resolution failed for http://pkg.FreeBSD.org/FreeBSD:12:amd64/quarterly.
Consider changing PACKAGESITE.
```


See output of the host ifconfig:


```
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9001
    options=503<RXCSUM,TXCSUM,TSO4,LRO>
    ether 06:26:aa:da:23:d2
    inet6 fe80::426:aaff:feda:23d2%xn0 prefixlen 64 scopeid 0x2
    inet 172.31.36.56 netmask 0xfffff000 broadcast 172.31.47.255
    inet 172.31.36.57 netmask 0xffffffff broadcast 172.31.36.57
    media: Ethernet manual
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 fe80::1%lo1 prefixlen 64 scopeid 0x3
    inet 127.0.1.1 netmask 0xffffffff
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```


I think the second IP i give to the interface is not valid.
Do you know what would be the way to get connectivity from the jail?


----------



## SirDice (May 13, 2021)

"No address record" means your /etc/resolv.conf is likely wrong in the jail. So there's a problem with DNS resolving.


----------



## rpaezbas (May 13, 2021)

Ok but /etc/resolv.conf is the same as it is in the host, and it works there, seems like the nameserver cannot be reached, but I dont know the reason


----------



## SirDice (May 13, 2021)

Can you actually just add an IP address to an AWS instance? It's been a while since I last played with AWS. The new address might be blocked by AWS. On a regular LAN just adding an unused IP address (in the same subnet) shouldn't be a problem. But I know AWS does quite a few things differently.


----------



## rpaezbas (May 13, 2021)

SirDice said:


> On a regular LAN just adding an unused IP address (in the same subnet) shouldn't be a problem.


 
You are right it works on a regular LAN.

One more thing, when I try 


```
root@hw:~ # resolvconf -l xn0
No resolv.conf for interface xn0
```

That means no DNS is configured in the jail. So I would say that is the problem....


----------



## SirDice (May 13, 2021)

You copied it?


rpaezbas said:


> ```
> cp /etc/resolv.conf /usr/jails/jail/etc
> ```


----------



## rpaezbas (May 13, 2021)

SirDice said:


> You copied it?


Yes, the file is there.


----------



## SirDice (May 13, 2021)

Then DNS is configured in the jail.


----------



## rpaezbas (May 14, 2021)

I managed to get connectivity from the jail by using pf configuration:

`ext_if="xn0"
jail_net="127.0.1.1"
nat pass on $ext_if from $jail_net to any -> $ext_if
pass out
pass in`


----------



## kjpetrie (Jul 23, 2021)

I recently changed my VirtualBox FreeBSD VMs to use vtnet0 instead of em0 and forgot to update /etc/pf.conf. I hit the same problem with trying to upgrade packages in jails in those VMs and your post helped me identify the problem.


----------

