# vnet jail - ping: permission denied



## Logik (Jan 6, 2015)

Hi,
I'm pretty new to FreeBSD and I have issues with jails and networking. I am trying to create a vnet jail, and even when I allow raw sockets, `ping` from the jail doesn't work. jail.conf is below - is something wrong there?

`ping` is not the only thing that is wrong; no networking in the jail works (e.g. drill, netcat, etc.). Taking the firewall on the host down makes no difference. Please, can you show me where I am making the mistake?

Thanks,
Logik

ERROR:

```
[root@dhcp /]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied


[root@dhcp /]# netstat -rn
Routing tables
Internet:
Destination  Gateway  Flags  Netif Expire
default  192.168.6.1  UGS  epair210
127.0.0.1  link#1  UH  lo0
192.168.6.0/24  link#2  U  epair210
192.168.6.210  link#2  UHS  lo0

Internet6:
Destination  Gateway  Flags  Netif Expire
::/96  ::1  UGRS  lo0
::1  link#1  UH  lo0
::ffff:0.0.0.0/96  ::1  UGRS  lo0
fe80::/10  ::1  UGRS  lo0
fe80::%lo0/64  link#1  U  lo0
fe80::1%lo0  link#1  UHS  lo0
fe80::%epair210b/64  link#2  U  epair210
fe80::ff:60ff:fe00:70b%epair210b  link#2  UHS  lo0
ff01::%lo0/32  ::1  U  lo0
ff01::%epair210b/32  fe80::ff:60ff:fe00:70b%epair210b U  epair210
ff02::/16  ::1  UGRS  lo0
ff02::%lo0/32  ::1  U  lo0
ff02::%epair210b/32  fe80::ff:60ff:fe00:70b%epair210b U  epair210

[root@dhcp /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair210b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=8<VLAN_MTU>
  ether 02:ff:60:00:07:0b
  inet6 fe80::ff:60ff:fe00:70b%epair210b prefixlen 64 tentative scopeid 0x2
  inet 192.168.6.210 netmask 0xffffff00 broadcast 192.168.6.255
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
  status: active
```

jail.conf:

```
*  {
  exec.start  =  "/bin/bash /etc/rc";
  exec.stop  =  "/bin/bash /etc/rc.shutdown";
  exec.consolelog  =  "/var/log/jail/$name";
  path  =  "/usr/jails/$name";
  mount.fstab  =  "/etc/jail.fstab/$name";
  host.hostname  =  "$name.dionyska.cz";
  devfs_ruleset  =  "4";
  mount.devfs;
  mount.fdescfs;
  $ip_addr = "192.168.6.${ip}" ;
}

dhcp  {
  $ip = "210" ;
  $ip_route = "192.168.6.1" ;

  vnet;
  vnet.interface = "epair${ip}b";

  # When the jail configuration was faulty, this interface sometimes survived the jail, so try to destroy it first
  exec.prestart = "ifconfig epair${ip}a destroy 2>/dev/null || true";
  exec.prestart += "ifconfig epair$ip create up";
  exec.prestart += "ifconfig bridge0 addm epair${ip}a";

  exec.start = "/sbin/ifconfig lo0 127.0.0.1 up";
  exec.start += "/sbin/ifconfig epair210b inet  $ip_addr up" ;
  exec.start += "/sbin/route add default $ip_route " ;
  exec.start += "/bin/sh /etc/rc";

  exec.poststop = "ifconfig bridge0 delem epair${ip}";
  exec.poststop = "ifconfig epair${ip}a destroy " ;

  persist;

  devfs_ruleset=5 ;
  allow.raw_sockets=1 ;
  allow.socket_af = 1;
}
```


----------



## bthomson (Jan 7, 2015)

Usually `ping: sendto: Permission denied` is what I see when a firewall blocked the ping. For connection problems there are different errors.

You say you have stopped the firewall on the host, but any chance you have a firewall running in the jail?

Output from `jls -v` would also be helpful.


----------



## Logik (Jan 7, 2015)

Hi,
Thanks for the aid. There is no firewall in the jail (well, at least I can't find any)...

```
[root@dhcp /]# ps axu | egrep '(ipfw|pf)'
root 13883  0.0  0.0 14708 2092  0  R+J  9:13PM 0:00.02 egrep (ipfw|pf)
[root@dhcp /]# service ipfw stop
Cannot 'stop' ipfw. Set firewall_enable to YES in /etc/rc.conf or use 'onestop' instead of 'stop'.
[root@dhcp /]# service pf stop
Cannot 'stop' pf. Set pf_enable to YES in /etc/rc.conf or use 'onestop' instead of 'stop'.
[root@dhcp /]#
```
Requested output:

```
[root@platys ~]# jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
    30  dhcp dionyska cz              /usr/jails/dhcp
        dhcp                          ACTIVE
        2
[root@platys ~]#
```
Thanks,
Logik

PS: Edit - prettier output of jls


----------



## TheHolm (Jan 18, 2020)

That is not how you test for the presence of a FW in the jail.

```
# sysctl -a | grep net.inet.ip.fw.enable
net.inet.ip.fw.enable: 1
// IPFW enabled
# ipfstat
open(IPSTATE_NAME): No such file or directory
// IPF not enabled (there should be a better way to check it)
```


----------



## rf10 (Jan 30, 2020)

Yes, check the firewall. If you are using IPFW, stopping it on a host wouldn't automatically stop it in a jail.


----------



## Lamia (Jan 30, 2020)

1)

```
# Set the below in host /etc/sysctl.conf to allow icmp commands in jails
security.jail.allow_raw_sockets=1
```

2)

```
# Set in jail.conf
JAIL_NAME {
......
......
allow.raw_sockets=1;
.......
}
```

It looks like you already have done the second.


----------
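
The checks named in the posts above (TheHolm's `net.inet.ip.fw.enable` test and Lamia's `security.jail.allow_raw_sockets` setting), combined into one script as an added example that is not part of any post in the thread. The function name, messages and sample input are constructed; `net.inet.ip.fw.default_to_accept` is not mentioned in the thread and is included on the assumption that ipfw is the firewall in question.

```shell
#!/bin/sh
# Added example (not from the thread). Reads sysctl(8) output on stdin and
# reports which of the thread's checks are flagged. Inside the jail, e.g.:
#   sysctl net.inet.ip.fw.enable net.inet.ip.fw.default_to_accept \
#          security.jail.allow_raw_sockets 2>/dev/null | check_ping_denied
# Returns 0 when nothing is flagged, 1 otherwise.
check_ping_denied() {
    fw=absent accept=absent raw=absent
    # Accept both "name: value" (sysctl output) and "name=value" (sysctl.conf).
    while IFS=':= ' read -r name value rest; do
        case "$name" in
            net.inet.ip.fw.enable)            fw=$value ;;
            net.inet.ip.fw.default_to_accept) accept=$value ;;
            security.jail.allow_raw_sockets)  raw=$value ;;
        esac
    done
    rc=0
    if [ "$fw" = 1 ]; then
        rc=1
        if [ "$accept" = 1 ]; then
            echo "ipfw: enabled, default rule accepts; review 'ipfw list' for deny rules"
        else
            echo "ipfw: enabled and default_to_accept is not 1; with no rules loaded the default rule denies everything"
        fi
    else
        echo "ipfw: not enabled here (net.inet.ip.fw.enable=$fw)"
    fi
    case "$raw" in
        0) rc=1; echo "raw sockets: disabled (security.jail.allow_raw_sockets=0)" ;;
        1) echo "raw sockets: allowed" ;;
        *) echo "raw sockets: setting not reported" ;;
    esac
    return $rc
}

# Constructed sample input, modelled on the sysctl line quoted in the thread.
sample_jail='net.inet.ip.fw.enable: 1
net.inet.ip.fw.default_to_accept: 0
security.jail.allow_raw_sockets: 1'

printf '%s\n' "$sample_jail" | check_ping_denied || true
```

Feed it values read inside the jail rather than on the host, since, as rf10 notes, the firewall state on the host does not carry over to the jail.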



## genneko (Jan 31, 2020)

Hello Logik,
Is the jail's default gateway (192.168.6.1) the host itself?
   (the host acts as a router for the jail)

Or is it (192.168.6.1) a common gateway for both the jail and the host?
   (the host just bridges packets between the jail's epair210b interface and the host's external interface)

I guess it's the latter because you use bridge0. If so, the host's `ifconfig bridge0` would help.


----------



## genneko (Jan 31, 2020)

Sorry. I had misunderstood your problem. I just noticed yours is this one.


> ping: sendto: Permission denied



Besides, it's quite old...
So my previous post doesn't seem relevant here.


----------

