# Jail with no internet access



## eatonphil (Dec 7, 2015)

I am trying to create a jail on a VPS following this guide on networked jails with a single IP. However, I have no internet access within the jail, though I do have internet access on the host.

Here is my ifconfig(8) from the host:


```
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 56:00:00:18:fa:73
        inet6 fe80::5400:ff:fe18:fa73%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2001:19f0:0:2067:5400:ff:fe18:fa73 prefixlen 64 autoconf
        inet X1.X2.X3.92 netmask 0xfffffe00 broadcast X1.X2.X3.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 5a:00:00:18:fa:73
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.0.1 netmask 0xfffffff8
...
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
```

Here is the relevant section of rc.conf on the host:


```
cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-254/29"
ezjail_enable="YES"

# PF
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_flags=""
gateway_enable="YES"
```

Here is my pf.conf on the host:


```
IP_PUB="X1.X2.X3.92"
IP_JAIL="192.168.0.2"
NET_JAIL="192.168.0.0/24"
scrub in all
nat pass on vrtnet0 from $NET_JAIL to any -> $IP_PUB
```

And running `pfctl -sn` on the host gives this:


```
No ALTQ support in kernel
ALTQ related functions disabled
nat pass on vrtnet0 inet from 192.168.0.0/24 to any -> X1.X2.X3.92
```

I am using Google's nameservers inside the jail:


```
nameserver 8.8.8.8
nameserver 8.8.4.4
```

And here is the ifconfig(8) output from within the jail:


```
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 56:00:00:18:fa:73
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 5a:00:00:18:fa:73
        media: Ethernet 10Gbase-T <full-duplex>
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.0.2 netmask 0xffffffff
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
```

Finally, when I try to `drill google.com` within the jail I get a timeout:


```
Error: error sending query: Could not send or receive, because of network error
```

Any suggestions? I've read previously that setting jail addresses on the loopback device will result in no internet connection. But, again (according to this guide that I was following for setting up jails with a single IP) it appears to be possible.


----------



## SirDice (Dec 7, 2015)

There's a typo in your pf.conf, vrtnet0 should be vtnet0.


----------



## eatonphil (Dec 7, 2015)

The best kind of error. I was knocking my head over this one. Thanks!

`drill google.com` within the jail:


```
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 13260
;; flags: qr rd ra ; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; google.com.  IN      A

;; ANSWER SECTION:
google.com.     299     IN      A       173.194.123.64
google.com.     299     IN      A       173.194.123.65
google.com.     299     IN      A       173.194.123.78
google.com.     299     IN      A       173.194.123.72
google.com.     299     IN      A       173.194.123.68
google.com.     299     IN      A       173.194.123.69
google.com.     299     IN      A       173.194.123.73
google.com.     299     IN      A       173.194.123.66
google.com.     299     IN      A       173.194.123.70
google.com.     299     IN      A       173.194.123.67
google.com.     299     IN      A       173.194.123.71

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 33 msec
;; SERVER: 8.8.4.4
;; WHEN: Mon Dec  7 14:42:23 2015
;; MSG SIZE  rcvd: 204
```


----------



## sidetone (Dec 7, 2015)

There's a configuration file for ezjails to access the internet. It's in /usr/local/etc/ezjail/, and the configuration file is the name of your jail.


----------



## eatonphil (Dec 7, 2015)

What do you mean by that, sidetone?

Here is the file for my jail:


```
export jail_my_jail_hostname="my-jail"
export jail_my_jail_ip="lo1|192.168.0.2"
export jail_my_jail_rootdir="/usr/jails/my-jail"
export jail_my_jail_exec_start="/bin/sh /etc/rc"
export jail_my_jail_exec_stop=""
export jail_my_jail_mount_enable="YES"
export jail_my_jail_devfs_enable="YES"
export jail_my_jail_devfs_ruleset="devfsrules_jail"
export jail_my_jail_procfs_enable="YES"
export jail_my_jail_fdescfs_enable="YES"
export jail_my_jail_image=""
export jail_my_jail_imagetype=""
export jail_my_jail_attachparams=""
export jail_my_jail_attachblocking=""
export jail_my_jail_forceblocking=""
export jail_my_jail_zfs_datasets=""
export jail_my_jail_cpuset=""
export jail_my_jail_fib=""
export jail_my_jail_parentzfs=""
export jail_my_jail_parameters=""
export jail_my_jail_post_start_script=""
export jail_my_jail_retention_policy=""
```

I'm new to this. What exactly are you saying I could do in this file that I shouldn't do elsewhere? Thanks!


----------



## sidetone (Dec 7, 2015)

That's the file.

```
export jail_my_jail_hostname="my-jail" # this needs to match
export jail_my_jail_ip="lo1|192.168.0.2" # needs to match your alias ip or network name from rc.conf
export jail_my_jail_parameters="1" # will allow pings from the jail
```

My rc.conf normally has an alias IP for jails.

```
ifconfig_$interface_alias0="inet ...
```
The example you have for rc.conf gives a cloned interface for loopback, which is right.

Loopback IPs are regularly numbered from 127.0.0.1, not 192.168...

Your jail ip, and your alias or network should be the same, comparing /etc/rc.conf and your jail configuration file. The jail argument from your ezjail-conf file is supposed to be the interface for connecting to the internet. I'm not familiar with loopback being the connection to the internet, but it looks like the guide you used did it differently.


----------



## SirDice (Dec 7, 2015)

You don't need to set an alias address beforehand. If it's not there it will be added automatically when the jail starts (and removed when it's stopped). That's why he has "lo1|192.168.0.2".


----------



## sidetone (Dec 7, 2015)

Is the difference between using lo and an alias having a jail's own dedicated external IP address? Does lo mirror the internet connection into a filtered local one?


----------



## SirDice (Dec 7, 2015)

Some people only have one single internet IP address. If you need to run multiple jails you can bind the jails to lo1 and use NAT. If you have multiple internet IP addresses you could do the same or you could bind the jails to the external interface and IP addresses directly.

Note that lo1 is just a name; it has no relation to lo0 besides both being internal interfaces that are available on the host.


----------
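A consistency check for the lo1 + NAT setup discussed in this thread, added here as an example; it is not code from any of the posters. It covers the two things that went wrong or were questioned above: `pfctl -nf` does not catch the `vrtnet0` typo because pf accepts rules on interfaces that do not exist yet (the thread's `pfctl -sn` output shows the misspelled rule loaded fine, it just never matches), and the jail address from the ezjail config has to fall inside the nat rule's source network. The script takes the loaded rules (`pfctl -sn` output), the host interface list (`ifconfig -l` output) and the `jail_<name>_ip` value as text so it runs offline; the sample rules at the end are constructed, and 203.0.113.92 is a placeholder for the redacted X1.X2.X3.92.

```shell
#!/bin/sh
# Added example, not from the thread: lint a pf NAT setup for jails bound to lo1.
# pfctl -nf does not catch "vrtnet0": pf accepts rules on interfaces that do not
# exist (they may be created later), so a typo loads cleanly and the nat rule
# simply never matches. The checks take `pfctl -sn`, `ifconfig -l` and the
# ezjail jail_<name>_ip value as text, so they run offline on constructed input.

# ip4_to_int 192.168.0.2 -> 3232235522 (dotted quad to a 32-bit integer)
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr <ip> <net/prefix>: true when <ip> lies inside <net/prefix>.
in_cidr() {
    case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
    plen=${2#*/}
    net_int=$(ip4_to_int "${2%/*}")
    ip_int=$(ip4_to_int "$1")
    mask=$(( 4294967296 - (1 << (32 - plen)) ))   # /24 -> 0xffffff00
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# jail_ip "lo1|192.168.0.2" -> 192.168.0.2 (ezjail "iface|addr" form; first entry if several)
jail_ip() {
    first=${1%%,*}
    echo "${first#*|}"
}

# missing_ifaces <rules text> <iface list>: print every interface named after
# "on" in the rules that is not in the list. Feed it pfctl -sn/-sr output rather
# than pf.conf so macros such as $ext_if are already expanded. Interface groups
# (e.g. "egress") are not listed by `ifconfig -l`; add them to the list if used.
missing_ifaces() {
    printf '%s\n' "$1" \
      | sed -n 's/^[^#]*[[:space:]]on[[:space:]]\{1,\}\([A-Za-z0-9_.]\{1,\}\).*/\1/p' \
      | sort -u \
      | while read -r ifn; do
            case " $2 " in *" $ifn "*) ;; *) echo "$ifn" ;; esac
        done
}

# nat_source_net <rules text>: source network of the first nat rule, empty if none
nat_source_net() {
    printf '%s\n' "$1" | sed -n 's|^nat .* from \([0-9./]*\) to .*|\1|p' | head -n 1
}

# check_jail_nat <rules text> <iface list> <ezjail ip spec>
# Prints one line per finding; returns 0 only when the setup is consistent.
check_jail_nat() {
    rules=$1; ifaces=$2; spec=$3; rc=0
    for ifn in $(missing_ifaces "$rules" "$ifaces"); do
        echo "FAIL: rule references '$ifn', which is not a host interface ($ifaces)"
        rc=1
    done
    jip=$(jail_ip "$spec")
    net=$(nat_source_net "$rules")
    if [ -z "$net" ]; then
        echo "FAIL: no nat rule with a CIDR source network is loaded"
        rc=1
    elif in_cidr "$jip" "$net"; then
        echo "ok: jail address $jip is inside the nat source $net"
    else
        echo "FAIL: jail address $jip is outside the nat source $net"
        rc=1
    fi
    return $rc
}

# Constructed sample input modelled on the thread (203.0.113.92 stands in for the
# redacted X1.X2.X3.92). On a live host, after sourcing the ezjail config file:
#   check_jail_nat "$(pfctl -sn)" "$(ifconfig -l)" "$jail_my_jail_ip"
HOST_IFACES="vtnet0 vtnet1 lo0 lo1 pflog0"
EZJAIL_IP="lo1|192.168.0.2"
BROKEN_RULES='nat pass on vrtnet0 inet from 192.168.0.0/24 to any -> 203.0.113.92'
FIXED_RULES='nat pass on vtnet0 inet from 192.168.0.0/24 to any -> 203.0.113.92'

check_jail_nat "$BROKEN_RULES" "$HOST_IFACES" "$EZJAIL_IP" || echo "broken config detected"
check_jail_nat "$FIXED_RULES" "$HOST_IFACES" "$EZJAIL_IP"
```

Run it against `pfctl -sn` rather than the raw pf.conf: the macros in the file (`$NET_JAIL`, `$IP_PUB`) are only expanded once loaded, and the loaded rule set is what actually decides whether the jail's packets get translated. A rule on a misspelled interface is exactly as silent in a `block` rule as it is in a `nat` rule, which is the reason to check interface names mechanically rather than by eye.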

