# ezjail says IP is not configured on a local interface



## japoc (Nov 18, 2015)

Hi,

I have trouble understanding the reason for these warning messages.
When I try to create a jail with this command:

`$ sudo ezjail-admin create myjail 10.0.0.4`

I get the warnings:


```
Warning: IP 10.0.0.4 not configured on a local interface.
Warning: Some services already seem to be listening on IP 10.0.0.4
  This may cause some confusion, here they are:
root  ntpd  681  26 udp4  10.0.0.4:123  *:*
Warning: Some services already seem to be listening on all IP, (including 10.0.0.4)
  This may cause some confusion, here they are:
root  natd  1177  3  div4  *:8668  *:*
root  ntpd  681  20 udp6  *:123  *:*
root  ntpd  681  21 udp4  *:123  *:*
root  syslogd  595  6  udp6  *:514  *:*
root  syslogd  595  7  udp4  *:514  *:*
```

I am very surprised by the first warning: `Warning: IP 10.0.0.4 not configured on a local interface.`

Here's the result of `$ ifconfig lo1`:


```
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
   options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
   inet 10.0.0.4 netmask 0xff000000
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
```

So it seems the IP is configured on a local interface. Or isn't it?

Here is my /etc/rc.conf:


```
hostname="myhostname"
ifconfig_re0="DHCP"
ntpd_enable="YES"
ntpd_sync_on_start="YES"
sshd_enable="YES"
ezjail_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
cloned_interfaces="lo1"
firewall_logging="YES"
ifconfig_lo1_alias0="inet 10.0.0.4 netmask 255.0.0.0"
gateway_enable="YES"
natd_enable="YES"
natd_interface="re0"
natd_flags="-f /etc/natd.conf"
```

So, what am I doing wrong here?

Thanks for your help.


----------



## wblock@ (Nov 18, 2015)

The lo interfaces are for loopback. Don't use them for general-purpose IP addresses.


----------



## kpa (Nov 18, 2015)

It is OK to use a cloned lo(4) interface for a jail, but maybe sysutils/ezjail just doesn't support such a configuration?


----------



## SirDice (Nov 18, 2015)

Unless something changed very recently it should be fine to use lo1:

```
dice@armitage:~ % cat /usr/local/etc/ezjail/mail
# To specify the start up order of your ezjails, use these lines to
# create a Jail dependency tree. See rcorder(8) for more details.
#
# PROVIDE: standard_ezjail
# REQUIRE:
# BEFORE:
#

export jail_mail_hostname="*******removed*********"
export jail_mail_ip="lo1|192.168.21.4/24"
export jail_mail_rootdir="/jails/mail"
export jail_mail_exec_start="/bin/sh /etc/rc"
export jail_mail_exec_stop=""
export jail_mail_mount_enable="YES"
export jail_mail_devfs_enable="YES"
export jail_mail_devfs_ruleset="devfsrules_jail"
export jail_mail_procfs_enable="YES"
export jail_mail_fdescfs_enable="YES"
export jail_mail_image=""
export jail_mail_imagetype="zfs"
export jail_mail_attachparams=""
export jail_mail_attachblocking=""
export jail_mail_forceblocking=""
export jail_mail_zfs_datasets=""
export jail_mail_cpuset=""
export jail_mail_fib=""
export jail_mail_parentzfs="zroot/EZJAIL"
export jail_mail_parameters=""
export jail_mail_post_start_script=""
export jail_mail_retention_policy=""
```


```
dice@armitage:~ % ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 192.168.21.3 netmask 0xffffff00
        inet 192.168.21.10 netmask 0xffffff00
        inet 192.168.21.4 netmask 0xffffff00
        inet 192.168.21.20 netmask 0xffffff00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
```


----------



## japoc (Nov 18, 2015)

Thanks for your replies.

Actually, the first warning, `Warning: IP 10.0.0.4 not configured on a local interface.`, was a firewall issue.
It seems ezjail sends some ICMP packets from 127.0.0.1 to the IP of the jail in order to check if the IP is configured. And my firewall was blocking them.
I deleted the jail, and added the following rule to my firewall:


```
$cmd 000195 allow icmp from 127.0.0.1 to 10.0.0.4
```

Now I no longer have the first warning when creating a jail with this ip.

Now I have to deal with the other warnings.

```
Warning: Some services already seem to be listening on IP 10.0.0.4
This may cause some confusion, here they are:
root ntpd 681 26 udp4 10.0.0.4:123 *:*
Warning: Some services already seem to be listening on all IP, (including 10.0.0.4)
This may cause some confusion, here they are:
root natd 1177 3 div4 *:8668 *:*
root ntpd 681 20 udp6 *:123 *:*
root ntpd 681 21 udp4 *:123 *:*
root syslogd 595 6 udp6 *:514 *:*
root syslogd 595 7 udp4 *:514 *:*
```

I guess I can configure syslog and ntpd to only listen on the localhost addresses (I am not sure how that would impact ntpd, though).
As for natd, I have no idea what I should do. Should it listen on all addresses or not? And what does div4 mean?


----------



## SirDice (Nov 18, 2015)

For syslogd(8) add this to rc.conf:

```
syslogd_flags="-ss"
```

That will prevent it from attaching to any kind of network socket. Unless you use it to send or receive messages over the network there should be no need for it.

NTP should probably be bound to 127.0.0.1 and the host's IP address. That's assuming you want to sync other clients with this NTP service. If not, you could bind it to 127.0.0.1 or configure it not to use any network socket at all.


----------
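An added example (not from any poster and not ezjail's own code): an sh/awk filter that sorts `sockstat -4 -6 -l` style lines into the two groups the warnings in this thread show, so the effect of the `syslogd_flags` and ntpd changes can be re-checked before creating the jail. The function names and the "after" sample are constructed for illustration; the "before" sample is the listener list quoted in the thread.

```shell
#!/bin/sh
# Input: lines in `sockstat -4 -6 -l` layout on stdin:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Usage on a live host: sockstat -4 -6 -l | jail_ip_conflicts 10.0.0.4

jail_ip_conflicts() {   # $1 = jail IP
    awk -v ip="$1" '
        # div4 is a divert(4) socket (natd receives packets diverted by
        # ipfw there); report it separately from TCP/UDP listeners.
        $5 ~ /^div/        { printf "divert %s %s\n", $2, $6; next }
        $5 !~ /^(tcp|udp)/ { next }          # header line, other socket types
        {
            addr = $6
            sub(/:[0-9*]+$/, "", addr)       # strip the trailing :port
            if (addr == ip)       printf "exact %s %s %s\n", $2, $5, $6
            else if (addr == "*") printf "wildcard %s %s %s\n", $2, $5, $6
        }'
}

# Number of TCP/UDP listeners that are bound to, or cover, the jail IP.
conflict_count() {
    jail_ip_conflicts "$1" |
        awk '$1 == "exact" || $1 == "wildcard" { n++ } END { print n + 0 }'
}

# Listener list as quoted in the warnings earlier in the thread.
sample_before() {
    cat <<'EOF'
root  ntpd  681  26 udp4  10.0.0.4:123  *:*
root  natd  1177  3  div4  *:8668  *:*
root  ntpd  681  20 udp6  *:123  *:*
root  ntpd  681  21 udp4  *:123  *:*
root  syslogd  595  6  udp6  *:514  *:*
root  syslogd  595  7  udp4  *:514  *:*
EOF
}

# Constructed sample (assumed outcome, not output from the thread): the host
# after syslogd_flags="-ss" and with ntpd restricted to 127.0.0.1.
sample_after() {
    cat <<'EOF'
root  natd  1177  3  div4  *:8668  *:*
root  ntpd  702  21 udp4  127.0.0.1:123  *:*
EOF
}

echo "before:"; sample_before | jail_ip_conflicts 10.0.0.4
echo "after:";  sample_after  | jail_ip_conflicts 10.0.0.4
```
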



## japoc (Nov 18, 2015)

Thanks, that helps a lot.


----------

