# Cannot connect to internet from jail



## jtcox (Jul 19, 2009)

I am running 7.2-release and would like to run apache in a jail. I've made a jail with ezjail and despite trying to follow many of the tutorials on the web I cannot access the internet from inside the jail (ping returns nothing), and so can't even think about installing apache in it. I would appreciate any help in resolving the basic problem of connecting to the internet from inside the jail. (For what it's worth, I can ssh into the jail from the host, even back into the host from the jail.)

The host connects directly to the internet with IP address XXX.YYY.ZZZ.WWW and adaptor bge0. I want to assign the jail the address 10.0.0.3. I have copied /etc/resolv.conf into the jail. Here is one of the variations I have tried.

```
--- HOST rc.conf ---
  defaultrouter="XXX.YYY.ZZZ.1"
  ifconfig_bge0="inet XXX.YYY.ZZZ.WWW  netmask 255.255.255.0"
  ifconfig_bge0_alias1="inet 10.0.0.3 netmask 255.255.255.255"
  inetd_enable="NO"
  pf_enable="YES"
  gateway_enable="YES"


--- HOST pf.conf ---
ext_if="bge0"
all_if="{bge0, lo0}"
myjail="10.0.0.3"
rdr on $all_if proto tcp from any to bge0 port 80 -> $myjail port 80
nat on $ext_if from $myjail to any -> bge0


--- HOST sysctl.conf ---
  security.jail.allow_raw_sockets=1

--- JAIL rc.conf ---
  rpc_bind_enable="NO"
  sshd_enable="YES"
  sendmail_enable="NO"
  network_interfaces=""
  defaultrouter="XXX.YYY.ZZZ.1"
  early_late_divider="NETWORKING"

--- JAIL /etc/hosts ---
  127.0.0.1               myjail myjail.com
  10.0.0.3                myjail myjail.com
```


----------



## DutchDaemon (Jul 20, 2009)

Not using jails, but wasn't ping impossible from a jail anyway due to socket restrictions? Ping is an overrated diagnostic tool anyway.


----------



## SirDice (Jul 20, 2009)

Normally a ping won't work but the OP has security.jail.allow_raw_sockets enabled. This is theory _should_ make ping work. I've never tried it though.


----------



## jtcox (Jul 20, 2009)

Thanks, but it's not just ping. For example, from inside the jail  I cannot "pkg_add -r" and I cannot ssh to any machine that is not the host.


----------



## DutchDaemon (Jul 20, 2009)

Can you try this?


```
nat on $ext_if from $myjail to any -> bge0:0
```


----------



## jtcox (Jul 22, 2009)

*Solved*

thanks for the suggestion to
nat on $ext_if from $myjail to any -> bge0:0

but it didn't work. However, from the command line:

ifconfig bge0 10.0.0.3 netmask 255.255.255.255 alias

To my surprise ping from inside the jail started to work, and I could add software packages via pkg_add -r.  The next step was to run sshd in the jail, redirecting host port to it. This also works, but logins are incredibly slow.

Is there any well known reason for sshd in a jail to be slow to respond to logins?


----------



## DutchDaemon (Jul 22, 2009)

Slow ssh logins are usually down to resolver issues. Try setting sshd to not resolve incoming connections.


----------



## klash (Apr 29, 2010)

*can't connect to internet from jail*

hi
i am newbie to freebsd.
i want to connect to internet from my jail. (my host is connect to internet)
i had read handbook, but i don't have any idea about what i shoud do!!
can anyone help?
and i have another question:
if i connect to internet from my jail, then will my jail ip, my host ip??

Regards


----------



## fbsd1 (May 3, 2010)

Yea ezjail man pages are very poorly documented. There are 3 things your jail has to have to be accessable from the public network. 1. a copy of the hosts /etc/resolv.conf  2, The ezjail-admin create must use the public ip address.  3. the /etc/rc.conf must contain the same ifconfig_xxx="DHCP" statements as used in the host to connect to the public network.

Then pkg_add -r will work. But ping is restricted from working inside of any jail by design. I use whois or dig commands to test for network access in place of ping.

Here are my versions of the ezjail man pages I wrote for my own use. You may find them helpfull.


----------



## MG (May 3, 2010)

Just curious: Why do you set a default gateway inside your jail?
If security.jail.allow_raw_sockets is enabled I can ping here without setting a gateway ip in the jail. The jail seems to use the hosts route by default. Is this a security issue?


----------



## klash (May 3, 2010)

fbsd1 said:
			
		

> Yea ezjail man pages are very poorly documented. There are 3 things your jail has to have to be accessable from the public network. 1. a copy of the hosts /etc/resolv.conf  2, The ezjail-admin create must use the public ip address.  3. the /etc/rc.conf must contain the same ifconfig_xxx="DHCP" statements as used in the host to connect to the public network.
> 
> Then pkg_add -r will work. But ping is restricted from working inside of any jail by design. I use whois or dig commands to test for network access in place of ping.
> 
> Here are my versions of the ezjail man pages I wrote for my own use. You may find them helpfull.



thanks for your help, but I didn't know about ezjail before your message. I want to connect to internet whitout using ezjail, is it possible?
how?


----------



## halplus (Jan 18, 2012)

I am having a similiar issue here

This is my pf configuration (just built to test the jail connectivity and discard other problems)



```
ext_if = "re0"
webjail="10.0.0.1"
nat on $ext_if from $webjail to any -> ($ext_if)
```

now from the jail:


```
www# jexec 9 /bin/sh
```


```
# pkg_add -r links
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.2-
release/Latest/links.tbz: Operation timed out
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages
-8.2-release/Latest/links.tbz' by URL
```

and then from within the jail too :S


```
# ping www.yahoo.com
PING eu-fp3.wa1.b.yahoo.com (87.248.112.181): 56 data bytes
^C
--- eu-fp3.wa1.b.yahoo.com ping statistics ---
86 packets transmitted, 0 packets received, 100.0% packet loss
# ^C
# ping 87.248.112.181
PING 87.248.112.181 (87.248.112.181): 56 data bytes
64 bytes from 87.248.112.181: icmp_seq=0 ttl=57 time=20.038 ms
64 bytes from 87.248.112.181: icmp_seq=1 ttl=57 time=16.841 ms
64 bytes from 87.248.112.181: icmp_seq=2 ttl=57 time=16.770 ms
64 bytes from 87.248.112.181: icmp_seq=3 ttl=57 time=18.648 ms
64 bytes from 87.248.112.181: icmp_seq=4 ttl=56 time=14.461 ms
64 bytes from 87.248.112.181: icmp_seq=5 ttl=57 time=16.715 ms
^C
--- 87.248.112.181 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 14.461/17.245/20.038/1.741 ms
#
```

and my /etc/resolv.conf in the jail is ok with proper nameservers configured (just like in the host)!

Now what?


----------



## halplus (Jan 18, 2012)

Maybe this helps as well:

 from the jail


```
# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:16:3e:85:6e:7d
        inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.0.0.1 netmask 0xffffff00
#
```


----------



## halplus (Jan 18, 2012)

and the host (real IP numbers replaced with X1.X2.X3 in both IP number and broadcast addresses):


```
www# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:16:3e:85:6e:7d
        inet X1.X2.X3.40 netmask 0xffffff00 broadcast X1.X2.X3.255
        inet 192.168.0.2 netmask 0xffffffff broadcast 192.168.0.2
        inet 10.0.0.1 netmask 0xffffffff broadcast 10.0.0.1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.0.0.1 netmask 0xffffff00
www#
```


----------



## SirDice (Jan 18, 2012)

10.0.0.1 is bound to both re0 _and_ lo1. Use one or the other, not both.


----------



## halplus (Jan 19, 2012)

Hi SirDice, thanks but I did what you said:


```
$ ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:16:3e:85:6e:7d
        inet X1.X2.X3.40 netmask 0xffffff00 broadcast X1.X2.X3.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 10.0.0.1 netmask 0xffffff00
$
```

unfortunately things are still the same .

Is sort like if TCP gets blocked or something. I can ping therefore ICMP is reaching the internet and I can resolve names therefore UDP is reaching it too. Now when I telnet yahoo  google or some of the internet monsters it just stays there like forever as if packets where being dropped at the firewall. I can connect to services in the host, like ssh and mysql. From the host I can connect to the sendmail running inside the jail. Could be another firewall at the datacenter blocking my jail traffic? Maybe TCP packets have an strange tag or something. I don't know just wandering. I wish I don't have to end up deploying a sniffer there . From the behavior no ICMP is being sent back as something is blocked but simply swallowed. Hmm could it be the routing? I don't think so. UDP and ICMP requires that to work. Really lost in here.


----------



## vand777 (Jan 19, 2012)

SirDice said:
			
		

> Normally a ping won't work but the OP has security.jail.allow_raw_sockets enabled. This is theory _should_ make ping work. I've never tried it though.



Yes, ping should work if security.jail.allow_raw_sockets is enabled. Tried this in the past (however, I never enable it now).


----------



## halplus (Jan 20, 2012)

I actually do have connectivity from the jail is just incredibly slow to the point it times out constantly:


```
# telnet www.google.com 80
Trying 173.194.65.104...
telnet: connect to address 173.194.65.104: Operation timed out
Trying 173.194.65.99...
Connected to www.l.google.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 302 Found
Location: http://www.google.co.uk/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=3d1104d390fadca1:FF=0:TM=1327073628:LM=1327073628:S=PxV5CWoo
gIlF_H9s; expires=Sun, 19-Jan-2014 15:33:48 GMT; path=/; domain=.google.com
Date: Fri, 20 Jan 2012 15:33:48 GMT
Server: gws
Content-Length: 221
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.co.uk/">here</A>.
</BODY></HTML>
Connection closed by foreign host.
#
```

Any ideas?


----------



## halplus (Jan 20, 2012)

I rebooted the server, all fixed now. Weird thought.


----------



## fbsd1 (Jan 21, 2012)

There is a new system utility in the ports called qjail that automates all the problems of creating jails using the manual commands.


----------

