# Jails: Host should ignore IPs of Jails



## Thorny (Feb 17, 2012)

Hello,

I have some problems with my jail configuration. I have multiple IPs, where every IP is dedicated to a jail, except the one for the host. My /etc/rc.conf would look like this:

```
############
# networks #
############

  ########
  # IPv4 #
  ########

  ifconfig_re0="DHCP media 100baseTX mediaopt full-duplex"
  ifconfig_re0_alias0="inet 176.xxx.xxx.xx1 netmask 255.255.255.224"
  ifconfig_re0_alias1="inet 176.xxx.xxx.xx2 netmask 255.255.255.248"

#########
# jails #
#########

jail_enable="YES"
jail_list="example"      # Space separated list of names of jails

jail_sysvipc_allow="YES" # needed to allow postgresql

jail_example_rootdir="/usr/local/jail/example"
jail_example_hostname="example.de"
jail_example_ip="176.xxx.xxx.xx2"
jail_example_exec="/bin/sh /etc/rc"
jail_example_devfs_enable="YES"
jail_example_mount_enable="NO"
```

Now I have a webserver installed in the jail, which listens to 176.xxx.xxx.xx2. I also have a webserver in the host, listening to 176.xxx.xxx.xx1. The problem: the webserver of the host system answers all requests! This is not limited to the webserver, it is the same for all applications which are the same in host and jail. The host accepts all requests for the jails and answers them, even if it is to the wrong IP.

Is there a possibility to stop this behavior? How can I configure the host to just accept requests at its own IP?

Thank you for every hint!

Greetings from Germany,
Torsten


----------



## ecazamir (Feb 17, 2012)

Instruct the host httpd process to listen only to specific IPs. Use multiple

```
Listen 1.2.3.4:80
```

for all intended IP addresses instead of

```
Listen 80
```

in the jail's /usr/local/etc/apache22/httpd.conf.


----------



## Thorny (Feb 17, 2012)

First: I use nginx. Second: I have already done this - it doesn't work. Not sure if it's a bug in nginx. Third: this problem exists for all applications: nginx, postfix, svnserve etc. I will check if the listen-address solution works for the other applications.


----------



## gkontos (Feb 17, 2012)

The first thing that I notice is that you are assigning a wrong netmask to your aliased interfaces:


```
ifconfig_re0_alias0="inet 176.xxx.xxx.xx1 netmask 255.255.255.255"
ifconfig_re0_alias1="inet 176.xxx.xxx.xx2 netmask 255.255.255.255"
```

After fixing this, you have to make sure that all your daemons in the host are binding only to re0. Use:

```
# sockstat -46
```

Regards,
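To turn the sockstat check into something repeatable, here is an added helper (not from the thread) that reads `sockstat -46l` output and lists every socket not bound to the host's own address or loopback, i.e. the ones that will also answer on the jails' aliases. The host address 176.0.0.1 and the sample sockstat output are constructed for the example.

```shell
#!/bin/sh
# Constructed sample shaped like `sockstat -46l` on FreeBSD (not real output).
# Wildcard binds (*:port) answer on every alias, including the jail addresses.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
www      nginx      2345  6  tcp4   *:80                  *:*
www      nginx      2346  6  tcp4   176.0.0.1:80          *:*
postfix  master     3001  12 tcp4   *:25                  *:*
pgsql    postgres   4100  5  tcp4   127.0.0.1:5432        *:*
root     ntpd       999   20 udp4   *:123                 *:*'

# misbound_sockets HOST_IP
# Reads sockstat output on stdin and prints "COMMAND PROTO LOCAL" for each
# socket whose local address is neither HOST_IP nor loopback. The port is
# stripped after the last ':' so IPv6 addresses are handled as well.
misbound_sockets() {
    awk -v host="$1" '
        NR > 1 {
            addr = $6
            sub(/:[^:]*$/, "", addr)
            if (addr == host || addr == "127.0.0.1" || addr == "::1") next
            print $2, $5, $6
        }'
}

# Stand-alone run on the constructed sample; on a live host pipe
# `sockstat -46l` into the function instead.
printf '%s\n' "$SAMPLE" | misbound_sockets 176.0.0.1
```

Anything the helper prints is a daemon that still needs an explicit bind address (nginx `listen`, Postfix `inet_interfaces`, sshd `ListenAddress`) before it stops answering for the jails.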


----------



## kpa (Feb 17, 2012)

I think the first alias address should have the proper netmask if the first alias address is not in the same network as the main address of the interface. All the following addresses should have netmask 255.255.255.255 as long as they are in the same subnet as the first address.


```
ifconfig_re0_alias0="inet 176.xxx.xxx.xx1 netmask 255.255.255.224"
ifconfig_re0_alias1="inet 176.xxx.xxx.xx2 netmask 255.255.255.255"
```


----------



## anomie (Feb 17, 2012)

kpa said:

> I think the first alias address should have the proper netmask if the first alias address is not in the same network as the main address of the interface. All the following addresses should have netmask 255.255.255.255 as long as they are in the same subnet as the first address.



Right-o. And it's documented as such in ifconfig(8).

@Thorny: normally you put _all_ your end-user services inside jails. The host system (in general) should be running an ssh daemon, an NTP daemon, and little or nothing else, IMO.


----------



## SirDice (Feb 18, 2012)

Thorny said:

> ```
> ifconfig_re0_alias1="inet 176.xxx.xxx.xx2 netmask 255.255.255.248"
> 
> jail_example_ip="176.xxx.xxx.xx2"
> ```



You can remove the ifconfig_re0_alias1, jail_example_ip will create the alias automatically when the jail starts. You may need to add a specific interface:

```
jail_example_interface="re0"
```

Normally services will 'grab' all available addresses and listen on all of them. When dealing with jails this will lead to unexpected side effects, as you already noticed. You will need to configure all of them, inside the jails _and_ on the host, to use a specific IP address.


----------



## Thorny (Feb 21, 2012)

gkontos said:

> The first thing that I notice is that you are assigning a wrong netmask to your aliased interfaces:



I must learn more about networks. The configuration I posted was an example; the live configuration uses the correct netmask.


----------



## Thorny (Feb 21, 2012)

anomie said:

> @Thorny: normally you put _all_ your end-user services inside jails. The host system (in general) should be running an ssh daemon, an NTP daemon, and little or nothing else, IMO.



You're right. Normally I do so. But in this case I just have a very limited number of IPv4 addresses (4 - what a coincidence) and this very specific scenario. I try to make the best out of it.


----------



## Thorny (Feb 21, 2012)

SirDice said:

> Normally services will 'grab' all available addresses and listen on all of them. When dealing with jails this will lead to unexpected side effects, as you already noticed. You will need to configure all of them, inside the jails _and_ on the host, to use a specific IP address.



My aim is that every jail has exactly one IP address. The jails should be completely separated.


----------



## Thorny (Feb 21, 2012)

At the very least I'm two steps further. nginx now listens to the correct IP address and ignores all others. In my first try I forgot to set this configuration for one VHost, so it handled all requests of the jails with this VHost. -.-

The svnserve configuration was very easy. My last step is to configure postfix.


----------



## razrx (Feb 21, 2012)

anomie said:

> The host system (in general) should be running an ssh daemon, an NTP daemon, and little or nothing else, IMO.



The little should be at least a packet filter like pf(4), IMO.


----------



## ecazamir (Feb 22, 2012)

Thorny said:

> My last step is to configure postfix.



Postfix's default configuration uses in main.cf

```
inet_interfaces = all
```

Change (or set) this parameter according to your needs:

```
inet_interfaces = 127.0.0.1, 192.168.1.2
```


----------

