# concern about jails on loopback interface



## kriscom (Jul 28, 2011)

Hi,

im playing around with jails.

The first thing I did was to setup some jails attached to aliases on a real network interface(not loopback). Everything was working fine, I could connect from a jail on one machine to a service running withing a jail on another machine. I can manage the configuration steeps needed to achieve that.

What I disliked about it was, that I had to mount /dev/mem and /dev/kmem within jails, to enable routing. And I guess that could be one of the reasons why people do use NAT for jails.

So now Im trying to setup some jails with NAT. Therefore I use aliases on the loopback interface. Im able to connect from one jail to a service running in another jail on the same machine. That works even without NAT, just by using the assigned (loopback) aliases.

Now I was into setup natd+ipfw. Lets try first with the outgoing traffic. For what I have read about jails and NAT, I understand that the main issue is to translate the network address through natd which is called by ipfw. I was playing around and I did tcdump on both the rl0 and the lo0 interfaces. All outgoing traffic occures only in the lo0 tcpdump and I am asking myself what I need to do to make it visible on the rl0 interface. 

Should I not use lo0 for jails at all, but rl0 instead with some "loopback alike IP" aliases?

Thanks in advance!


----------



## SirDice (Jul 28, 2011)

kriscom said:
			
		

> What I disliked about it was, that I had to mount /dev/mem and /dev/kmem within jails, to enable routing. And I guess that could be one of the reasons why people do use NAT for jails.


Routing should be configured on the host, not the jail. Same for NAT'ing a lo0 clone.


----------



## kriscom (Jul 28, 2011)

What I meant by saying "to enable routing" was... without binding /dev/mem and /dev/kmem network was not working. 

Without mounting them I cannot even telnet to my host from within a jail and I got no clue why.

/etc/rc.conf

```
ifconfig_rl0="inet 192.168.2.4 netmask 255.255.255.0"
defaultrouter="192.168.2.1"
...
ifconfig_rl0_alias0="inet 192.168.2.10 netmask 255.255.255.255"
...
jail_test1_ip="192.168.2.10"
```

`netstat -r` 

```
Destination        Gateway            Flags    Refs      Use  Netif Expire
localhost          localhost          UH          0        0    lo0
192.168.2.0        link#1             UC          0        0    rl0
192.168.2.1        some mac           UHLW        1       29    rl0    396
192.168.2.3        some mac           UHLW        1       85    rl0   1167
192.168.2.4        some mac           UHLW        1        1    lo0
192.168.2.10       some mac           UHLW        1       68    lo0 =>
192.168.2.10/32    link#1             UC          0        0    rl0
```

From within a jail I get

```
test1# telnet 192.168.2.4 25
Trying 192.168.2.4...
telnet: connect to address 192.168.2.4: Connection refused
telnet: Unable to connect to remote host
```
for the host machine (lo0)

and 

```
test1# telnet 192.168.2.3 25
Trying 192.168.2.3...
telnet: connect to address 192.168.2.3: Operation timed out
telnet: Unable to connect to remote host
```
for a machine on the network (rl0)

Is there something wrong with the routes?


----------



## kriscom (Jul 29, 2011)

Shame on me!

It was a firewall on my proxy running on another machine...

It helped me to write my problem down...

Thanks and sorry...


----------



## SirDice (Jul 29, 2011)

kriscom said:
			
		

> What I meant by saying "to enable routing" was... without binding /dev/mem and /dev/kmem network was not working.


These shouldn't be needed and should be removed too. Allowing access to those devices could potentially be a security risk as applications will have access to the entire (physical) memory, including the memory used by the host and other jails.


----------

