Re: two NIC's in a jail

From: Joerg Surmann <joerg_surmann_at_elektropost.org> Date: Fri, 23 Mar 2018 16:53:28 +0100 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:15 UTC

Thanks for replay.

netstat -an | egrep 'tcp4.*80 .*LISTEN'
say:
netstat: kvm not available: /dev/mem No such file or directory <- is
inside a jail.
tcp4    0        0 *.80        *.*        LISTEN

grep -i Listen /usr/local/etc/apache24/httpd.conf

Listen 80
Listen 443

From the internal IP is no Problem.
You are right. I'm not sure on wich IP's Apache is listening.

I have change the Listen directive to the external IP in httpd.conf
Listen 213.70.80.92:80

netstat -an | egrep 'tcp4.*80 .*LISTEN'
now say:
tcp4    0        0  213.70.80.92:80        *.*        LISTEN

But apache is not availble from Internet.
From Intranet... no Problem.

When i use tcpdump on Host i can see Traffic.

Whats wrong?

Am 23.03.2018 um 16:07 schrieb Miroslav Lachman:
> Joerg Surmann wrote on 2018/03/23 13:49:
>> Hi all,
>>
>> I have a Problem to understund how to manage 2 Networks inside a Jail.
>>
>> i have create a jail (using ezjail) with a alias IP.
>> in rc.conf (on Host):
>>
>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this
>> is the jail ip
>>
>> Inside the jail running apachhe24.
>>
>> Now i add a new NIC to the System.
>> in rc.conf (on Host):
>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>
>> in /usr/local/etc/ezjail/myjail.conf:
>> i add the new ip
>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>
>> Restart the jail and ifconfig looks fine.
>> vmx0 -> inet 192.168.100.2
>> em0  -> inet 213.70.80.92
>>
>> Apache Listen on all NIC's (<VirtualHost *:80>)
>> But i can see my Website only via 192.168.100.2 from intern Network.
>>
>> The Host is behind a Firewall.
>> The IP  213.70.80.92 is enabled for incomming Traffic.
>>
>> When i give the Hostname in a Browser i become "connection Timeout".
>>
>> What is to do that the Host is accessable from Inet?
>
> Are you sure Apache is listening on both IPs?
>
> What netstat says?
>
> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>
> Also check what you have in httpd.conf for Listen directive
>
> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>
> I am not using ezjail, I am using jail.conf
>
> costa {
>         host.hostname   = "costa.example.com";
>         ip4.addr        = AA.BB.CCC.DDD;
>         ip4.addr       += 192.168.222.57;
> }
>
> Real IP was replaced with AA.BB.CCC.DDD
>
> And it works. Services inside jail must be listening on both IPs or
> wildcard * (0.0.0.0)
>
> And be sure to disable hosts services to listen on IPs and ports you
> want to be served from jail.
>
> Miroslav Lachman