Re: two NIC's in a jail

Re: two NIC's in a jail

Miroslav Lachman
Joerg Surmann wrote on 2018/03/23 16:45:

> Thanks for the reply.
>
> netstat -an | egrep 'tcp4.*80 .*LISTEN'
> says:
> netstat: kvm not available: /dev/mem No such file or directory <- is
> inside a jail.
> tcp4    0        0 *.80        *.*        LISTEN
>
> grep -i Listen /usr/local/etc/apache24/httpd.conf
>
> Listen 80
> Listen 443
>
> From the internal IP there is no problem.
> You are right. I'm not sure on which IPs Apache is listening.
>
> I have changed the Listen directive to the external IP in httpd.conf
> Listen 213.70.80.92:80
>
> netstat -an | egrep 'tcp4.*80 .*LISTEN'
> now says:
> tcp4    0        0  213.70.80.92:80        *.*        LISTEN
>
> But Apache is not available from the Internet.
> From the intranet... no problem.
>
> When I use tcpdump on the host I can see traffic.
>
> What's wrong?

That's strange.

Listen 80 and Listen 443 is OK, it is the same as
   Listen *:80
   Listen *:443
and as you see with netstat, Apache was listening on both IPs:
  *.80        *.*        LISTEN

Do you have something listening on port 80 on the host?

What does netstat show on the host?

Also check the Apache log files. If you didn't configure a virtual host, then
you have just these two log files:
/var/log/httpd-access.log
/var/log/httpd-error.log

Use tail and then try to access your website from the internet

# tail -f /var/log/httpd-*.log

Please send what "jls -v" on the host shows you (there should be 2
IPs for your jail), or "jls -s" (replace any sensitive information if
you want).

And move this discussion to the proper mailing list:
  [hidden email]

Miroslav Lachman


> On 23.03.2018 at 16:07, Miroslav Lachman wrote:
>> Joerg Surmann wrote on 2018/03/23 13:49:
>>> Hi all,
>>>
>>> I have a problem understanding how to manage 2 networks inside a jail.
>>>
>>> I have created a jail (using ezjail) with an alias IP.
>>> In rc.conf (on the host):
>>>
>>> ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
>>> ifconfig_vmx0_alias0="inet 192.168.100.2 netmask 255.255.255.0"  <- this is the jail IP
>>>
>>> Inside the jail, apache24 is running.
>>>
>>> Now I add a new NIC to the system.
>>> In rc.conf (on the host):
>>> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>>>
>>> In /usr/local/etc/ezjail/myjail.conf
>>> I add the new IP:
>>> export jail_myjail_ip="192.168.100.2,213.70.80.92"
>>>
>>> Restart the jail and ifconfig looks fine.
>>> vmx0 -> inet 192.168.100.2
>>> em0  -> inet 213.70.80.92
>>>
>>> Apache listens on all NICs (<VirtualHost *:80>)
>>> But I can see my website only via 192.168.100.2 from the internal network.
>>>
>>> The host is behind a firewall.
>>> The IP 213.70.80.92 is enabled for incoming traffic.
>>>
>>> When I enter the hostname in a browser I get "connection Timeout".
>>>
>>> What do I need to do so that the host is accessible from the Internet?
>>
>> Are you sure Apache is listening on both IPs?
>>
>> What does netstat say?
>>
>> # netstat -an | egrep 'tcp4.*80 .*LISTEN'
>>
>> Also check what you have in httpd.conf for the Listen directive
>>
>> # grep -i Listen /usr/local/etc/apache24/httpd.conf
>>
>> I am not using ezjail, I am using jail.conf
>>
>> costa {
>>          host.hostname   = "costa.example.com";
>>          ip4.addr        = AA.BB.CCC.DDD;
>>          ip4.addr       += 192.168.222.57;
>> }
>>
>> Real IP was replaced with AA.BB.CCC.DDD
>>
>> And it works. Services inside the jail must be listening on both IPs or
>> wildcard * (0.0.0.0)
>>
>> And be sure to stop the host's services from listening on the IPs and
>> ports you want to be served from the jail.
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"

Re: two NIC's in a jail

Joerg Surmann-2
tail -f /var/log/httpd-access.log
192.168.100.2 - - [23/Mar/2018:13:12:10 +0000] "OPTIONS * HTTP/1.0" 200 -
192.168.100.2 - - [23/Mar/2018:15:12:02 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:07 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:08 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:33:09 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:37 +0000] "GET / HTTP/1.1" 302 209
213.70.80.92 - - [23/Mar/2018:15:35:44 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:45 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:35:46 +0000] "OPTIONS * HTTP/1.0" 200 -
213.70.80.92 - - [23/Mar/2018:15:58:05 +0000] "GET / HTTP/1.1" 302 209

tail -f /var/log/httpd-error.log
[Fri Mar 23 12:08:18.142835 2018] [mpm_prefork:notice] [pid 18904]
AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15
configured -- resuming normal operations
[Fri Mar 23 12:08:18.142925 2018] [core:notice] [pid 18904] AH00094:
Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Fri Mar 23 12:30:19.005654 2018] [mpm_prefork:notice] [pid 18904]
AH00169: caught SIGTERM, shutting down
[Fri Mar 23 12:31:11.111900 2018] [ssl:warn] [pid 2542] AH01873: Init:
Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 23 12:31:11.847515 2018] [mpm_prefork:notice] [pid 2542]
AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15
configured -- resuming normal operations
[Fri Mar 23 12:31:11.847589 2018] [core:notice] [pid 2542] AH00094:
Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
[Fri Mar 23 15:32:08.238227 2018] [mpm_prefork:notice] [pid 2542]
AH00169: caught SIGTERM, shutting down
[Fri Mar 23 15:32:08.414689 2018] [ssl:warn] [pid 40920] AH01873: Init:
Session Cache is not configured [hint: SSLSessionCache]
[Fri Mar 23 15:32:08.716943 2018] [mpm_prefork:notice] [pid 40920]
AH00163: Apache/2.4.29 (FreeBSD) OpenSSL/1.0.2k-freebsd PHP/7.1.15
configured -- resuming normal operations
[Fri Mar 23 15:32:08.717018 2018] [core:notice] [pid 40920] AH00094:
Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT

jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
    
     2  apache24                      /usr/jails/apache24
        apache24                      ACTIVE
        3
        192.168.100.2
        213.70.80.92


jls -s

devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2
name=apache24 osreldate=1101001 osrelease=11.1-RELEASE
path=/usr/jails/apache24 nopersist securelevel=-1 sysvmsg=disable
sysvsem=disable sysvshm=disable allow.nochflags allow.mount
allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs
allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs
allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets
allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0
host.domainname="" host.hostid=0 host.hostname=apache24
host.hostuuid=00000000-0000-0000-0000-000000000000


Re: two NIC's in a jail

Miroslav Lachman
Joerg Surmann wrote on 2018/03/23 17:14:

> tail -f /var/log/httpd-access.log
> 192.168.100.2 - - [23/Mar/2018:13:12:10 +0000] "OPTIONS * HTTP/1.0" 200 -
> 192.168.100.2 - - [23/Mar/2018:15:12:02 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:07 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:08 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:33:09 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:37 +0000] "GET / HTTP/1.1" 302 209
> 213.70.80.92 - - [23/Mar/2018:15:35:44 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:45 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:35:46 +0000] "OPTIONS * HTTP/1.0" 200 -
> 213.70.80.92 - - [23/Mar/2018:15:58:05 +0000] "GET / HTTP/1.1" 302 209

How did you make the request from 213.70.80.92? Was it made from localhost
where Apache runs?

> jls -v
>     JID  Hostname                      Path
>          Name                          State
>          CPUSetID
>          IP Address(es)
>
>       2  apache24                      /usr/jails/apache24
>          apache24                      ACTIVE
>          3
>          192.168.100.2
>          213.70.80.92

Looks good

> jls -s
>
> devfs_ruleset=0 enforce_statfs=2 host=new ip4=disable ip6=disable jid=2
> name=apache24 osreldate=1101001 osrelease=11.1-RELEASE
> path=/usr/jails/apache24 nopersist securelevel=-1 sysvmsg=disable
> sysvsem=disable sysvshm=disable allow.nochflags allow.mount
> allow.mount.nodevfs allow.mount.nofdescfs allow.mount.nolinprocfs
> allow.mount.nolinsysfs allow.mount.nonullfs allow.mount.noprocfs
> allow.mount.notmpfs allow.mount.nozfs allow.noquotas allow.raw_sockets
> allow.noset_hostname allow.nosocket_af allow.nosysvipc children.max=0
> host.domainname="" host.hostid=0 host.hostname=apache24
> host.hostuuid=00000000-0000-0000-0000-000000000000

This is strange. You have ip4=disable ip6=disable. My jails have
"ip4=new ip6=disable"
And you don't have ip4.addr at all. I have ip4.addr=172.16.16.2 for example

Miroslav Lachman



Re: two NIC's in a jail

Joerg Surmann-2
Hi,

Thanks for your help.

I can't find a solution.

But I have found a strange IP config.

In rc.conf on the host (not the jail):

ifconfig_vmx0_alias1="inet 192.168.100.2  netmask 255.255.255.0"
ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"

ifconfig on the host says:
inet 213.70.80.92 netmask 0xffffffff broadcast 213.70.80.92
inet 192.168.100.2  netmask 0xffffffff broadcast 192.168.100.2

ifconfig says /32 for both IPs.

Maybe that's the reason Apache is unavailable.

ifconfig inside the jail says the same.

I'm a little bit confused.


Re: two NIC's in a jail

Miroslav Lachman
joerg_surmann wrote on 2018/03/23 20:12:

> Hi,
>
> Thanks for your help.
>
> I can't find a solution.
>
> But I have found a strange IP config.
>
> In rc.conf on the host (not the jail):
>
> ifconfig_vmx0_alias1="inet 192.168.100.2  netmask 255.255.255.0"
> ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"
>
> ifconfig on the host says:
> inet 213.70.80.92 netmask 0xffffffff broadcast 213.70.80.92
> inet 192.168.100.2  netmask 0xffffffff broadcast 192.168.100.2
>
> ifconfig says /32 for both IPs.
>
> Maybe that's the reason Apache is unavailable.
>
> ifconfig inside the jail says the same.
>
> I'm a little bit confused.

I think it can be a problem with your configuration of ezjail. I am not
sure, but if I remember it well, if you set an IP for a jail in the ezjail
configuration, it will be added to the network interface on startup and
removed on stop of the jail.
So when you start the host you will have 192.168.100.2/24, but after jail
start you will end up with 192.168.100.2/32.
Can you confirm this? (Reboot the machine with ezjail disabled in rc.conf.)

You need to configure ezjail to not manage IPs on interfaces.

Please post the content of ezjail.conf and the full conf of your jail.



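
Added example (not part of the original thread): a POSIX sh check for the symptom discussed in the last two messages, where addresses configured with a /24 netmask in rc.conf show up with netmask 0xffffffff (/32) in ifconfig. The rc.conf and ifconfig lines are the ones posted above; the 192.168.100.1 ifconfig line and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report addresses whose live netmask
# (ifconfig) differs from the netmask configured in rc.conf.

# Netmask (dotted quad or FreeBSD-style 0x hex) -> prefix length.
# Fails on malformed or non-contiguous masks.
mask_to_prefix() {
    m=$1
    case $m in
        0x????????) hex=${m#0x} ;;
        *.*.*.*)
            oldifs=$IFS; IFS=.; set -- $m; IFS=$oldifs
            [ $# -eq 4 ] || return 1
            hex=$(printf '%02x%02x%02x%02x' "$1" "$2" "$3" "$4") || return 1 ;;
        *) return 1 ;;
    esac
    bits=0; ended=0
    while [ -n "$hex" ]; do
        rest=${hex#?}; d=${hex%"$rest"}; hex=$rest
        case $d in
            0) ended=1; continue ;;
        esac
        [ "$ended" -eq 0 ] || return 1      # a 1-bit after a 0-bit
        case $d in
            f|F) bits=$((bits + 4)) ;;
            e|E) bits=$((bits + 3)); ended=1 ;;
            c|C) bits=$((bits + 2)); ended=1 ;;
            8)   bits=$((bits + 1)); ended=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$bits"
}

# stdin: rc.conf lines or ifconfig output. stdout: "<ip> <prefix>" per inet entry.
addr_prefixes() {
    tr '="' '  ' | {
        set -f                              # no globbing while word-splitting
        while read -r line; do
            case $line in \#*) continue ;; esac
            ip=; mask=; prev=
            for w in $line; do
                case $prev in
                    inet)    ip=$w ;;
                    netmask) mask=$w ;;
                esac
                prev=$w
            done
            [ -n "$ip" ] && [ -n "$mask" ] || continue
            if p=$(mask_to_prefix "$mask"); then echo "$ip $p"; fi
        done
    }
}

# $1 = rc.conf text, $2 = ifconfig text. One DRIFT line per mismatching address.
prefix_drift() {
    conf=$(printf '%s\n' "$1" | addr_prefixes)
    printf '%s\n' "$2" | addr_prefixes | while read -r ip live; do
        printf '%s\n' "$conf" | while read -r cip want; do
            if [ "$cip" = "$ip" ] && [ "$want" != "$live" ]; then
                echo "DRIFT $ip configured=/$want live=/$live"
            fi
        done
    done
}

# rc.conf lines as posted in the thread.
RC_CONF='ifconfig_vmx0="inet 192.168.100.1 netmask 255.255.255.0"
ifconfig_vmx0_alias1="inet 192.168.100.2  netmask 255.255.255.0"
ifconfig_em0="inet 213.70.80.92 netmask 255.255.255.0"'

# ifconfig lines as posted; the 192.168.100.1 line is constructed.
IFCONFIG='inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
inet 213.70.80.92 netmask 0xffffffff broadcast 213.70.80.92
inet 192.168.100.2  netmask 0xffffffff broadcast 192.168.100.2'

prefix_drift "$RC_CONF" "$IFCONFIG"
```

On a real host the two arguments would be the contents of /etc/rc.conf and the output of ifconfig, captured before and after the jail starts.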