[again] jail cannot see out


Hi all!

I have a small problem again: I can't get out to the net from a jail.
These are the settings:
host /etc/rc.conf:

ifconfig_vr0="DHCP"
ifconfig_vr0_alias0="inet 10.0.0.20 netmask 255.255.255.255"
jail_set_hostname_allow="NO"
jail_enable="YES"
jail_list="test"
jail_test_hostname="testjail.hu"
jail_test_ip="10.0.0.20"
jail_test_rootdir="/home/Jail/Jail_i386"
jail_test_devfs_enable="YES"

The jail starts fine at boot, and I can connect to it with ssh from outside. But I can't see outward from it; I tried ftp and ssh and both give the error "hostname nor servname provided, or not known". In desperation I even stopped the PF firewall, but it didn't help at all.

update:
Now I can see out from the jail, but the port forwarding won't work. See below.

Comments

Where do you want to see out to? From the jail to the host, or to outside the host? By name or by IP? Is there anything serving names to the jail?

If there's only one network card in the machine and it has a single public/internal IP, then put the jail interface on lo, say with the IP 127.0.0.2. Then set up NAT to that address in pf. That way it should work, and it can be called a clean solution too.

Actually I wrote that because I see the jail alias is being added to the external interface, but the network card gets some address via DHCP while he sets a fixed one for the jail alias. I think the address given to the alias isn't from the range DHCP hands out, so it would make sense to put the jail on lo.

If that isn't the case, i.e. the jail alias got an address that is part of your internal network, then we're clearly looking at a configuration problem, which however isn't jail-specific.

I tried rewriting things according to the above:
host rc.conf:

ifconfig_vr0="DHCP"
ifconfig_lo0="inet 10.0.0.20 netmask 255.255.255.255"
jail_enable="YES"
jail_set_hostname_allow="NO"
jail_interface="lo0"
jail_list="test"
jail_test_hostname="testjail.hu"
jail_test_ip="10.0.0.20"
jail_test_rootdir="/home/Jail/Jail_i386"
jail_test_devfs_enable="YES"

I adjusted pf.conf a bit; this should be fine now, but it's still the same error, and now I can't reach the jail from outside either.

extif = "vr0"
intif = "lo0"
natone = "10.0.0.20"

nat on $extif from $intif:network to any -> ($extif)

#HTTP, HTTPS
rdr on $extif proto tcp from any to any port 80 -> $natone
rdr on $extif proto tcp from any to any port 443 -> $natone

#SSH
rdr on $extif proto tcp from any to any port 22 -> $natone

Thanks for the help, the problem is solved.
It wasn't the firewall but ipnat that was misconfigured.

I didn't have the patience to fiddle with it any longer :-)

But now I've started on it again. So I've got as far as being able to see out from the jail; now I just need to set up the port forwarding somehow. I'm running sshd in one of the jails, listening on port 22, and I'd like it to be reachable from outside as well. I'm pasting the host's pf.conf here:

Ext = "vr0" # outward-facing interface
Loop = "lo0" # loopback interface
IntNet1="10.0.0.20" # Jail 1
IntNet2="10.0.0.40" # Jail 2, this is the one running sshd

NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

InServicesTCP = "{ ssh, http, https }"

OutServicesTCP = "{ http, https, whois, domain, ssh, ftp, ftp-data, nntp, 1863, 8880 }"
OutServicesUDP = "{ ntp, domain }"

NowDeny = "{ 445, 67, 68 }"

X11 = "{ 6010, 5900}"

Timeserver = "{ 148.6.0.1 }"

CVSupServers = "{ 212.19.57.134 }"
CVSupPorts = "{ 5999 }"

DynDNSServer = "{ 63.208.196.94 }"
DynDNSPorts = "{ 8245 }"

scrub in on $Ext all

altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

nat on $Ext from $IntNet1 to any -> ($Ext)
nat on $Ext from $IntNet2 to any -> ($Ext)
rdr on $Ext proto tcp from any to any port 5859 -> $IntNet2 port 22

block in quick on $Ext proto { tcp, udp} from any to any port $NowDeny

block out log on $Ext all
block in log on $Ext all
block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all

block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA

block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute

block in quick on $Ext from any to 255.255.255.255

pass in quick on $Ext proto tcp from any to $IntNet2 port 8022 keep state

pass in quick on $Loop all
pass out quick on $Loop all

pass out quick on $Ext inet proto tcp from any to any port > 1024 flags S/SA keep state

pass out quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state
pass in log quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SA keep state

pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP flags S/SA modulate state

pass out quick on $Ext inet proto tcp from any to $CVSupServers port $CVSupPorts flags S/SA modulate state

pass out quick on $Ext inet proto tcp from any to $Timeserver port time flags S/SA modulate state

pass out quick on $Ext inet proto tcp from any to any port { 6880><6889, 6969 } flags S/SAFR keep state
pass in quick on $Ext inet proto tcp from any to any port 6880><6889 flags S/SAFR keep state

anchor passin

ssh -l user 10.0.0.40 works fine, but ssh -vv -p 5859 -l user luk1814.no-ip.org gives this:
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to luk1814.no-ip.org [84.3.27.205] port 5859.
debug1: connect to address 84.3.27.205 port 5859: Connection refused
ssh: connect to host luk1814.no-ip.org port 5859: Connection refused

The output of pfctl -sn:
nat on vr0 inet from 10.0.0.20 to any -> (vr0) round-robin
nat on vr0 inet from 10.0.0.40 to any -> (vr0) round-robin
rdr on vr0 inet proto tcp from any to any port = 5859 -> 10.0.0.40 port 22
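Added example, not code from the thread or from pf itself: a small Python model of how pf evaluates the inbound rules posted above against a connection to port 5859. Only the inbound TCP rules relevant to the rdr are transcribed (the flag, ICMP, altq and outbound rules are left out), and the client addresses are constructed. It encodes three pf facts that matter here: nat/rdr translation runs before the filter rules, so a pass rule must match the translated destination (10.0.0.40 port 22, which $InServicesTCP does cover in the posted config); among filter rules the last match wins unless a matching rule says quick; and an rdr written "on vr0" never sees a connection that the host makes to its own public address, because that traffic is delivered over lo0 rather than vr0.

```python
"""Toy model of pf rule evaluation for the inbound rules in this thread.

Added example, not pf code. Translation (nat/rdr) is applied first, filter
rules then see the translated packet; the last matching filter rule wins
unless a match is marked "quick". rdr rules are bound to one interface.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str      # interface pf sees the packet on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    iface: str
    dport: int
    to: str
    to_port: int

    def apply(self, pkt: Packet) -> Packet:
        # an rdr only matches on the interface it was written for
        if pkt.iface == self.iface and pkt.dport == self.dport:
            return replace(pkt, dst=self.to, dport=self.to_port)
        return pkt


@dataclass(frozen=True)
class Filter:
    label: str
    action: str                         # "pass" or "block"
    iface: str
    quick: bool = False
    src_nets: Optional[tuple] = None    # None = any
    dst_nets: Optional[tuple] = None    # None = any
    dports: Optional[frozenset] = None  # None = any

    def matches(self, pkt: Packet) -> bool:
        return (pkt.iface == self.iface
                and (self.src_nets is None or any(ip_address(pkt.src) in n for n in self.src_nets))
                and (self.dst_nets is None or any(ip_address(pkt.dst) in n for n in self.dst_nets))
                and (self.dports is None or pkt.dport in self.dports))


def nets(*cidrs):
    return tuple(ip_network(c) for c in cidrs)


# Transcribed from the host pf.conf in the thread (inbound TCP rules only).
RDRS = [Rdr("vr0", 5859, "10.0.0.40", 22)]
NOROUTE = nets("127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
FILTERS = [
    Filter("block in log on $Ext all", "block", "vr0"),
    Filter("block return-rst in log on $Ext proto tcp all", "block", "vr0"),
    Filter("block in log quick on $Ext from $NoRoute to any", "block", "vr0",
           quick=True, src_nets=NOROUTE),
    Filter("pass in quick on $Ext proto tcp from any to $IntNet2 port 8022", "pass", "vr0",
           quick=True, dst_nets=nets("10.0.0.40/32"), dports=frozenset({8022})),
    Filter("pass in quick on $Loop all", "pass", "lo0", quick=True),
    Filter("pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP", "pass", "vr0",
           quick=True, dports=frozenset({22, 80, 443})),
]


def decide(pkt: Packet, rdrs=RDRS, filters=FILTERS):
    """Return (packet after translation, action, label of the deciding rule)."""
    for r in rdrs:                  # translation first ...
        pkt = r.apply(pkt)
    winner = None
    for f in filters:               # ... then filtering: last match wins unless quick
        if f.matches(pkt):
            winner = f
            if f.quick:
                break
    if winner is None:              # pf's default when nothing matches is pass
        return pkt, "pass", "(no match: default pass)"
    return pkt, winner.action, winner.label


if __name__ == "__main__":
    PUBLIC = "84.3.27.205"          # address from the ssh -vv output in the thread
    CLIENT = "198.51.100.7"         # constructed outside client address
    # 1. outside client on vr0: rdr rewrites dst to 10.0.0.40:22, the port-22 pass rule matches
    print(decide(Packet("vr0", CLIENT, PUBLIC, 5859)))
    # 2. the host connecting to its own public address: the packet is on lo0,
    #    "rdr on vr0" never applies, dport stays 5859
    print(decide(Packet("lo0", PUBLIC, PUBLIC, 5859)))
    # 3. a pass rule written for the pre-translation port never matches after rdr
    wrong = [FILTERS[0], Filter("pass in quick port 5859", "pass", "vr0",
                                quick=True, dports=frozenset({5859}))]
    print(decide(Packet("vr0", CLIENT, PUBLIC, 5859), filters=wrong))
```

The model is only a reading aid for the rule set, not a substitute for the host's own view: the checks it suggests are to run the forward test from a machine outside the host rather than from the host itself, and to watch pfctl -ss and pfctl -sr on the host while connecting.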