Hi, i've set the outside ip for the jail..It works.. When i try to ssh to
jail'ed system from the main system (in which is created jail) the
connection is successful, but when i try to connect to jailed system from
anywhere else i get this message:
ssh: connect to host IP_NUMBER port 22: Operation timed out
What can be wrong here? How to solve this problem?
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

> -------------------------------------------------------------------------- <

From: roam@ringlet.net (Peter Pentchev), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 18:08:57 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> Hi, i've set the outside ip for the jail..It works.. When i try to ssh to
> jail'ed system from the main system (in which is created jail) the
> connection is successful, but when i try to connect to jailed system from
> anywhere else i get this message:
> ssh: connect to host IP_NUMBER port 22: Operation timed out
> What can be wrong here? How to solve this problem?

Are you running some sort of firewall on the main system? You might
have to add additional rules allowing SSH into the jailed one...

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.

> -------------------------------------------------------------------------- <

From: stakys@punktas.lt, Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 18:18:36 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> Hi, i've set the outside ip for the jail..It works.. When i try to ssh to
> jail'ed system from the main system (in which is created jail) the
> connection is successful, but when i try to connect to jailed system from
> anywhere else i get this message:
> ssh: connect to host IP_NUMBER port 22: Operation timed out
> What can be wrong here? How to solve this problem?

>>Are you running some sort of firewall on the main system? You might
>>have to add additional rules allowing SSH into the jailed one...

>>G'luck,
>>Peter

I'm running IPFW but i put such a lines to ipfw.rules to be sure that it's
not firewall's fault, about connecting to jail'ed system from outside.
Here are the lines:
ipfw add 50 allow ip from any to any via lo0
ipfw add 51 allow ip from any to any via rl0

> -------------------------------------------------------------------------- <

From: roam@ringlet.net (Peter Pentchev), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 17:51:34 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

On Tue, Aug 05, 2003 at 01:20:23PM -0000, stakys@punktas.lt wrote:
> On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> > Hi, i've set the outside ip for the jail..It works.. When i try to ssh to
> > jail'ed system from the main system (in which is created jail) the
> > connection is successful, but when i try to connect to jailed system from
> > anywhere else i get this message:
> > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > What can be wrong here? How to solve this problem?
>
> >>Are you running some sort of firewall on the main system? You might
> >>have to add additional rules allowing SSH into the jailed one...
>
> >>G'luck,
> >>Peter
>
> I'm running IPFW but i put such a lines to ipfw.rules to be sure that it's
> not firewall's fault, about connecting to jail'ed system from outside.
> Here are the lines:
> ipfw add 50 allow ip from any to any via lo0
> ipfw add 51 allow ip from any to any via rl0

If it would not be a great security risk, could you post the whole
set of ipfw rules that you are using? Alternatively, could you add a
'log' clause to all the 'deny' rules, and then watch for denied packets
in the syslog?
As another alternative, you could 'ipfw -f' for the
duration of the test...

Sorry if I seem fixated on ipfw, but in my limited experience, it is
the single most common reason for jail network connectivity problems :)
Closely followed by missing /etc/resolv.conf files in jail/chroot
filesystems, but that's another story...

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
because I didn't think of a good beginning of it.

> -------------------------------------------------------------------------- <

From: roam@ringlet.net (Peter Pentchev), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 17:51:34 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

On Tue, Aug 05, 2003 at 01:36:36PM +0300, Peter Pentchev wrote:
> On Tue, Aug 05, 2003 at 01:20:23PM -0000, stakys@punktas.lt wrote:
> > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> > > Hi, i've set the outside ip for the jail..It works.. When i try to ssh to
> > > jail'ed system from the main system (in which is created jail) the
> > > connection is successful, but when i try to connect to jailed system from
> > > anywhere else i get this message:
> > > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > > What can be wrong here? How to solve this problem?
> >
> > >>Are you running some sort of firewall on the main system? You might
> > >>have to add additional rules allowing SSH into the jailed one...
> >
> > >>G'luck,
> > >>Peter
> >
> > I'm running IPFW but i put such a lines to ipfw.rules to be sure that it's
> > not firewall's fault, about connecting to jail'ed system from outside.
> > Here are the lines:
> > ipfw add 50 allow ip from any to any via lo0
> > ipfw add 51 allow ip from any to any via rl0
>
> If it would not be a great security risk, could you post the whole
> set of ipfw rules that you are using? Alternatively, could you add a
> 'log' clause to all the 'deny' rules, and then watch for denied packets
> in the syslog? As another alternative, you could 'ipfw -f' for the
> duration of the test...

*THWAP*... Of course I meant 'ipfw flush' :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
The rest of this sentence is written in Thailand, on

> -------------------------------------------------------------------------- <

From: stakys@punktas.lt ("stakys"), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 19:49:12 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

sockstat -4l | grep sshd
root sshd 76407 3 tcp4 Jailed_system_outside_ip:22 *:*
root sshd 111 4 tcp4 *:22 *:*

I get this...
Btw: i have just that firewall rules for testing if it's not ipfw fault.
Also as i see for now i need to set for my main system and for jail'ed system
to ListenAddress options yes?
Ok i tried to do so, and changed ListenAddress parameter in jail'ed and main
system sshd_config, the sockstat shows:
root sshd 294 3 tcp4 Jailed_system_outside_ip:22 *:*
root sshd 111 3 tcp4 Main_system_outside_ip:22 *:*

But when i tried to connect to the jail'ed system from outside i get the
message of connection timed out.

> ----- Original Message -----
> From: "Sander de Leeuw" <sander@delete-it.nl>
> To: <stakys@punktas.lt>
> Sent: Tuesday, August 05, 2003 1:22 PM
> Subject: RE: Problems with JAIL in 4.8R
>
> > Hi,
> >
> > I'm not really sure about this, just writing what comes up in my mind. I
> > also have running jails in FreeBSD 4.8, and one is running sshd without
> > problems. First of all, I assume that you followed the procedure
> > explained in 'man jail'. It is important to be sure that if you run some
> > sort of daemon in a jail, while running the same daemon in your host
> > environment, they do NOT bind on the same TCP socket. So, doing a
> > 'sockstat -4l | grep sshd' should return something like this:
> >
> > root sshd 19906 3 tcp4 192.168.25.16:22 *:*
> > root sshd 116 3 tcp4 192.168.25.1:22 *:*
> >
> > AND NOT:
> >
> > root sshd 19906 3 tcp4 192.168.25.16:22 *:*
> > root sshd 116 3 tcp4 *:22 *:*
> >
> > In this case you should set the ListenAddress parameter in your
> > /etc/ssh/sshd_config file.
> >
> > I hope you can do something with it, good luck.
> > Sander de Leeuw
> > sander@delete-it.nl
> >
> > -----Original Message-----
> > From: owner-freebsd-security@freebsd.org
> > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of stakys@punktas.lt
> > Sent: Tuesday, 5 August 2003 14:57
> > To: freebsd-security@freebsd.org
> > Subject: Problems with JAIL in 4.8R
> >
> > Hi, i've set the outside ip for the jail..It works.. When i try to ssh to
> > jail'ed system from the main system (in which is created jail) the
> > connection is successful, but when i try to connect to jailed system from
> > anywhere else i get this message:
> > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > What can be wrong here? How to solve this problem?

> -------------------------------------------------------------------------- <

From: stakys@punktas.lt ("stakys"), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 21:39:46 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

Didn't help. Any more suggestions about solving this problem?

----- Original Message -----
From: "Konstantin M Volevatch" <cox@rosnet.ru>
To: <stakys@punktas.lt>; <freebsd-security@freebsd.org>
Sent: Tuesday, August 05, 2003 3:31 PM
Subject: Re: Problems with JAIL in 4.8R

> Try this:
> ipfw add 52 allow ip from any to me via rl0
>
> On 5 August 2003 17:20, stakys@punktas.lt wrote:
> > On Tue, Aug 05, 2003 at 12:56:36PM -0000, stakys@punktas.lt wrote:
> > > Hi, i've set the outside ip for the jail..It works.. When i try to ssh to
> > > jail'ed system from the main system (in which is created jail) the
> > > connection is successful, but when i try to connect to jailed system from
> > > anywhere else i get this message:
> > > ssh: connect to host IP_NUMBER port 22: Operation timed out
> > > What can be wrong here? How to solve this problem?
> >
> > >>Are you running some sort of firewall on the main system?
> > >>You might have to add additional rules allowing SSH into the jailed one...
> > >>
> > >>G'luck,
> > >>Peter
> >
> > I'm running IPFW but i put such a lines to ipfw.rules to be sure that it's
> > not firewall's fault, about connecting to jail'ed system from outside.
> > Here are the lines:
> > ipfw add 50 allow ip from any to any via lo0
> > ipfw add 51 allow ip from any to any via rl0
>
> --
> Konstantin M. Volevatch <cox@rosnet.ru>
> Internet Service Division, RosNet JSC, Moscow
> (095) 7813332 [local:4341]

> -------------------------------------------------------------------------- <

From: loman@cluj.astral.ro (Emilian Ursu), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 21:53:46 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

I suppose it would be silly to ask if you're trying to connect to
private ips (rfc1928) from "outside".

On Tue, 5 Aug 2003, stakys wrote:
> Didn't help. Any more suggestions about solving this problem?

> -------------------------------------------------------------------------- <

From: stakys@punktas.lt ("stakys"), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 21:53:46 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

Maybe i have to add some rules to ipfw to that rl0 alias somehow? I don't know
how to add rule for rl0 alias, to allow all traffic. Because if just adding
rules for rl0 it do not helps.

----- Original Message -----
From: "Konstantin M Volevatch" <cox@rosnet.ru>
To: <stakys@punktas.lt>; <freebsd-security@freebsd.org>
Sent: Tuesday, August 05, 2003 3:31 PM
Subject: Re: Problems with JAIL in 4.8R

> Try this:
> ipfw add 52 allow ip from any to me via rl0

> -------------------------------------------------------------------------- <

From: hnunez@vianetworks.com.ar (Hernan Nunez), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 21:53:46 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

Try using sshd in debug mode [SSHD(8)]. Inside the jail run sshd -ddd,
setting up ListenAddress jail.ip.addr in your sshd_config .,.,

Tip:
If you are using , in your jail, an ip addr (alias address) from the same
network than outside you must use a host mask 255.255.255.255 in your alias
addrs.,.,

Hernan

----- Original Message -----
From: "stakys" <stakys@punktas.lt>
To: "Konstantin M Volevatch" <cox@rosnet.ru>; <freebsd-security@freebsd.org>
Sent: Tuesday, August 05, 2003 10:45 AM
Subject: Re: Problems with JAIL in 4.8R

> Didn't help. Any more suggestions about solving this problem?

> -------------------------------------------------------------------------- <

From: stakys@punktas.lt ("stakys"), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 23:35:51 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

I've tried in debug mode but do not gives any error when i get the timeout,
also my netmask set as you said. Any ideas how to solve it?

----- Original Message -----
From: "Hernan Nunez" <hnunez@vianetworks.com.ar>
To: <freebsd-security@freebsd.org>
Sent: Tuesday, August 05, 2003 5:48 PM
Subject: Re: Problems with JAIL in 4.8R

> Try using sshd in debug mode [SSHD(8)]. Inside the jail run sshd -ddd,
> setting up ListenAddress jail.ip.addr in your sshd_config .,.,
>
> Tip:
> If you are using , in your jail, an ip addr (alias address) from the same
> network than outside you must use a host mask 255.255.255.255 in your alias
> addrs.,.,
>
> Hernan

> -------------------------------------------------------------------------- <

From: hnunez@vianetworks.com.ar (Hernan Nunez), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 23:35:51 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

Do you have configured your /etc/resolv.conf and /etc/hosts ??
Do you use /etc/hosts.allow ??

----- Original Message -----
From: "stakys" <stakys@punktas.lt>
To: <hnunez@vianetworks.com.ar>; <freebsd-security@freebsd.org>
Sent: Tuesday, August 05, 2003 12:41 PM
Subject: Re: Problems with JAIL in 4.8R

> I've tried in debug mode but do not gives any error when i get the timeout,
> also my netmask set as you said. Any ideas how to solve it?

> -------------------------------------------------------------------------- <

From: stakys@punktas.lt ("stakys"), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Tue Aug 5 23:35:51 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

I've set in my resolv.conf the same nameservers as in main system, and in
jailed system /etc/hosts file i've set this:
JAILED_OUTSIDE_IP clnt.xxx.com clnt
Also file hosts.allow i do not use.

----- Original Message -----
From: "Hernan Nunez" <hnunez@vianetworks.com.ar>
To: "stakys" <stakys@punktas.lt>; <freebsd-security@freebsd.org>
Sent: Tuesday, August 05, 2003 6:48 PM
Subject: Re: Problems with JAIL in 4.8R

> Do you have configured your /etc/resolv.conf and /etc/hosts ??
> Do you use /etc/hosts.allow ??

> -------------------------------------------------------------------------- <

From: roam@ringlet.net (Peter Pentchev), Board: FB_security
Subject: Re: Problems with JAIL in 4.8R
Posted at: NCTU CSIE FreeBSD Server (Wed Aug 6 00:03:44 2003)
Relayed via: ptt!FreeBSD.csie.NCTU!not-for-mail

On Tue, Aug 05, 2003 at 06:41:47PM +0300, stakys wrote:
> I've tried in debug mode but do not gives any error when i get the timeout,
> also my netmask set as you said. Any ideas how to solve it?

I would *still* bet on the firewall. Could you add a 'log' keyword to
all the 'deny' rules in your ipfw ruleset (if you think that there are
none, please double-check to make sure that there really are none; does
ipfw list really not show any of them?), and see in your syslog if
something is being denied?

Also, it might be the firewall on the machine that you are trying to
connect *from* - the machine that you are running the SSH client on.
Are you sure it will not block an attempt to connect to the jail's
IP address on port 22?

A third option would be any devices between the two machines: routers,
cable modem gateways, other computers acting as gateways..

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
This sentence would be seven words long if it were six words shorter.
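
Added example, not part of any message in the thread: the 'log' on every 'deny' rule suggestion above, applied mechanically to an ipfw rules script so that dropped packets show up in syslog. The function name and the sample ruleset are constructed (rules 50 and 51 are the two posted in the thread); it assumes one `ipfw add ...` rule per line.

```shell
#!/bin/sh
# Added example: insert the `log` keyword into every packet-discarding rule
# of an ipfw rules script. Rule grammar relied on:
#   ipfw add [number] action [log] proto from src to dst [options]
# Logged packets only reach syslog when net.inet.ip.fw.verbose is 1.
# The kernel built-in rule 65535 is not in the file and is left alone.

add_log_to_denies() {
    awk '
    {
        # Find the "add" keyword. Lines without it (comments, flush,
        # blank lines) pass through untouched.
        a = 0
        for (i = 1; i <= NF; i++) if ($i == "add") { a = i; break }
        if (a == 0 || $1 ~ /^#/) { print; next }

        act = a + 1
        if ($act ~ /^[0-9]+$/) act++              # optional rule number

        # Only actions that discard the packet are rewritten.
        if ($act != "deny" && $act != "drop" && $act != "reject" &&
            $act != "reset" && $act != "unreach") { print; next }

        last = act
        if ($act == "unreach") last = act + 1     # "unreach" carries a code

        if ($(last + 1) == "log") { print; next } # already logging

        # Rebuild the rule with "log" right after the action.
        out = ""
        for (i = 1; i <= NF; i++) {
            out = out (i > 1 ? " " : "") $i
            if (i == last) out = out " log"
        }
        print out
    }'
}

# Constructed sample ruleset; rules 50 and 51 are the ones from the thread.
sample_rules() {
    cat <<'EOF'
# constructed ruleset for the example
ipfw -f flush
ipfw add 50 allow ip from any to any via lo0
ipfw add 51 allow ip from any to any via rl0
ipfw add 200 deny tcp from any to any 23
ipfw add 210 unreach host udp from any to any 137-139
ipfw add 300 deny log ip from any to any frag
EOF
}

# Print the rewritten ruleset; rules 200 and 210 gain "log", 300 is kept.
sample_rules | add_log_to_denies
```

With the rewritten rules loaded, a connection attempt from outside that is being dropped by the host firewall produces an ipfw line in syslog naming the rule number that matched.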