Jaily a jedna IP [delsi mail]
Miroslav Prýmek
m.prymek at gmail.com
Thu Jan 28 21:37:06 CET 2010
On 28.1.2010, at 19:40, Miroslav Lachman wrote:
> Miroslav Prýmek wrote:
>
> [...]
>
>> Jenom pripominam, ze jsem mluvil o spojeni. ktere pochazi Z JAILU, takze
>> by melo prvne projit tap0 a potom fxp0 (kde se natuje).
>
> V zaslanych pravidlech se neNATuje.
Omlovam se, vypadl mi tam jeden radek:
nat on $ext_if from !($ext_if) -> ($ext_if:0)
Kazdopadne teda po trose laborovani:
[test:~]# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
block drop log all
pass in on fxp0 proto udp from any to any port = bootps keep state
pass in on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass out log on fxp0 all flags S/SA keep state
block drop log on lo1 all <------- abych si byl uplne jistej... je to zbytecny, vim
[test:~]# pfctl -sInterfaces -v
No ALTQ support in kernel
ALTQ related functions disabled
all
fxp0
fxp1
lo
lo0
lo1
pflog
pflog0
[test:~]# uname -a
FreeBSD test.dom 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Fri May 1 08:49:13 UTC 2009 root na walker.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
Uz jsem z toho uplne blazen :)
********************* V JAILU:
[www-master:~]# ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
ether XXXXXXXX
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo1: flags=8149<UP,LOOPBACK,RUNNING,PROMISC,MULTICAST> metric 0 mtu 16384
inet 10.0.1.2 netmask 0xffffffff
[www-master:~]# telnet 74.125.87.99 80
Trying 74.125.87.99...
Connected to hb-in-f99.1e100.net. <-------------- pripojeno, prestoze lo1 je blokovany!
[www-master:~]# nc -kl 10.0.1.2 5555 <-------------- vyzkousim spojeni opacnym smerem...
********************* a potom z "HLAVNI ZONY" (ne-jailu):
[test:~]# ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=2009<RXCSUM,VLAN_MTU,WOL_MAGIC>
ether X
inet 192.168.2.13 netmask 0xffffff00 broadcast 192.168.2.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet 10.0.1.254 netmask 0xffffffff
inet 10.0.1.1 netmask 0xffffffff
inet 10.0.1.2 netmask 0xffffffff
inet 10.0.1.3 netmask 0xffffffff
[test:~]# telnet 10.0.1.2 5555 <-------------- zkusim se pripojit na ten poslouchajici netcat...
Trying 10.0.1.2...
telnet: connect to address 10.0.1.2: Operation not permitted
telnet: Unable to connect to remote host
To je v poradku, protoze vsechno na lo1 je blokovany, v logu se spravne objevi:
000884 rule 4/0(match): block out on lo1: 10.0.1.2.54472 > 10.0.1.2.5555: tcp 40 [bad hdr length 0 - too short, < 20]
Jenze z jailu jsem ven mohl! A kdyz dam (mimo jail):
[test:~]# tcpdump -i lo1
...a v jailu:
[www-master:~]# telnet 74.125.87.99 80
Trying 74.125.87.99...
Connected to hb-in-f99.1e100.net.
...tak tcpdump nezobrazi VUBEC NIC. Znamena to teda, je jail PRICHOZI spojeni jdou skutecne pres lo1, ale ODCHOZI pres fxp0
- teda stejne jako mimo-jail?! (takze nejde odlisit - pokud natuju - jestli ODCHOZI spojeni pochazi z jailu nebo z ne-jailu?!)
Takze fakt asi tomu fungovani network stacku nerozumim a proste je to takhle...
Sorry za dlouhej mail, fakt me to dostalo :)
Kazdopadne diky za pripadne jakykoli reakce a potvrzeni tohodle chovani z vasi strany,
zajimalo by me, proc to funguje takhle divne!
mejte se
Mirek
P.S. jeste posledni doplneni - kdyz vypnu natovani, tak tcpdump odchyti na fxp0 spravne IP adresu jailu:
22:28:13.781048 IP 10.0.1.2.59316 > hb-in-f99.1e100.net.http: S 863008844:863008844(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 5534975 0>
a na lo1 porad nic :)
More information about the Users-l
mailing list