EZJAIL and ping on FreeBSD-11.
Grouchy Sysadmin
sysadmin at grouchysysadmin.com
Thu Feb 1 16:13:49 UTC 2018
On 02/01/2018 09:23 AM, James B. Byrne via freebsd-questions wrote:
> I have read the various 'howtos' respecting this issue and I cannot
> see where I have failed to properly follow the instructions. But
> clearly I have not done it right.
>
> I have setup a jail named hll124. it is configured and running. It
> can connect to the network and the Internet without issue. DNS
> resolution works fine using local_unbound.
>
> In /etc/sysctl.conf on the host I have this:
>
> # $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
> #
> # This file is read when going to multi-user and its contents piped thru
> # ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
> #
>
> # Uncomment this to prevent users from seeing information about processes that
> # are being run under another UID.
> #security.bsd.see_other_uids=0
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> security.bsd.unprivileged_read_msgbuf=0
> security.bsd.unprivileged_proc_debug=0
> security.bsd.stack_guard_page=1
>
> # Required for Chrome/Chromium
> kern.ipc.shm_allow_removed=1
>
> # Add to allow jails to create sockets - 2018-01-31 JBB
> security.jail.allow_raw_sockets=1
>
>
> The host system shows this:
>
> $ sudo sysctl security.jail.allow_raw_sockets
> security.jail.allow_raw_sockets: 1
>
>
> In the ezjail configuration file I have this:
>
> # Allow ping, traceroute and other things 2018-01-31 JBB
> export jail_hll124_allow_raw_sockets="YES"
>
>
> When I connect to the ezjail instance with ezjail-admin console and
> run ping then I see this:
>
> # ping 192.168.71.44
> ping: ssend socket: Operation not permitted
>
> What else am I missing?
>
You don't need to allow raw sockets globally. I'd leave it set as
"security.jail.allow_raw_sockets=0".
Then allow raw sockets on a per jail basis by changing the parameters in
the ezjail configuration. For example, add this to the
/usr/local/etc/ezjail/hll124 file.
export jail_hll124_parameters="allow.raw_sockets=1"
Stop the jail, and then start it for the setting to take effect.
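The posture described in this reply (host-wide knob off, allow.raw_sockets=1 only on the jails that need it) is easy to drift from, so here is an added audit script. It is not part of the thread and not ezjail's own tooling; it reads copies of sysctl.conf and the per-jail ezjail files rather than calling sysctl(8) or jls(8), so it runs offline. It assumes each ezjail config file is named after its jail (as ezjail-admin create does) and that the older jail_<name>_allow_raw_sockets="YES" form, which did nothing in the question above, should be ignored. The sample inputs at the bottom are constructed to mirror the thread.

```sh
#!/bin/sh
# Added example, not from the thread: audit how raw sockets are granted to jails.
# Recommended posture from the reply: security.jail.allow_raw_sockets=0 on the host,
# allow.raw_sockets=1 only in jail_<name>_parameters of jails that need ping/traceroute.

# Effective host-wide value from a sysctl.conf: the last uncommented assignment
# wins; if absent, the kernel default of 0 applies.
host_raw_sockets() {
    val=$(grep -E '^[[:space:]]*security\.jail\.allow_raw_sockets[[:space:]]*=' "$1" \
        | tail -n 1 | sed 's/.*=[[:space:]]*//' | tr -d '[:space:]')
    echo "${val:-0}"
}

# For one ezjail config file: prints "raw" if jail_<name>_parameters carries
# allow.raw_sockets=1, otherwise "none". The jail name is taken from the file
# name (assumption: file named after the jail). The legacy
# jail_<name>_allow_raw_sockets="YES" line is deliberately not honoured.
jail_raw_sockets() {
    name=$(basename "$1")
    if grep -E "^export jail_${name}_parameters=" "$1" \
        | grep -Eq '(^|[ "])allow\.raw_sockets=1([ "]|$)'; then
        echo raw
    else
        echo none
    fi
}

# One line per jail, plus a warning when the host-wide knob is on, since that
# silently grants raw sockets to every jail regardless of per-jail settings.
audit_raw_sockets() {
    sysctl_conf="$1"
    ezjail_dir="$2"
    if [ "$(host_raw_sockets "$sysctl_conf")" = 1 ]; then
        echo "WARN host-wide security.jail.allow_raw_sockets=1 (every jail gets raw sockets)"
    fi
    for f in "$ezjail_dir"/*; do
        [ -f "$f" ] || continue
        echo "$(basename "$f") $(jail_raw_sockets "$f")"
    done
}

# Constructed sample inputs (not real files from the thread): a host with the
# global knob enabled, one jail using the per-jail parameter, and one jail
# still using the legacy variable. Prints the temp directory it created.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/ezjail"
    printf '%s\n' '# constructed sysctl.conf' 'security.bsd.see_other_uids=0' \
        'security.jail.allow_raw_sockets=1' > "$d/sysctl.conf"
    printf '%s\n' 'export jail_hll124_hostname="hll124"' \
        'export jail_hll124_parameters="allow.raw_sockets=1"' > "$d/ezjail/hll124"
    printf '%s\n' 'export jail_web_hostname="web"' \
        'export jail_web_allow_raw_sockets="YES"' > "$d/ezjail/web"
    echo "$d"
}

# Run with --demo to audit the constructed sample; on a real host pass
# /etc/sysctl.conf and /usr/local/etc/ezjail to audit_raw_sockets instead.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    audit_raw_sockets "$d/sysctl.conf" "$d/ezjail"
    rm -r "$d"
fi
```

On the sample the script warns about the host-wide setting, reports hll124 as "raw" and web as "none"; the fix on the host is the one in the reply: drop the sysctl line and set allow.raw_sockets=1 in jail_<name>_parameters for each jail that actually needs it.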