Hello,
I am trying to get knot-2.3.1 (compiled from ports) running in a jail on FreeBSD 11.
The problem is that knot does not answer on the UDP port, even when I try it
directly from within the jail.
Other ports, e.g. smtp, work directly from the jail, so maybe it is just some
configuration error.
knot-2.3.1
I have tried all of the following:
* netcat from the jail to the same jail, udp port 53 - works
* netcat from the host into the jail, udp 53 - works
* netcat from another host to the host where the jail runs, udp 53 - works
This is what happens directly from the jail, and also from another host:
# kdig
liguros.net aaaa @ns1.liguros.net
;; WARNING: response timeout for 2001:470:cadd:1::5@53(UDP)
;; WARNING: response timeout for 5.135.156.9@53(UDP)
;; WARNING: response timeout for 2001:470:cadd:1::5@53(UDP)
;; WARNING: response timeout for 5.135.156.9@53(UDP)
;; WARNING: response timeout for 2001:470:cadd:1::5@53(UDP)
;; WARNING: response timeout for 5.135.156.9@53(UDP)
;; WARNING: failed to query server ns1.liguros.net@53(UDP)
This is what I see in pfctl -s states
all udp 2001:470:cadd:1::5[53] <- 2001:470:cadd:2::53[60288]       NO_TRAFFIC:SINGLE
all udp 2001:470:cadd:1::5[53] <- 2001:470:cadd:2::53[40209]       NO_TRAFFIC:SINGLE
relevant rules
pass in inet6 proto tcp from any to 2001:470:cadd:1::5 port = domain flags S/SA keep state
pass in inet6 proto udp from any to 2001:470:cadd:1::5 port = domain keep state
the rdr rules to the jail's IPv4 address are also set up like this:
rdr pass on em0 inet proto tcp from any to any port = domain -> 10.0.0.5
rdr pass on em0 inet proto udp from any to any port = domain -> 10.0.0.5
rdr pass on lo1 inet proto tcp from any to any port = domain -> 10.0.0.5
rdr pass on lo1 inet proto udp from any to any port = domain -> 10.0.0.5
although I don't think pf is to blame, because I can "get into" the jail
with netcat, for example
ns jail:
ns:/usr/ports/dns/knot2@[22:44] # sockstat
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root knotd 1650 7 dgram -> /var/run/logpriv
root knotd 1650 8 udp4 10.0.0.5:53 *:*
root knotd 1650 9 tcp4 10.0.0.5:53 *:*
root knotd 1650 10 udp6 2001:470:cadd:1::5:53 *:*
root knotd 1650 11 tcp6 2001:470:cadd:1::5:53 *:*
root knotd 1650 15 stream /var/run/knot/knot.sock
Please advise me on how to debug this further.
Many thanks in advance.
Pavol
###############################################
English follows
###############################################
I am trying to get knot 2.3.1 (from ports) working in a jail, but I am
unable to connect to the udp port even when trying directly from the jail.
Using netcat from within the jail and also from other machines gets through
into the jail. I don't think it is pf's fault.
How can I debug this a bit more?
Thank you for your help
Pavol
--
Email encryption for everyone via @fsf
https://u.fsf.org/zb
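The netcat checks above only prove that a UDP datagram reaches the jail; the pf NO_TRAFFIC:SINGLE states show the query arriving and nothing coming back. A minimal raw-UDP DNS probe that separates "no answer at all" (timeout), "nothing bound" (ICMP port unreachable) and an actual DNS reply with its rcode is a useful next step. This is an added example, not code from the post or from Knot; the server address, name and 2-second timeout are assumptions, and the response bytes used for checking are constructed.

```python
import socket
import struct
import secrets
from typing import Optional

def build_query(name: str, qtype: int = 28, qid: Optional[int] = None) -> bytes:
    """Build a one-question DNS query; qtype 28 = AAAA as in the kdig run above."""
    qid = secrets.randbits(16) if qid is None else qid
    # id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header of a response."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),      # must be 1 in a response
        "aa": bool(flags & 0x0400),      # authoritative answer
        "rcode": flags & 0x000F,         # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }

def probe(server: str, name: str, qtype: int = 28, timeout: float = 2.0) -> str:
    """Send one UDP query to server:53 and classify what comes back."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query = build_query(name, qtype)
    qid = struct.unpack("!H", query[:2])[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout: query sent, no reply (matches the NO_TRAFFIC pf state)"
        except ConnectionRefusedError:
            return "refused: ICMP port unreachable, nothing bound on udp/53"
    hdr = parse_header(data)
    if hdr["id"] != qid or not hdr["qr"]:
        return "garbage: reply id/flags do not match our query"
    return f"response: rcode={hdr['rcode']} aa={hdr['aa']} answers={hdr['ancount']}"

if __name__ == "__main__":
    # Assumed addresses from the sockstat output; run inside the jail and from the host.
    for srv in ("10.0.0.5", "2001:470:cadd:1::5"):
        print(srv, "->", probe(srv, "liguros.net"))
```

Running it with `tcpdump -ni lo1 udp port 53` open on the host at the same time shows whether knotd sees the datagram and simply never answers, or whether the reply leaves the jail and is dropped on the way back.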