
I have a FreeBSD DigitalOcean droplet in which I followed this guide exactly for setting up a jail. The problem is I cannot get reliable network connectivity inside the jail. Doing curl https://www.google.com/ I get a ~1 minute delay when trying to connect to the server:

curl failure

After the second asterisk the connection was established very, very quickly. With ping I get 100% packet loss, and occasionally I cannot resolve hostnames. It won't work during one command, but then it will after a short delay before I try the next.

I tried ssh -T git@github.com to see if SSH works reliably and I seem to be able to always get a connection (when hostname lookup works).

I only have these issues in the jail, not on the host.

Lander

2 Answers

0

Well, you can't ping from a jail unless you allow it specifically. This is so by default because it triggers security problems. You can allow a jail to ping, but you should only do this if you really don't have any other solution. More about it there.

Now, instead of using ping, you could use host to check if the network connection is fine:

# host google.com

As for the curl question: in pf.conf, you should enable tcp and udp in and out for port http (and maybe https too, if you need it) but also enable udp for port dns. Something like:

pass in on $ext_if proto { tcp, udp } from any to $ext_if port $webports
pass out on $ext_if proto { tcp, udp } from $ext_if to any port $webports

pass out on $ext_if proto udp from $ext_if to any port $dns_port

Where you should have defined webports and dns_port to fit your needs.

Also, when you followed the guide, you made a copy of your host's /etc/resolv.conf. Maybe check what's in it, depending on your host's configuration in some cases it may not work in jails.

PS: as for the gethostbyname failure, it's written in your title but not mentioned in your post. This could relate to /etc/hosts configuration, but can't say more.

zezollo
  • Sorry, I should have followed up with this post. It's apparently a networking issue with DigitalOcean. Some others on Twitter reported the same issue. I used the same exact setup on AWS and everything worked 100% fine. – Lander Feb 29 '16 at 21:09
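A complete pf.conf fragment that fills in the macros the answer above leaves to the reader, as an added example (not code from the answer or from the guide). The interface name and the jail address are assumptions; change them to match the host.

```pf
# Added example, not from the answer or the guide. Interface name and
# jail address are assumptions: the jail is taken to be an alias on $ext_if.
ext_if   = "vtnet0"                  # assumed droplet NIC
jail_ip  = "192.0.2.10"              # assumed jail address (documentation range)
webports = "{ http, https }"         # 80 and 443, names from /etc/services
dns_port = "domain"                  # 53

# Host-internal traffic is not filtered.
set skip on lo0

# Default deny in both directions, so only the rules below open anything.
block log all

# Host and jail may be reached on the web ports and may connect out to them.
# HTTP and HTTPS are TCP; the answer's udp is only needed if you serve HTTP/3.
# pf keeps state on pass rules by default, so replies need no extra rule.
pass in  on $ext_if proto tcp from any to { $ext_if, $jail_ip } port $webports
pass out on $ext_if proto tcp from { $ext_if, $jail_ip } to any port $webports

# Resolver traffic. DNS retries over TCP when a UDP reply is truncated,
# so a UDP-only rule makes lookups of large answers fail intermittently.
pass out on $ext_if proto { udp, tcp } from { $ext_if, $jail_ip } to any port $dns_port

# Echo requests from the host only; the jail stays unable to ping, as the
# answer recommends. The stateful entry lets the echo reply back in.
pass out on $ext_if inet proto icmp from $ext_if icmp-type echoreq
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax before `pfctl -f /etc/pf.conf` puts it into effect.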
0

The issue lies somewhere in DigitalOcean's networking. Some others on Twitter reported the same issue and migrating to AWS with the same exact setup works 100% fine.

Lander