Monthly Archives: April 2021

VNET Jail HowTo Part 2: Networking

As always, Dan has been tweeting about VNET Jail issues, which means it’s time for another VNET Jail post.

This post assumes that you’ve read the original post on VNET Jail HowTo.

In Part two we will discuss Networking.

We will use PF as a firewall to do things like NAT.

If you need more help please check the FreeBSD Handbook: Chapter – Firewalls or send me an email/tweet.

At this point (from the last post) we were able to ping from the Jail to the Host.

root@www:/ # ping -c 1
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=0.087 ms

--- ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.087/0.087/0.087/0.000 ms

Now we will set up PF on the host by adding the following to /etc/pf.conf. $ext_if and $jailnet are macros for the external interface and the jail network; define them at the top of the file. Note that pf expects options such as set skip to come before the nat rule, and the nat rule before the pass rules:

set   skip on { lo0, bridge0 }

nat pass on $ext_if inet from $jailnet to any -> ($ext_if)

pass  inet proto icmp
pass  out all keep state

We also need to enable IP Forwarding in the kernel

Add the following to /etc/sysctl.conf


And now execute

sysctl -f /etc/sysctl.conf
service pf restart

That should be it. Your Jail should now be able to ping the outside world:
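To tie the steps above together, here is an added example (not code from the original post) that renders the pf.conf with its two macros filled in and sanity-checks the result before it is loaded. The external interface em0 and the jail network 10.0.0.0/24 in the usage comment are assumptions; substitute the host's own values. The ordering check is an offline approximation of what pfctl -nf enforces, so it also runs on a machine without pf.

```shell
#!/bin/sh
# Added example, not from the original post: render the host-side pf.conf for
# the jail NAT setup and check it before loading. em0 and 10.0.0.0/24 in the
# usage comment at the bottom are hypothetical values.

# Print a complete pf.conf. pf loads sections in a fixed order (options,
# normalization, queueing, translation, filtering), so "set" comes first,
# then "nat", then the "pass" rules.
render_pf_conf() {
    ext_if=$1
    jailnet=$2
    cat <<EOF
ext_if="$ext_if"
jailnet="$jailnet"

set skip on { lo0, bridge0 }

nat pass on \$ext_if inet from \$jailnet to any -> (\$ext_if)

pass inet proto icmp
pass out all keep state
EOF
}

# Offline ordering check (reads a pf.conf on stdin): returns 0 when every
# "set" precedes every nat/rdr/binat rule, and those precede every pass/block
# rule. A cheap pre-check, not a substitute for pfctl -nf.
check_rule_order() {
    awk '
        { r = 0 }
        /^[ \t]*set[ \t]/             { r = 1 }
        /^[ \t]*(nat|rdr|binat)[ \t]/ { r = 2 }
        /^[ \t]*(pass|block)[ \t]/    { r = 3 }
        r > 0 { if (r < last) bad = 1; last = r }
        END { exit (bad ? 1 : 0) }
    '
}

# Full validation: syntax check with pfctl when it is available (FreeBSD),
# otherwise fall back to the ordering check so the script still runs elsewhere.
validate_pf_conf() {
    file=$1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$file"
    else
        check_rule_order <"$file"
    fi
}

# True when the kernel forwards IPv4, which the NAT rule depends on.
# net.inet.ip.forwarding is the FreeBSD sysctl behind the "IP Forwarding"
# step; on hosts without it the function simply returns false.
forwarding_enabled() {
    sysctl -n net.inet.ip.forwarding 2>/dev/null | grep -qx 1
}

# usage on the host (hypothetical interface and jail network):
#   render_pf_conf em0 10.0.0.0/24 >/etc/pf.conf
#   validate_pf_conf /etc/pf.conf && service pf restart
#   forwarding_enabled || echo "set net.inet.ip.forwarding=1 in /etc/sysctl.conf"
```

validate_pf_conf() prefers the real parser when pfctl exists; the awk fallback only catches the section-order mistake, which is the one most likely to slip in when a macro line is added above or below the nat rule.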

root@zvartnots:~ # jexec -l www
You have mail.
root@www:~ # ping -c 1
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=61 time=2.566 ms

--- ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.566/2.566/2.566/0.000 ms
root@www:~ # 

If you set up a resolver, you should also be able to ping domain names.

root@www:~ # echo 'nameserver' > /etc/resolv.conf 
root@www:~ # ping -c 1
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=53 time=133.851 ms

--- ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 133.851/133.851/133.851/0.000 ms

Now for a more complicated setup, one that assumes no firewall and multiple IP addresses, where each Jail has its own IP address. I have a similar setup at home: my ZNC server Jail has its own IP address because the physical NIC is connected to the same bridge as the ZNC Jail.

In my rc.conf on the host

ifconfig_em0="inet netmask"

ifconfig_bridge0="addm em0"

Here’s an example with jail.conf

znc {
	$id		= "52";
	$addr		= "";
	$mask		= "";
	$gw		= "";
	vnet.interface	= "epair${id}b";

	exec.prestart	= "ifconfig epair${id} create up";
	exec.prestart	+= "ifconfig epair${id}a up descr vnet-${name}";
	exec.prestart	+= "ifconfig bridge0 addm epair${id}a up";

	exec.start	= "/sbin/ifconfig lo0 up";
	exec.start	+= "/sbin/ifconfig epair${id}b ${addr} netmask ${mask} up";
	exec.start	+= "/sbin/route add default ${gw}";
	exec.start	+= "/bin/sh /etc/rc";

	exec.poststop	= "ifconfig bridge0 deletem epair${id}a";
	exec.poststop	+= "ifconfig epair${id}a destroy";

	host.hostname	= "${name}";
	path		= "/usr/local/jails/${name}";
	exec.consolelog	= "/var/log/jail-${name}.log";
}
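One thing that bites with this pattern is a typo in the addresses: exec.start runs route add default ${gw} inside the jail, and a gateway that is not on the jail's subnet makes that command fail. The script below is an added example, not code from the original post: it renders the jail.conf entry above from the jail name, id and addresses, and checks the inputs first (numeric id, dotted-quad syntax, gateway inside the subnet). The 192.0.2.x addresses in the test are documentation-range placeholders, not the author's; bridge0 and the epair${id} naming follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate a jail.conf entry for a
# bridged VNET jail with its own address and validate the inputs first.

# dotted-quad IPv4 check: exactly four octets, each 0-255
is_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# true when gateway $2 lies in the same subnet as address $1 under mask $3;
# otherwise "route add default" in exec.start fails inside the jail
same_subnet() {
    a=$1; g=$2; m=$3
    old_ifs=$IFS; IFS=.
    set -- $a; a1=$1; a2=$2; a3=$3; a4=$4
    set -- $g; g1=$1; g2=$2; g3=$3; g4=$4
    set -- $m; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$old_ifs
    [ $((a1 & m1)) -eq $((g1 & m1)) ] && [ $((a2 & m2)) -eq $((g2 & m2)) ] &&
    [ $((a3 & m3)) -eq $((g3 & m3)) ] && [ $((a4 & m4)) -eq $((g4 & m4)) ]
}

# render the jail.conf block for <name> <id> <addr> <mask> <gw>;
# prints nothing and returns 1 when any input is invalid
render_jail_conf() {
    name=$1; id=$2; addr=$3; mask=$4; gw=$5
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad jail name: $name" >&2; return 1 ;; esac
    case "$id" in ''|*[!0-9]*) echo "jail id must be numeric: $id" >&2; return 1 ;; esac
    for ip in "$addr" "$mask" "$gw"; do
        is_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    same_subnet "$addr" "$gw" "$mask" ||
        { echo "gateway $gw is not in the subnet of $addr/$mask" >&2; return 1; }
    # the \${...} forms are left for jail(8) to expand, as in the post
    cat <<EOF
$name {
    \$id            = "$id";
    \$addr          = "$addr";
    \$mask          = "$mask";
    \$gw            = "$gw";
    vnet.interface  = "epair\${id}b";

    exec.prestart   = "ifconfig epair\${id} create up";
    exec.prestart  += "ifconfig epair\${id}a up descr vnet-\${name}";
    exec.prestart  += "ifconfig bridge0 addm epair\${id}a up";

    exec.start      = "/sbin/ifconfig lo0 up";
    exec.start     += "/sbin/ifconfig epair\${id}b \${addr} netmask \${mask} up";
    exec.start     += "/sbin/route add default \${gw}";
    exec.start     += "/bin/sh /etc/rc";

    exec.poststop   = "ifconfig bridge0 deletem epair\${id}a";
    exec.poststop  += "ifconfig epair\${id}a destroy";

    host.hostname   = "\${name}";
    path            = "/usr/local/jails/\${name}";
    exec.consolelog = "/var/log/jail-\${name}.log";
}
EOF
}

# usage (placeholder addresses): render_jail_conf znc 52 192.0.2.10 255.255.255.0 192.0.2.1 >>/etc/jail.conf
```

Because the generator refuses bad input before writing anything, a failed check leaves /etc/jail.conf untouched instead of leaving a half-configured jail and a stale epair on the bridge.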

And that’s pretty much it!

That’s all folks.

Migrating home-servers

As I have mentioned before, I want to blog more, so here it goes.

I’ve been struggling financially lately; with COVID and then the war, I’ve thrown away almost all of my savings. One of the decisions that I had to make was moving back to my old place. No one lives here anymore, since my parents got their own house, which means I can live alone, with freedom and rent-free.

That meant I need to move home servers again. Yes, I’ve always been a home server fan. This blog runs on my home server as well.

While many people argue that running a home server is a complex process compared to the cloud, since you need to pay for electricity and manage hardware, I feel that’s a myth.

My current uptime is

ssh pingvinashen uptime
1:59PM up 48 days, 42 mins, 2 users, load averages: 0.15, 0.18, 0.21

And I only needed to reboot because I had to upgrade, since I’m a fan of upgrading whenever there’s a patch to some critical software 🙂

One of the advantages of running a home server in Armenia is the fact that electricity is cheap, so are static IP addresses. I pay 2USD/mo for each IP address and I have many of them.

Usually, I have one static IP per service (Jabber, ZNC, etc.) and one static IP for all web-oriented services such as blogs, websites, etc.

However, norayr also runs a home server for the community: he runs the Armenian instance of Diaspora*, Mastodon, and SocialHome.

Due to technical limitations at his side of the city, he’s been keeping his home server at my place.

Vartanian LLC, Home-Server as a Service 😛

Anyways, I had to bring his home server to my new/old place as well, which meant that he needed a static IP for his services.

I did not want to call the ISP for a new IP address since the last one I’ve been using was for an Armenian instance of that I deployed for our community. It’s not very active, but you can’t force people to be active in communities and Armenia does not have the concept of “tech communities” like others do in the west.

That meant that I have to remove an IP from a Jail so norayr can use it.

So I had to migrate some things. I had to use my proxy server IP address and reverse-proxy the traffic to the lobsters’ Jail.

Sounds easy, until I remembered that I run Apache on my host.

I’m not very fluent in Apache, I keep making mistakes, so I wanted to migrate all of my vhosts to Nginx.

You’d think that it would be easy, and yes it was 🙂

So now, norayr runs his home server and I have migrated the webserver to Nginx in an hour.

For some reason, it feels faster, but I’m still not sure why. I probably had to optimize Apache back in the day, but Nginx’s default configs do seem better.

Now, since many IP addresses have been changed, I have to struggle with SMTP issues. No, SMTP works fine, but Google, just like it keeps breaking the web, keeps breaking email as well, routing perfectly good emails to people’s spam folders, eh.

That’s all folks.

* not a footnote but part of the project name.

Blogging Regularly

Ruben blogged recently about blogging regularly and it kind of hit me: Why don’t I blog regularly?

I love blogging. I improved my Armenian by blogging for years, I wanted to be a blogger so bad that I asked my friends to rent me a domain and a hosting service since I didn’t have money when I moved to Armenia after the war.

But yet again, it’s very hard for me to write my thoughts in English. Armenian? Yes, sure, I can write a very complex sentence very easily. English, however, the language that I think in, the language that I grew up having a love-hate relationship with, is not the language that I’m good at writing. I can speak English very well, at least I’ve been told, but my writing is not there yet.

There are a lot of points that Ruben made that I would love to see become more mainstream. Use ANY blogging platform, literally any, as long as it doesn’t treat you as the product (Medium, for example). Write about anything, everything. I would love to hear about your daily life and how you solve problems, no matter if it’s about that very complex DB issue you’ve been having or the water pipe that has been leaking. They are all interesting.

At the end of the day the internet is the place that allowed everyone to speak. Now we are fighting over who gets to be heard.

But with blogs and RSS, everyone will be.

That’s all folks.