Re: Configuring JAIL to bind on lo0 interface
From: Marton Kenyeres (mkenyeres_at_konvergencia.hu)
To: security@FreeBSD.org Date: Fri, 19 Dec 2003 19:20:39 +0100
On Friday 19 December 2003 17.47, GiZmen wrote:
> > > Can anybody help me with that problem. For now i set it up on external
> > > IP and everythig is okej. But i want to have this jail on diffrent
> > > iface that is not an external iface and is set for example on
> > > 127.0.0.10.
> > You should probably use a real ip for jail, not from 127.0.0.0/8.
> So there is no chance to set it up on 127.0.0.0/8 and have access to
> internet ? I wanted to have some daemons listenig on aliased IP on lo0
> iface. And then set up few rules on firewall to forward traffic from
> external IP to those ip on lo0 interface.
You need to nat and reverse-nat between the external and loopback interface,
something along the lines:
#allow the outside word to connect to named running in the jail
rdr fxp0 x.x.x.x/32 port 53 -> 127.0.0.53 port 1053 tcp/udp
#allow named to talk to the outside word
map fxp0 127.0.0.53/32 -> x.x.x.x/32
Change fxp0 to your network interface, x.x.x.x to your real ip.
If you wan't to use the name server only from your local machine, you don't
need the first rule.
Note that I like to run named as an unpriviledged user (a little more
paranoia :) and let it bound to a high-port (1053 in this case), but that's
not strictly necessary. Consult named.conf(5) and su(1) on how to do this.
Remember: in the case of ipf/ipnat nat-ing hapens _before_ packet filtering,
so allow rules will look something along the lines of:
pass in quick on fxp0 proto tcp from any to 127.0.0.53 port = 1053 flags S
pass in quick on fxp0 proto udp from any to 127.0.0.53 port = 1053 keep state
That might look a bit strange at first, but if you get the nat-ing right, it's
OK. (Someone please correct me ASAP, if it isn't :)
-- Marton Kenyeres - email@example.com KVG Konvergencia Kft. _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "email@example.com"