Re: Configuring JAIL to bind on lo0 interface

From: zk (zk_at_wspim.edu.pl)
Date: 12/21/03

Next message: Dmitry Frolov: "Re: interface bonding"

Previous message: Richard Bejtlich: "Re: interface bonding"
In reply to: GiZmen: "Re: Configuring JAIL to bind on lo0 interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 21 Dec 2003 21:05:19 +0100
To: freebsd-security@freebsd.org

On Sat, Dec 20, 2003 at 02:42:31AM +0100, GiZmen wrote:
> > As i understood your problem you need addition alias on lo0 interface
> > for gateway ip purpose. So you have lo0 interface and lo0_alias0
> > 192.168.1.1 as default gateway for jails. And now you create new jails'
> > ip as aliases on lo0 iface.
> >
> > For example:
> >
> > no jail, only gateway - lo0_alias0 192.168.1.1/24
> >
> > jail1 - lo0_alias1 192.168.1.2/24 - hostname jail1.domain.com
> > in this jail set default gateway to 192.168.1.1
> >
> > jail2 - lo0_alias2 192.168.1.3/24 - hostname jail2.domain.com
> > in this jail set default gateway to 192.168.1.1 also
> >
> > Your host machine have to be gateway enabled.
> >
> > Now if you want to switch on internet access from jail1 you only need to
> > add nat rule to translate jail1's ip to the host primary ip.
> >
> > Alesha.
>
> I dont know how can it work? AFAIK in jail i cant change the default
> gateway.
>

Don't set default gateways in jails.
You can use something like this

ipfw add <no> divert natd all from any to any via <external_iface>
(...) -- rules to allow nated packets

to pass packets from jails.
To allow traffic from outside to your server on private address you can try:

ipfw add <no> fwd <server_addr> <protocol> from any to
<external_iface_addr> <port_no> in recv <external_iface>

or ipfw divert with another natd process.

It's possible to configure lo1, lo2 ... interfaces with diffrent addreses
(with pseudo-device loop <no> in kernel config file).
I've described FreeBSD 4.x.

zk
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Next message: Dmitry Frolov: "Re: interface bonding"

Previous message: Richard Bejtlich: "Re: interface bonding"
In reply to: GiZmen: "Re: Configuring JAIL to bind on lo0 interface"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]