Date:      Fri, 18 Jul 2008 13:44:08 -0700
From:      "David Allen" <the.real.david.allen@gmail.com>
To:        "Wojciech Puchar" <wojtek@wojtek.tensor.gdynia.pl>
Cc:        "Andrew D \(Webzone\)" <andrewd@webzone.net.au>, freebsd-questions@freebsd.org
Subject:   Re: quick question regarding jails.
Message-ID:  <2daa8b4e0807181344tbc82a6dx6f0240743a23c082@mail.gmail.com>
In-Reply-To: <20080718104622.D2365@wojtek.tensor.gdynia.pl>
References:  <48803F1E.7050302@webzone.net.au> <20080718104622.D2365@wojtek.tensor.gdynia.pl>

On Fri, Jul 18, 2008 at 1:46 AM, Wojciech Puchar
<wojtek@wojtek.tensor.gdynia.pl> wrote:
>>
>> Just wondering if a box has 2 Ethernet cards with each card going to a
>> different gateway/network, is it possible to stick a jail on the machine
>> listening on one network interface and routing data out one
>> card/network/gateway while the rest of the system uses the other port and
>> gateway/network.
>
> yes - no problem

For most values of "yes".  For others, the answer is "It depends."

Yes, you can configure daemons running on the host to bind to one
interface, and configure daemons running on the jail to bind to a
different interface.   However, host <-> jail communications occur over
loopback and "routing data" between the two, if that's the question being
asked, has its limitations.

I brought up this problem just recently.

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=407605+0+archive/2008/freebsd-questions/20080713.freebsd-questions

To sum up, if a jail host running at 10.0.0.1 connects to a jail running at
10.0.0.2, the traffic will occur over lo0, and BOTH endpoints of that
connection will use the jail (10.0.0.2) address.  To my mind, that can be
problematic.

You can modify the routing table so that a host -> jail connection exits
an actual interface (and uses that interface's IP address).  However, this
offers limited usefulness as you can't do the same on the jail side
(there's only one routing table to speak of), and return traffic won't be
seen on that interface.

The above applies irrespective of whether the jail host and the jail are
on the same or different network, or on the same or different NICs.

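As an added example, not from this thread or from the FreeBSD project: a small sh/awk check that scans `netstat -an -p tcp` output on the jail host for established connections where both endpoints carry the jail address, which is the symptom described above for host -> jail traffic over lo0. The sample output is constructed, and the column layout (local/foreign address as `host.port`, state in the last column) is assumed to match FreeBSD's netstat.

```shell
#!/bin/sh
# Constructed sample in the FreeBSD `netstat -an -p tcp` layout: host at
# 10.0.0.1, jail at 10.0.0.2. Not real output from any machine in the thread.
# The first two tcp4 lines are the two socket halves of one host -> jail
# connection; note that both ends show the jail address, not 10.0.0.1.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.0.0.2.22            10.0.0.2.51234         ESTABLISHED
tcp4       0      0 10.0.0.2.51234         10.0.0.2.22            ESTABLISHED
tcp4       0      0 10.0.0.1.22            192.168.1.5.40000      ESTABLISHED
tcp4       0      0 10.0.0.2.80            192.168.1.5.40001      ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN'

# jail_loop_conns JAIL_IP: read netstat lines on stdin and print one line
# ("local foreign") per ESTABLISHED TCP socket whose local and foreign host
# parts are both JAIL_IP. Such connections cannot be told apart from
# jail-internal traffic by address alone, which is the point made above.
jail_loop_conns() {
    awk -v jail="$1" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            # strip the trailing ".port" to keep only the host part
            lh = $4; sub(/\.[0-9]+$/, "", lh)
            fh = $5; sub(/\.[0-9]+$/, "", fh)
            if (lh == jail && fh == jail) print $4, $5
        }'
}

# count_jail_loop_conns JAIL_IP: number of such sockets (0 if none).
count_jail_loop_conns() {
    jail_loop_conns "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample; on a real jail host,
# replace the echo with: netstat -an -p tcp | jail_loop_conns 10.0.0.2
echo "$SAMPLE" | jail_loop_conns 10.0.0.2
```

On a real system, pipe the live `netstat -an -p tcp` output into `jail_loop_conns` with the jail's address to see whether a host-originated connection shows up with the jail address on both ends.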