From: "Matthew Law" <matt@webcontracts.co.uk>
To: "Ivan Voras"
Cc: freebsd-questions@freebsd.org
Date: Mon, 18 Oct 2010 21:57:55 +0100
Subject: Re: Jail question
Message-ID: <903641d568b60e1b082b793cf1134f7d.squirrel@www.webcontracts.co.uk>
List: freebsd-questions@freebsd.org (User questions)

On Fri, October 15, 2010 2:54 pm, Ivan Voras wrote:
> Since jails can do many things there are many "helper" utilities that
> can do much to simplify the process. If you can hack Python, you can,
> for example, modify my script at
> http://ivoras.sharanet.org/stuff/mkjails.py which I've used to create a
> thousand very light-weight jails which are started and managed using
> only standard FreeBSD tools.
>
> In any case, read the rc.conf(5) man page for the jail_* settings.
[snip]

> This is the more complex question; I think that everything which needs
> direct access to the NIC (i.e. BPF, DHCP, IPFW, etc.) will need to be
> run on the host system. TCP services will work inside jails without
> problems, but with jails it's almost the same as if they were on another
> system. If you do use NAT you will have to configure it on the host.
> Instead, you can also use TCP proxies (like bsdproxy). It's up to you
> how much complexity you want in your system, but for simplicity I
> would set up a single outward-facing IP address and then proxy TCP
> services where I need them.

Thanks for the helpful replies. I am experimenting with some ideas on a VM now. It certainly does seem more logical to have the firewall, VPN and NAT rules in the base system and everything else jailed.

I can just about get by with Python, and your script looks like it could be of use - thanks for sharing it.

Matt.
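The layout Ivan describes and Matt says he is trying (firewall and NAT on the host, everything else in jails on a single outward-facing address) can be expressed with the rc.conf(5) jail_* variables and a pf.conf(5) fragment. The script below is an added example written for this page; it is not from either post and is not Ivan's mkjails.py. The jail names, private addresses, the public address 203.0.113.10, the interface names em0 and lo1, the jail root /usr/jails and the example.org hostnames are assumptions for illustration. The jail_* variables are those read by rc.d/jail on the FreeBSD releases current at the time of the thread (8.x); later releases moved this configuration to jail.conf(5). Each jail holds only a private alias on the cloned loopback lo1, so nothing inside a jail is reachable from the network except the ports the host explicitly redirects.

```shell
#!/bin/sh
# Added example (not from the thread, and not Ivan Voras's mkjails.py):
# generate the rc.conf(5) jail_* entries for a set of light-weight jails
# on private addresses behind one outward-facing IP, plus the matching
# pf.conf(5) NAT/rdr fragment for the host. All names, addresses and
# paths below are assumptions made for illustration.

# Constructed inventory: name:jail_ip:host_port:jail_port
# (empty ports = internal-only jail, nothing published on the host).
JAILS="www:10.0.0.10:80:80
mail:10.0.0.11:25:25
db:10.0.0.12::"

EXT_IF="em0"             # assumed outward-facing NIC
EXT_IP="203.0.113.10"    # assumed public address (documentation range)
JAIL_IF="lo1"            # cloned loopback that carries the jail aliases
JAIL_NET="10.0.0.0/24"   # private range the jail aliases live in
JAIL_ROOT="/usr/jails"   # assumed parent directory of the jail roots

# Split one inventory entry into name, ip, hostport and jailport.
split_entry() {
    name=${1%%:*}; rest=${1#*:}
    ip=${rest%%:*}; rest=${rest#*:}
    hostport=${rest%%:*}; jailport=${rest#*:}
}

# rc.conf(5) fragment: the jail_* variables rc.d/jail reads on FreeBSD 8.x.
gen_rc_conf() {
    names=""
    for entry in $JAILS; do
        split_entry "$entry"
        names="$names${names:+ }$name"
    done
    printf 'gateway_enable="YES"\n'               # IP forwarding, needed for NAT
    printf 'pf_enable="YES"\n'
    printf 'cloned_interfaces="%s"\n' "$JAIL_IF"  # rc.d/jail adds the aliases here
    printf 'jail_enable="YES"\n'
    printf 'jail_list="%s"\n' "$names"
    for entry in $JAILS; do
        split_entry "$entry"
        printf 'jail_%s_rootdir="%s/%s"\n' "$name" "$JAIL_ROOT" "$name"
        printf 'jail_%s_hostname="%s.example.org"\n' "$name" "$name"
        printf 'jail_%s_interface="%s"\n' "$name" "$JAIL_IF"
        printf 'jail_%s_ip="%s"\n' "$name" "$ip"
        printf 'jail_%s_devfs_enable="YES"\n' "$name"
        printf 'jail_%s_devfs_ruleset="devfsrules_jail"\n' "$name"
    done
}

# pf.conf(5) fragment for the host: default-deny inbound, outbound NAT for
# the whole jail range, and one rdr+pass pair per published service. The
# jails never hold the public address, so only redirected ports are exposed.
gen_pf_conf() {
    printf 'ext_if = "%s"\n' "$EXT_IF"
    printf 'jail_net = "%s"\n' "$JAIL_NET"
    printf 'set skip on lo0\n'
    printf 'scrub in all\n'
    printf 'nat on $ext_if from $jail_net to any -> ($ext_if)\n'
    for entry in $JAILS; do
        split_entry "$entry"
        [ -n "$hostport" ] || continue
        printf 'rdr on $ext_if proto tcp from any to %s port %s -> %s port %s\n' \
            "$EXT_IP" "$hostport" "$ip" "$jailport"
    done
    printf 'block in log all\n'
    printf 'pass out on $ext_if keep state\n'
    printf 'pass in on $ext_if proto tcp to ($ext_if) port 22 keep state\n'  # host ssh
    for entry in $JAILS; do
        split_entry "$entry"
        [ -n "$hostport" ] || continue
        # Filter rules see the post-rdr destination, so pass to the jail ip/port.
        printf 'pass in on $ext_if proto tcp to %s port %s keep state\n' "$ip" "$jailport"
    done
}

# Usage: sh gen-jails.sh rc > rc.conf.jails ; sh gen-jails.sh pf > pf.conf.jails
# Review the output, then merge it into /etc/rc.conf and /etc/pf.conf.
case "${1:-all}" in
    rc)  gen_rc_conf ;;
    pf)  gen_pf_conf ;;
    all) gen_rc_conf; echo; gen_pf_conf ;;
esac
```

The db jail has no published port, so it gets a rc.conf entry but no rdr or pass rule: it can make outbound connections through the NAT rule and can be reached from the other jails over lo1, but not from the outside. Adding a service means adding one inventory line and regenerating, which keeps the firewall on the host as the single place where exposure is decided.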