From owner-freebsd-questions@FreeBSD.ORG Thu Feb 6 15:28:29 2014
Message-ID: <52F3A8B7.3000608@ohlste.in>
Date: Thu, 06 Feb 2014 10:22:31 -0500
From: Jim Ohlstein
To: Tyler Saylor
Cc: freebsd-questions@freebsd.org
Subject: Re: pf and jails
List-Id: User questions

Hello,

On 2/6/14, 9:34 AM, Tyler Saylor wrote:
> Hello,
>
> I'm running FreeBSD 10-RELEASE on i386. I have set up a few jails for
> services such as httpd and postfix using ezjail. The host has one physical
> ethernet interface and I have five routable IPv4 addresses; of the five,
> four are assigned to a jail and one is assigned to the host. I have a jail
> for mysql that is set up to use a clone of lo and the address "10.1.1.1".
> I'm also using pf to filter traffic to each service on the host.
>
> My question is this: how do I make it so that the other jails that are
> bound to routable addresses are able to interact with the jail on 10.1.1.1?
> Is there some magic pf voodoo I'm not understanding, or some mental
> deficiency I'm just now being made aware of? I've included my pf.conf and
> an illustration.
>
> Thanks for any help,
> //Tyler Saylor
>
> For illustration:
>
> Each pipe represents a real, routable IPv4 address assigned to the
> respective jail. The star represents the private address of the jail I'd
> like to be accessible from the others.
>
> em0--|--|--|--|--|   lo1--*
>      |  |  |  |  |        |
>    host www irc mail svn  mysql
>
> pf.conf
>
> http://pastebin.ca/2630464

Assuming all of your jails are on the same loopback clone, and assuming you
have not set "skip-networking" in your my.cnf, they should be able to talk to
one another using the IP of the jail in question. Have you tried telnet?

# telnet 10.1.1.1 3306

That should give a result like:

Trying 10.1.1.1...
Connected to 10.1.1.1.
Escape character is '^]'.
N
...

In your app, you'll probably need to set the "database host" or similar to
the jail IP (10.1.1.1 in this case) rather than to "localhost".

-- 
Jim Ohlstein

"Never argue with a fool, onlookers may not be able to tell the difference."
- Mark Twain
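The following pf.conf is an added example written for this thread; it is not
the pastebin ruleset Tyler posted and not anything Jim wrote. It implements
the topology from the question (host plus four jails on em0, a MySQL jail on
lo1 at 10.1.1.1) with a least-privilege policy: only the jails that need the
database can reach it, only on TCP 3306, and 10.1.1.1 is never accepted on the
external interface. The routable addresses (RFC 5737 documentation space), the
choice of which jails are database clients, and the irc/svn service ports are
assumptions; replace them with the real values.

```pf
# Added example for the "pf and jails" thread, not the poster's pf.conf.
# Topology from the question: em0 carries the host address and four jail
# addresses; the MySQL jail lives on lo1 at 10.1.1.1.
# Placeholder addresses (RFC 5737); substitute the real ones.
ext_if    = "em0"
host_ip   = "192.0.2.10"
jail_www  = "192.0.2.11"
jail_irc  = "192.0.2.12"
jail_mail = "192.0.2.13"
jail_svn  = "192.0.2.14"
mysql_ip  = "10.1.1.1"

# Assumption: only these jails need the database. Keep the list minimal.
table <mysql_clients> { $jail_www, $jail_mail, $jail_svn }

set block-policy return
# Deliberately no "set skip on lo": traffic between two local addresses
# (jail -> MySQL jail) is delivered over the loopback path, so skipping
# loopback would exempt the MySQL rules below from filtering. Confirm on
# your own host with: route -n get 10.1.1.1 ; tcpdump -ni lo0 port 3306

# Default deny; anything not explicitly passed below is logged and refused.
block log all

# 10.1.1.1 is private and must never appear on the wire: drop anything on
# the external interface addressed to, or claiming to come from, the MySQL jail.
block drop in quick on $ext_if from any to $mysql_ip
block drop in quick on $ext_if from $mysql_ip to any

# Jail-to-MySQL: listed clients only, TCP 3306 only. No interface is named,
# so the rule matches on whichever interface the kernel delivers the local
# traffic; the state entry covers the replies.
pass quick proto tcp from <mysql_clients> to $mysql_ip port 3306 keep state

# Everything else aimed at the MySQL jail (other jails, the host) is refused.
block return quick to $mysql_ip

# Public services, one rule per address so exposure stays explicit.
# irc (6667) and svn (3690) ports are assumptions.
pass in on $ext_if proto tcp to $host_ip   port 22 keep state
pass in on $ext_if proto tcp to $jail_www  port { 80, 443 } keep state
pass in on $ext_if proto tcp to $jail_irc  port 6667 keep state
pass in on $ext_if proto tcp to $jail_mail port { 25, 587 } keep state
pass in on $ext_if proto tcp to $jail_svn  port 3690 keep state
pass out on $ext_if keep state
```

Check the syntax before loading (`pfctl -nf /etc/pf.conf`), load it
(`pfctl -f /etc/pf.conf`), then test from a client jail and from a jail that
is not in the table, e.g. `jexec www nc -zv 10.1.1.1 3306` versus
`jexec irc nc -zv 10.1.1.1 3306` (jail names assumed); the first should
connect and the second should be refused. `pfctl -ss` shows the resulting
state entry and `pfctl -vsr` shows which rule matched. On the MySQL side the
daemon must actually listen on the jail address: `skip-networking` unset, as
Jim says, and `bind-address = 10.1.1.1` in my.cnf if it is currently bound to
127.0.0.1.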