From: Rob J
To: freebsd-net@freebsd.org
Date: Thu, 24 Apr 2014 18:23:17 -0500
Subject: vnet - using a jail as a default firewall gateway to internet

Hi,

I have been playing with vnet jails, and have a configuration working that I thought would not be (based on the docs out there), but it is.

I have a box with 3 NICs - hme0, em0 and em1.

Basically, with the assumption that the internet-facing gateway is potentially a weak point, I set out to configure a jail on the above box to be the gateway, rather than the physical host itself.

I recompiled the kernel with the VIMAGE option, and set up a jail that uses em0 (192.168.x.y) as the LAN side and hme0 (public IP a.b.c.d) as the ISP side. On the jail itself, its default route to the internet is public IP a.b.c.e (same network as interface hme0 above). Then I set the rest of my LAN to point to 192.168.x.y (interface em0 above) as the default gateway.

I have access to the internet with that configuration, routing through the jail (or at least I think so) - everything seems to work.

The two errors I get upon starting the jail are: "sysctl: net.inet.ip.sourceroute not permitted" and "sysctl: net.inet.ip.accept_sourceroute not permitted".

Anybody know what may be broken with my configuration? All the docs I read about having a jail route traffic seemed to imply it is undoable. Did I create a glaring hole in my network by having this design as my firewall and router?

I also noticed that the physical host is doing all the logging for dmesg and security, when I thought the jail would, but it is beginning to make sense that the kernel is only running on the physical host, and therefore does the logging of all kernel-related activities.

Any comments or suggestions welcome.

Thanks,
Robert
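A concrete version of the layout Robert describes, written as an added example rather than anything from his mail: a script that stages the host-side and jail-side configuration files into a directory you name, so the whole setup can be reviewed before being copied into place. The jail name `fwjail`, the path `/jails/fwjail`, and the addresses 192.168.1.1/24, 203.0.113.10/24 and upstream 203.0.113.1 (documentation-range placeholders standing in for his 192.168.x.y, a.b.c.d and a.b.c.e) are assumptions. The two sysctl OIDs his jail complains about, `net.inet.ip.sourceroute` and `net.inet.ip.accept_sourceroute`, are global kernel knobs rather than per-vnet ones, which is why a vnet jail is refused when its rc scripts try to set them; the example therefore pins them to 0 on the host, where the setting takes effect for the jail's traffic as well.

```shell
#!/bin/sh
# Stage the configuration for a vnet jail that is the LAN's default gateway.
# Added example; jail name, path and addresses are assumptions, not from the mail.
set -eu

JAIL=fwjail            # hypothetical jail name
WAN_IF=hme0            # ISP side NIC (moved into the jail's vnet)
LAN_IF=em0             # LAN side NIC (moved into the jail's vnet)
WAN_ADDR=203.0.113.10  # placeholder public address (a.b.c.d in the post)
WAN_GW=203.0.113.1     # placeholder ISP gateway (a.b.c.e in the post)
LAN_ADDR=192.168.1.1   # placeholder LAN address (192.168.x.y in the post)

stage_configs() {
    dir=$1
    mkdir -p "$dir/host/etc" "$dir/jail/etc"

    # Host: jail.conf. vnet.interface moves both NICs into the jail's own
    # network stack, so the host keeps no address on either of them.
    cat > "$dir/host/etc/jail.conf" <<EOF
$JAIL {
    host.hostname = "$JAIL.example.net";
    path = "/jails/$JAIL";
    vnet;
    vnet.interface = "$WAN_IF", "$LAN_IF";
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    mount.devfs;
    persist;
}
EOF

    # Host: sysctl.conf. These OIDs are global, not per-vnet, so the jail
    # cannot set them ("not permitted"); keep them off on the host instead.
    cat > "$dir/host/etc/sysctl.conf" <<EOF
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
EOF

    # Host: rc.conf. The host forwards nothing and configures neither NIC;
    # only the jail is reachable from the ISP side.
    cat > "$dir/host/etc/rc.conf" <<EOF
jail_enable="YES"
gateway_enable="NO"
EOF

    # Jail: rc.conf. Addresses, default route, forwarding and the packet
    # filter all live inside the jail's vnet.
    cat > "$dir/jail/etc/rc.conf" <<EOF
ifconfig_${WAN_IF}="inet $WAN_ADDR netmask 255.255.255.0"
ifconfig_${LAN_IF}="inet $LAN_ADDR netmask 255.255.255.0"
defaultrouter="$WAN_GW"
gateway_enable="YES"
pf_enable="YES"
sendmail_enable="NONE"
EOF
}

# Sanity check on a staged tree: forwarding is enabled only in the jail, the
# default route is the jail's, and source routing is pinned off on the host.
# Returns 0 when every expectation holds.
check_staged() {
    dir=$1
    grep -q '^    vnet;' "$dir/host/etc/jail.conf" &&
    grep -q "vnet.interface = \"$WAN_IF\", \"$LAN_IF\";" "$dir/host/etc/jail.conf" &&
    grep -q '^gateway_enable="NO"' "$dir/host/etc/rc.conf" &&
    grep -q '^gateway_enable="YES"' "$dir/jail/etc/rc.conf" &&
    grep -q "^defaultrouter=\"$WAN_GW\"" "$dir/jail/etc/rc.conf" &&
    grep -q '^net.inet.ip.sourceroute=0' "$dir/host/etc/sysctl.conf" &&
    grep -q '^net.inet.ip.accept_sourceroute=0' "$dir/host/etc/sysctl.conf"
}

# Usage: sh stage-fwjail.sh /tmp/staging
if [ "${1:-}" ]; then
    stage_configs "$1" && check_staged "$1" && echo "staged under $1"
fi
```

Once the staged files are in place and the jail is started, `jexec fwjail netstat -rn` should show the default route via the placeholder upstream address and `ifconfig` on the host should no longer list hme0 or em0 at all, which is the check that the host itself has no foot on the ISP segment. The dmesg and security logs still come from the host because there is a single kernel; only the network stack is virtualized, not the kernel's own logging.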