Date: Sun, 21 Dec 2003 21:05:19 +0100
From: zk
To: freebsd-security@freebsd.org
Subject: Re: Configuring JAIL to bind on lo0 interface
Message-ID: <20031221200519.GD465@hhos.serious.ld>
In-Reply-To: <20031220014231.GA23229@blurp.one.pl>

On Sat, Dec 20, 2003 at 02:42:31AM +0100, GiZmen wrote:
> > As I understood your problem you need an additional alias on the lo0
> > interface for gateway IP purposes. So you have the lo0 interface and
> > lo0_alias0 192.168.1.1 as default gateway for jails. And now you create
> > new jails' IPs as aliases on the lo0 iface.
> >
> > For example:
> >
> > no jail, only gateway - lo0_alias0 192.168.1.1/24
> >
> > jail1 - lo0_alias1 192.168.1.2/24 - hostname jail1.domain.com
> > in this jail set default gateway to 192.168.1.1
> >
> > jail2 - lo0_alias2 192.168.1.3/24 - hostname jail2.domain.com
> > in this jail set default gateway to 192.168.1.1 also
> >
> > Your host machine has to be gateway enabled.
> >
> > Now if you want to switch on internet access from jail1 you only need to
> > add a NAT rule to translate jail1's IP to the host's primary IP.
> >
> > Alesha.
>
> I don't know how it can work. AFAIK in a jail I can't change the default
> gateway.
>

Don't set default gateways in jails. You can use something like this:

    ipfw add divert natd all from any to any via (...)

-- rules to allow NATed packets to pass packets from jails.

To allow traffic from outside to your server on a private address you can try:

    ipfw add fwd from any to in recv

or ipfw divert with another natd process.

It's possible to configure lo1, lo2 ... interfaces with different addresses
(with pseudo-device loop in the kernel config file).

I've described FreeBSD 4.x.

zk
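
The following sketch is an added example and is not part of zk's message or of the thread. It prints, without running them, host-side commands for the outbound case described above: one lo0 alias per jail, a natd instance, and divert rules limited to the jail addresses. The interface name fxp0, the rule numbers, the /32 alias netmask, the `-unregistered_only` flag and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: prints (does not run) the host-side
# commands for jails on lo0 aliases behind natd, FreeBSD 4.x ipfw syntax.
# Constructed values: fxp0, the 192.168.1.x addresses, rule numbers from 500.

# Dotted-quad IPv4 check: four numeric octets, each 0-255.
valid_ip() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# RFC 1918 check, so the list matches what natd -unregistered_only rewrites.
is_private() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# usage: jail_nat_plan <external-if> <jail-ip>...
jail_nat_plan() {
    ext_if=$1
    case $ext_if in ''|*[!a-z0-9]*) echo "bad interface" >&2; return 2 ;; esac
    shift
    [ $# -ge 1 ] || { echo "no jail addresses" >&2; return 2; }
    for ip in "$@"; do
        valid_ip "$ip" && is_private "$ip" ||
            { echo "not a private IPv4 address: $ip" >&2; return 2; }
    done
    for ip in "$@"; do      # one /32 alias per jail, no gateway inside the jail
        echo "ifconfig lo0 inet $ip netmask 255.255.255.255 alias"
    done
    echo "natd -interface $ext_if -unregistered_only"
    n=500
    for ip in "$@"; do      # translate only traffic sourced from a jail address
        echo "ipfw add $n divert natd all from $ip to any out via $ext_if"
        n=$((n + 10))
    done
    echo "ipfw add $n divert natd all from any to any in via $ext_if"   # replies
}

jail_nat_plan fxp0 192.168.1.2 192.168.1.3
```

The inbound forwarding that the message mentions is outside what this sketch generates.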