From: Julian Elischer <julian@freebsd.org>
To: Jack Raats
Cc: freebsd-ipfw@freebsd.org, Mickey Harvey
Date: Sat, 07 May 2011 22:49:37 -0700
Message-ID: <4DC62EF1.6050800@freebsd.org>
In-Reply-To: <80DC3A23AD6C467E8523B68F1F47DC1D@jarasc430>
List-Id: IPFW Technical Discussions <freebsd-ipfw@freebsd.org>
Subject: Re: run pf or ipfw within a jail?

On 5/6/11 11:01 PM, Jack Raats wrote:
> Normally you run the firewall on the host machine, not in the jail.
>

Well, that's the whole point of the new virtual networking on jails.
Each jail has its own networking stack and can have interfaces directly
attached that don't come through the "host" machine.

For this reason (and many others) it is possible, and often the required
behaviour, to run a separate firewall for each jail. ipfw works well,
though dummynet doesn't yet, and you need a special version of pf to do
it which hasn't been committed yet.

So the answer is: "use ipfw within a 'vnet' jail".

>
> ----- Original Message -----
> From: "Mickey Harvey"
> To:
> Sent: Friday, May 06, 2011 10:29 PM
> Subject: run pf or ipfw within a jail?
>
>
>> Is it possible to run pf or ipfw within a jail? I am running 8.2 and have
>> vimage compiled in the kernel.
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
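A worked version of the answer above ("use ipfw within a 'vnet' jail"), added here as an illustration and not code from the thread or from the FreeBSD project. It creates one jail with its own network stack on an epair(4) link, loads an ipfw ruleset inside that stack, and, going one step past the thread, also loads a host-side ruleset on the host end of the epair. All names (fwjail, epair0, the 10.0.0.0/24 addresses, /usr/jails/fwjail) and the port choices are assumptions; it relies on jail(8)'s name=value parameter syntax and needs a VIMAGE kernel and root. With DRY_RUN=1 it only prints the commands it would run, so it can be read on any machine.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Brings up one vnet jail on
# its own epair(4) link, loads an ipfw ruleset inside the jail's network stack,
# and pins the jail from the host side as well. Every name here (fwjail,
# epair0, 10.0.0.0/24, /usr/jails/fwjail) is an assumption for illustration.
# Needs a FreeBSD kernel built with VIMAGE and must run as root; with
# DRY_RUN=1 it only prints the commands it would execute.

JAIL=${JAIL:-fwjail}
JAIL_ROOT=${JAIL_ROOT:-/usr/jails/fwjail}
EPAIR=${EPAIR:-epair0}      # epair0a stays in the host, epair0b moves into the jail
HOST_IP=${HOST_IP:-10.0.0.1}
JAIL_IP=${JAIL_IP:-10.0.0.2}
DRY_RUN=${DRY_RUN:-0}

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Ruleset loaded *inside* the jail. It lives in the jail's own stack, so it
# sees only the jail's interface ($1) and address ($2), nothing of the host.
# Stateful: whatever the jail initiates is allowed back in, only ssh is
# accepted unsolicited, everything else is dropped and logged.
jail_ipfw_rules() {
    ifc=$1; addr=$2
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from $addr to any out via $ifc setup keep-state
add 310 allow udp from $addr to any out via $ifc keep-state
add 320 allow icmp from $addr to any out via $ifc keep-state
add 400 allow tcp from any to $addr 22 in via $ifc setup keep-state
add 500 deny log ip from any to any
EOF
}

# Ruleset loaded on the host for the host end of the epair ($1). Root inside
# the jail can rewrite the jail-side ruleset at will, so the limits you rely
# on for containment belong here, outside the jail. Packets leaving the jail
# arrive on the host "in via epair0a"; packets towards the jail go "out".
host_ipfw_rules() {
    ifc=$1; addr=$2
    cat <<EOF
add 1000 check-state
add 1010 allow tcp from $addr to any 80,443 in via $ifc setup keep-state
add 1020 allow udp from $addr to any 53 in via $ifc keep-state
add 1030 allow tcp from any to $addr 22 out via $ifc setup keep-state
add 1040 deny log ip from any to any via $ifc
EOF
}

# Feed a ruleset (one rule per line on stdin) to an ipfw command prefix given
# as the arguments, e.g. "jexec fwjail ipfw" or just "ipfw".
load_rules() {
    while read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw token
        run "$@" -q $rule
    done
}

start_vnet_jail() {
    run ifconfig "$EPAIR" create
    run ifconfig "${EPAIR}a" inet "$HOST_IP/24" up
    # vnet: give the jail its own network stack; persist: keep the jail alive
    # although no process is running inside it yet.
    run jail -c name="$JAIL" path="$JAIL_ROOT" host.hostname="$JAIL" vnet persist
    # Move the "b" end into the jail's stack; the host no longer sees it.
    run ifconfig "${EPAIR}b" vnet "$JAIL"
    run jexec "$JAIL" ifconfig lo0 inet 127.0.0.1/8 up
    run jexec "$JAIL" ifconfig "${EPAIR}b" inet "$JAIL_IP/24" up
    # Two independent firewalls: one in the jail's stack, one in the host's.
    run jexec "$JAIL" ipfw -q flush
    jail_ipfw_rules "${EPAIR}b" "$JAIL_IP" | load_rules jexec "$JAIL" ipfw
    host_ipfw_rules "${EPAIR}a" "$JAIL_IP" | load_rules ipfw
}

# Check: the two listings differ, which shows the jail's stack is its own.
show_rules() {
    run ipfw list
    run jexec "$JAIL" ipfw list
}

case "${1:-}" in
    start) start_vnet_jail ;;
    show)  show_rules ;;
esac
```

Run it as `sh vnet-fw.sh start` (or with `DRY_RUN=1` first to review the commands), then `sh vnet-fw.sh show` to compare the host's and the jail's rule lists. The host-side ruleset is the part worth keeping even if the jail manages its own firewall: the jail's ipfw only governs the jail's stack, and anyone with root in the jail can flush it, while rules on epair0a are enforced by the host and stay out of the jail's reach.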