From: Joe
Date: Sun, 28 Apr 2013 11:54:50 -0400
To: zulu
Cc: Laurent Alebarde, freebsd-jail@freebsd.org
Subject: Re: state of the art ?
Message-ID: <517D464A.7050101@a1poweruser.com>
In-Reply-To: <1366868448.5178c1e04043f@gpo.cellcontainer.com>
References: <5177B1A4.6060502@free.fr> <1366868448.5178c1e04043f@gpo.cellcontainer.com>
List-Id: "Discussion about FreeBSD jail\(8\)"

zulu wrote:
> Maybe this is what you need http://sourceforge.net/projects/zjails/ ,
> doesn't require any advanced ZFS or VNET knowledge (just a working ZFS
> pool and VIMAGE kernel).
>
> VNET is supported and there is a "soft" jail restart option which
> prevents the "kern/164763: Memory leak in VNET" issue from appearing.
>
> You can also run non-VNET ZFS jails - you can turn on or off VNET by
> simply executing "zjail set vnet=off/on myjailname" then restarting
> the jail with "zjail restart -c myjailname".
>
> On FreeBSD 9.1 amd64, pf inside a jail will cause an immediate kernel
> panic once you run pfctl in the jail - IPFW works as already stated by
> others.
>
> You can have pf enabled on the host however and have IPFW firewall in
> jails.
>
> Cheers,
>
> Peter

What exactly do you mean by ipfw will run in a vimage jail? Running an "open" ipfw rule set only proves that the ipfw program will run in a vimage jail. How about the "simple" or "client" types that need the outbound interface device name and use divert / nat?