Date:      Sun, 21 Dec 2003 21:05:19 +0100
From:      zk <zk@wspim.edu.pl>
To:        freebsd-security@freebsd.org
Subject:   Re: Configuring JAIL to bind on lo0 interface
Message-ID:  <20031221200519.GD465@hhos.serious.ld>
In-Reply-To: <20031220014231.GA23229@blurp.one.pl>
References:  <20031219162648.GA76539@blurp.one.pl> <20031219170339.48E40D2@ken.ccs.sut.ru> <20031220014231.GA23229@blurp.one.pl>

On Sat, Dec 20, 2003 at 02:42:31AM +0100, GiZmen wrote:
> > As I understood your problem, you need an additional alias on the lo0 interface
> > for gateway IP purposes. So you have the lo0 interface and lo0_alias0
> > 192.168.1.1 as default gateway for jails. And now you create new jails'
> > IPs as aliases on the lo0 iface.
> > 
> > For example:
> > 
> > no jail, only gateway - lo0_alias0 192.168.1.1/24
> > 
> > jail1 - lo0_alias1 192.168.1.2/24 - hostname jail1.domain.com
> > in this jail set default gateway to 192.168.1.1
> > 
> > jail2 - lo0_alias2 192.168.1.3/24 - hostname jail2.domain.com
> > in this jail set default gateway to 192.168.1.1 also
> > 
> > Your host machine has to be gateway enabled.
> > 
> > Now if you want to switch on internet access from jail1 you only need to
> > add nat rule to translate jail1's ip to the host primary ip.
> > 
> > Alesha.
> 
> I don't know how it can work? AFAIK in a jail I can't change the default
> gateway.
> 

Don't set default gateways in jails.
You can use something like this

ipfw add <no> divert natd all from any to any via <external_iface>
(...) -- rules to allow nated packets

to pass packets from jails.
To allow traffic from outside to your server on private address you can try:

ipfw add <no> fwd <server_addr> <protocol> from any to
		<external_iface_addr> <port_no> in recv <external_iface>

or ipfw divert with another natd process.

It's possible to configure lo1, lo2 ... interfaces with different addresses
(with pseudo-device loop <no> in the kernel config file).
I've described FreeBSD 4.x.

zk
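The rule set zk sketches above (lo0 aliases for the jails, natd divert on the external interface, an ipfw fwd rule for one inbound service), assembled into a reviewable script. This is an added example, not code from the thread or from FreeBSD; the interface name fxp0, the public address 203.0.113.10, the rule numbers and the choice of jail1 as a web server are assumptions. It defaults to dry-run mode and only prints the commands, so it can be inspected before anything is loaded into the kernel.

```shell
#!/bin/sh
# Constructed example (not from the mailing-list post): ipfw/natd rules for
# jails that live on lo0 aliases, FreeBSD 4.x style, as described by zk.
# All addresses, interface names and rule numbers are assumptions.

EXT_IF="${EXT_IF:-fxp0}"              # assumed external interface
EXT_ADDR="${EXT_ADDR:-203.0.113.10}"  # assumed public address of the host
JAIL_NET="192.168.1.0/24"             # jail aliases on lo0, as in the thread
JAIL_WWW="192.168.1.2"                # jail1 from the thread, assumed to run httpd

# run: print the command in dry-run mode (the default), execute it otherwise
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# jail_nat_rules: emit (or apply) the whole configuration, in order
jail_nat_rules() {
    # the host must forward packets between the lo0 aliases and the outside
    run sysctl net.inet.ip.forwarding=1
    # gateway alias first, then one alias per jail (/32 so they share lo0)
    run ifconfig lo0 alias 192.168.1.1 netmask 255.255.255.0
    run ifconfig lo0 alias "$JAIL_WWW" netmask 255.255.255.255
    # natd rewrites jail source addresses to the external interface's address
    run natd -interface "$EXT_IF"
    run ipfw -f flush
    # 1) divert everything crossing the external interface through natd, in
    #    both directions, so replies are translated back to the jail address
    run ipfw add 100 divert natd ip from any to any via "$EXT_IF"
    # 2) inbound port 80 on the public address is forwarded to jail1;
    #    'in recv' restricts this to packets arriving on the external interface
    run ipfw add 200 fwd "$JAIL_WWW" tcp from any to "$EXT_ADDR" 80 in recv "$EXT_IF"
    # 3) drop packets claiming a jail source address that arrive from outside
    run ipfw add 300 deny ip from "$JAIL_NET" to any in recv "$EXT_IF"
    # 4) let the jails out and established replies back in
    run ipfw add 400 allow ip from "$JAIL_NET" to any
    run ipfw add 410 allow tcp from any to any established
    # 5) the jail network is not reachable from outside except via rule 200
    run ipfw add 500 deny ip from any to "$JAIL_NET" in recv "$EXT_IF"
    run ipfw add 65000 allow ip from any to any
}

jail_nat_rules
```

Run it as shown to review the rules, then `DRY_RUN=0 sh thisfile.sh` to apply them. Rule 100 must precede rule 200 so that an inbound packet is handed to natd before ipfw forwards it; on 4.x the fwd action also needs `options IPFIREWALL_FORWARD` in the kernel, and rule 65000 is the usual open default only while testing.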



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031221200519.GD465>