From: wishmaster (artemrts@ukr.net)
Date: Tue, 01 Dec 2015 10:21:13 +0200
Subject: Re[2]: vimage and jail networking
To: freebsd-net@freebsd.org
Message-Id: <1448957193.218781171.7af7wapw@frv34.fwdcdn.com>
In-Reply-To: <5101F264-B28E-42D0-8C21-623D6C01DFB6@vuid.com>
References: <8538858C-BE02-489A-BC1B-2315AC18AD3F@vuid.com> <565D17D2.1090007@freebsd.org> <5101F264-B28E-42D0-8C21-623D6C01DFB6@vuid.com>
Hi, Nathan.

> Thank you for helping me to understand vimage better Julian! I have read all three links you posted a number of times.
>
> I use iocage for jail management and it uses epair. From your comments it seems you recommend netgraph?

I think epair is easier than netgraph for you. So, read the manual page for epair and the small example below.

/etc/rc.conf

cloned_interfaces="epair999 epair1 epair2 epair3 epair4 epair5"   # one epair per jail; epair5 is used by the cctv jail below
ifconfig_epair999a="inet 192.168.254.253 netmask 255.255.255.252" # this is for "base" jail
ifconfig_epair1a="inet 192.168.254.1 netmask 255.255.255.252"
ifconfig_epair2a="inet 192.168.254.5 netmask 255.255.255.252"
ifconfig_epair3a="inet 192.168.254.9 netmask 255.255.255.252"
ifconfig_epair4a="inet 192.168.254.13 netmask 255.255.255.252"
ifconfig_epair5a="inet 192.168.254.17 netmask 255.255.255.252"

/etc/jail.conf must have a configuration for each jail; below is one example.

cctv {
    host.hostname = cctv;
    jid = 5;
    name = cctv;
    path = "/home/jails/cctv";
    mount.fstab = "/etc/fstab.${name}";
    vnet;
    vnet.interface = "epair5b";   # the "b" end of the pair configured in rc.conf
    exec.start = "/bin/sh /etc/rc";
    exec.prestop = "";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    securelevel = 2;
    devfs_ruleset = 4;
    mount.devfs;
    persist;

    #allowed
    allow.set_hostname = "false";
    allow.sysvipc = "false";
    allow.raw_sockets = "false";
    allow.chflags = "false";
    allow.mount = "false";
    allow.mount.devfs = "false";
    allow.mount.nullfs = "false";
    allow.mount.procfs = "false";
    allow.mount.zfs = "false";
    allow.quotas = "false";
    allow.socket_af = "false";
}

IPFW is disabled in jails. All filtering, port forwarding and NAT is performed in the base system, as with a normal computer in your LAN.
A very interesting concept: one base jail (base system and software) and a number of "light" jails (running services and configurations). This is very convenient, but complex enough. You may try, at first, with the standard jail described in the handbook.

-- 
Cheers,
Vitaliy
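A consistency check for the kind of setup described in this mail, added here as an example and not part of Vitaliy's message or of FreeBSD: every vnet.interface in jail.conf names an epairNb whose base epairN must appear in cloned_interfaces in rc.conf, otherwise the "b" end is never created and the jail starts without its network. The rc.conf and jail.conf texts inside the script are constructed, shortened samples (the first one deliberately leaves epair5 out of cloned_interfaces, the mistake this check catches); the function names are mine.

```sh
#!/bin/sh
# Added example, not part of the original mail: check that every epair a vnet
# jail expects (vnet.interface in /etc/jail.conf) has its base name listed in
# cloned_interfaces in /etc/rc.conf. If it is missing, the "b" end is never
# created and the jail comes up without its interface.
# The configs below are constructed, shortened samples for the demo; on a real
# host feed the functions "$(cat /etc/rc.conf)" and "$(cat /etc/jail.conf)".

RC_CONF='cloned_interfaces="epair999 epair1 epair2 epair3 epair4"
ifconfig_epair999a="inet 192.168.254.253 netmask 255.255.255.252"
ifconfig_epair1a="inet 192.168.254.1 netmask 255.255.255.252"
ifconfig_epair5a="inet 192.168.254.17 netmask 255.255.255.252"'

# Same rc.conf with epair5 added to cloned_interfaces (the corrected form).
RC_CONF_FIXED='cloned_interfaces="epair999 epair1 epair2 epair3 epair4 epair5"
ifconfig_epair5a="inet 192.168.254.17 netmask 255.255.255.252"'

JAIL_CONF='base {
    vnet;
    vnet.interface = "epair999b";
}
www {
    vnet;
    vnet.interface = "epair1b";
}
cctv {
    vnet;
    vnet.interface = "epair5b";
}'

# cloned_epairs: read rc.conf text on stdin, print each cloned epair name.
cloned_epairs() {
    sed -n 's/^cloned_interfaces="\(.*\)"$/\1/p' | tr ' ' '\n' | grep '^epair' || true
}

# jail_epairs: read jail.conf text on stdin, print "jailname:epairN" for every
# vnet.interface line; the jail name comes from the preceding "name {" line.
jail_epairs() {
    awk '
        /^[A-Za-z0-9_]+[ \t]*[{]/ { name = $0; sub(/[ \t]*[{].*$/, "", name) }
        /vnet\.interface/ && match($0, /epair[0-9]+/) {
            print name ":" substr($0, RSTART, RLENGTH)
        }
    '
}

# missing_epairs RC JAIL: print "jail:epairN" for each jail whose epair is not
# in cloned_interfaces; prints nothing when the two files agree.
missing_epairs() {
    cloned=$(printf '%s\n' "$1" | cloned_epairs)
    for tok in $(printf '%s\n' "$2" | jail_epairs); do
        printf '%s\n' "$cloned" | grep -qx "${tok#*:}" || echo "$tok"
    done
}

# check_jail_epairs RC JAIL: exit status 0 when consistent, 1 otherwise.
check_jail_epairs() {
    missing=$(missing_epairs "$1" "$2")
    if [ -n "$missing" ]; then
        echo "not in cloned_interfaces: $(echo $missing)" >&2
        return 1
    fi
    echo "every jail epair is listed in cloned_interfaces"
}

# Stand-alone run: the sample as posted fails on cctv:epair5, the fixed one passes.
check_jail_epairs "$RC_CONF" "$JAIL_CONF" || true
check_jail_epairs "$RC_CONF_FIXED" "$JAIL_CONF"
```

Run it before "service jail start" or from a deploy script; it only reads the two files and touches no interface, so it is safe to wire into a pre-start hook.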