Date: Mon, 14 Dec 2009 02:20:27 -0600
From: Paul Procacci <pprocacci@datapipe.com>
To: Jack Raats <jack@jarasoft.net>
Cc: "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>
Subject: Re: Jails and IPFW
Message-ID: <4B25F54B.3000601@datapipe.com>
In-Reply-To: <2E2F1B2A67C84F5AAD96D20E72897EF6@jarasc430>
References: <07A054B7DD6A4672AC48684DEAB31697@jarasc430> <4B25CE1C.8030305@datapipe.com> <2E2F1B2A67C84F5AAD96D20E72897EF6@jarasc430>
I hope I'm not misinterpreting your response. Given what you stated, I perceive that what you stated is correct.

Just a thought, but it might make sense for you to specify -J <name> (man jail) via jail_<jname>_flags in rc.conf for each of your configured jails. Perhaps this would be easier on _you_ for future and current administration of your firewall. This would allow you to add a tad of logic to your firewall script that grabs a specific jail id and uses it instead. Also, this allows you to move IPs without much trouble if you ever plan on doing so.

Here is an example that I have for a jail that I've got trimmed to hopefully make it easy on the eyes:

###############################################
rc.conf
--------------------
jail_xxx_flags="-J /var/jail/xxx"

ipfw.conf
--------------------------
cmd="ipfw -q"
pif="bge0"
# first tab-separated field of the jidfile written by jail -J is the JID
xxx_id=`cut -f1 < /var/jail/xxx`
<snip>
$cmd 506 allow tcp from any to me 22,80,443 in via $pif setup jail $xxx_id limit src-addr 6
<snip>
###############################################

Hope this gives ya some insight and/or potentially will make things easier for ya.

~Paul

One suggestion however would be to use different rule numbers for these rules as it could be a slight pain to modify later.

Jack Raats wrote:
> Hi Paul,
>
> I understand, but I want to run apache and ssh on both jails using their
> standard configs.
> (So they listen to every ip address and interface).
>
> From your answer I learn that ipfw has to run on the host machine like:
> $IPF 6000 pass tcp from any to $jail1 22,80 in
> $IPF 6000 pass tcp from any to $jail2 22,80 in
>
> Jack
>
> ----- Original Message -----
> From: "Paul Procacci" <pprocacci@datapipe.com>
> To: "Jack Raats" <jack@jarasoft.net>
> Cc: <freebsd-stable@freebsd.org>
> Sent: Monday, December 14, 2009 6:33 AM
> Subject: Re: Jails and IPFW
>
>
> If you are asking whether the root user of the jail can implement their
> own firewall, then no that is not possible.
> If you are asking whether you can use ipfw along side jails, then yes
> you can. The administration of said firewall doesn't change one bit due
> to the introduction of a jail.
> So, if it's information pertaining to ipfw that you need then `man ipfw`
> is what you seek.
>
> ~Paul
>
>
> Jack Raats wrote:
>
>> Hi,
>>
>> I'm looking for a good manual how to implement ipfw in and with jails.
>> Google doesn't give anything useful
>>
>> Thanks for your time
>>
>> Jack
>> _______________________________________________
>> freebsd-stable@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>>
>>
>
>
> This message may contain confidential or privileged information. If you are
> not the intended recipient, please advise us immediately and delete this
> message. See http://www.datapipe.com/emaildisclaimer.aspx for further
> information on confidentiality and the risks of non-secure electronic
> communication. If you cannot access these links, please notify us by reply
> message and we will send the contents to you.
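One way to apply the jidfile approach from this thread across several jails, as an added example that is not code from Paul or from FreeBSD: it reads the JID from each jidfile the same way the `cut -f1` above does, and emits one rule per jail with its own rule number, which is the numbering point raised above. The tab-separated jidfile layout, the interface name and the jail paths are assumptions, and the sample jidfiles are constructed.

```shell
#!/bin/sh
# Added example: build per-jail ipfw rules from jail(8) -J jidfiles.
# Assumption: a jidfile is tab-separated with the JID in field 1
# (what the `cut -f1` in the thread relies on). Nothing here calls
# ipfw; the rules are only printed so they can be reviewed first.

pif="bge0"        # public interface, as in the thread
cmd="ipfw -q"

# jail_id_from_file FILE -> prints the JID (first tab-separated field)
jail_id_from_file() {
    cut -f1 < "$1"
}

# inbound_rule NUM JID -> the thread's rule 506, parameterised by
# rule number and jail id (22,80,443 inbound, per-source limit of 6)
inbound_rule() {
    printf '%s %s allow tcp from any to me 22,80,443 in via %s setup jail %s limit src-addr 6\n' \
        "$cmd" "$1" "$pif" "$2"
}

# rules_for_jails BASE FILE... -> one rule per jidfile, numbered
# BASE, BASE+1, ... so each jail's rule can be changed on its own
rules_for_jails() {
    base=$1; shift
    n=$base
    for f in "$@"; do
        jid=$(jail_id_from_file "$f")
        inbound_rule "$n" "$jid"
        n=$((n + 1))
    done
}

# Constructed sample jidfiles (hypothetical jails, not real ones)
tmp=$(mktemp -d)
printf '7\t/usr/jails/www\twww.example.test\t192.0.2.10\n' > "$tmp/www"
printf '9\t/usr/jails/mail\tmail.example.test\t192.0.2.11\n' > "$tmp/mail"

rules_for_jails 506 "$tmp/www" "$tmp/mail"
rm -rf "$tmp"
```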