Date:      Mon, 14 Dec 2009 02:20:27 -0600
From:      Paul Procacci <pprocacci@datapipe.com>
To:        Jack Raats <jack@jarasoft.net>
Cc:        "freebsd-stable@freebsd.org" <freebsd-stable@freebsd.org>
Subject:   Re: Jails and IPFW
Message-ID:  <4B25F54B.3000601@datapipe.com>
In-Reply-To: <2E2F1B2A67C84F5AAD96D20E72897EF6@jarasc430>
References:  <07A054B7DD6A4672AC48684DEAB31697@jarasc430> <4B25CE1C.8030305@datapipe.com> <2E2F1B2A67C84F5AAD96D20E72897EF6@jarasc430>


I hope I'm not misinterpreting your response.  Given what you stated,
then I perceive what you stated is correct.
Just a thought, but it might make sense for you to specify -J <name>
(man jail) via jail_<jname>_flags via rc.conf for each of your
configured jails.  Perhaps this would be easier on _you_ for future and
current administration of your firewall.

This would allow you to add a tad of logic to your firewall script that
grabs a specific jail id and uses it instead.  Also, this allows you to
move IPs without much trouble if you ever plan on doing so.  Here is an
example that I have for a jail that I've got trimmed to hopefully make
it easy on the eyes:

###############################################
rc.conf
--------------------
# -J makes jail(8) write the jail's id (and other details) to this file at start
jail_xxx_flags="-J /var/jail/xxx"

ipfw.conf
--------------------------
cmd="ipfw -q"
pif="bge0"
# the first tab-separated field of the -J file is the jail id
xxx_id=`cut -f1 < /var/jail/xxx`

<snip>
$cmd 506 allow tcp from any to me 22,80,443 in via $pif setup jail $xxx_id limit src-addr 6
<snip>
###############################################

Hope this gives ya some insight and/or potentially will make things
easier for ya.

~Paul

One suggestion however would be to use different rule numbers for these
rules as it could be a slight pain to modify later.
Jack Raats wrote:
> Hi Paul,
>
> I'll understand, but I want to run apache and ssh on both jails using their
> standard configs.
> (So they listen to every ip address and interface).
>
> From your answer I learn that ipfw has to run on the host machine like:
> $IPF 6000 pass tcp from any to $jail1 22,80 in
> $IPF 6000 pass tcp from any to $jail2 22,80 in
>
> Jack
>
> ----- Original Message -----
> From: "Paul Procacci" <pprocacci@datapipe.com>
> To: "Jack Raats" <jack@jarasoft.net>
> Cc: <freebsd-stable@freebsd.org>
> Sent: Monday, December 14, 2009 6:33 AM
> Subject: Re: Jails and IPFW
>
>
> If you are asking whether the root user of the jail can implement their
> own firewall, then no that is not possible.
> If you are asking whether you can use ipfw along side jails, then yes
> you can.  The administration of said firewall doesn't change one bit due
> to the introduction of a jail.
> So, if it's information pertaining to ipfw that you need then `man ipfw`
> is what you seek.
>
> ~Paul
>
>
> Jack Raats wrote:
>
>> Hi,
>>
>> I'm looking for a good manual how to implement ipfw in and with jails.
>> Google doesn't give anything useful
>>
>> Thanks for your time
>>
>> Jack
>
>


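As an added example (not code from the thread above), here is the approach Paul describes carried a step further: a POSIX sh script that reads the jid written by `jail -J`, refuses to build a rule when the jid file is missing or not numeric, and gives every jail its own rule number as his follow-up suggests. The jail names, paths, ports and rule numbers are invented, and the jid file is assumed to be tab-separated with the jid in the first column, which is what the post's `cut -f1` relies on.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds one ipfw rule per jail
# from the jid files that `jail -J <file>` writes. Assumption: the jid file is
# tab-separated with the jid in column 1; the other columns below are made up.

JIDDIR="${JIDDIR:-$(mktemp -d)}"   # where rc.conf's -J files live (assumed)
PIF="bge0"                         # public interface, as in the post

# Constructed sample jid files standing in for what jail -J would write.
printf '7\t/usr/jail/www\twww.example.org\t192.0.2.10\n'   > "$JIDDIR/www"
printf '9\t/usr/jail/mail\tmail.example.org\t192.0.2.11\n' > "$JIDDIR/mail"
: > "$JIDDIR/broken"               # empty file: the jail never came up

# jail_id NAME -> prints the numeric jid from NAME's -J file, or fails.
# An empty or garbage jid would yield a rule that matches nothing or the
# wrong thing, so the script refuses to build one instead of guessing.
jail_id() {
    f="$JIDDIR/$1"
    [ -r "$f" ] || { echo "jail_id: no jid file for $1" >&2; return 1; }
    id=$(cut -f1 < "$f")
    case "$id" in
        ''|*[!0-9]*) echo "jail_id: bad jid '$id' in $f" >&2; return 1 ;;
    esac
    printf '%s\n' "$id"
}

# jail_rule NAME RULENUM PORTS -> prints the ipfw rule for one jail:
# inbound TCP setup to the host's addresses, restricted to that jail's jid,
# with a per-source connection cap (same shape as the rule in the post).
jail_rule() {
    id=$(jail_id "$1") || return 1
    printf 'ipfw -q add %s allow tcp from any to me %s in via %s setup jail %s limit src-addr 6\n' \
        "$2" "$3" "$PIF" "$id"
}

# build_rules -> prints the whole rule set, one rule number per jail, so a
# single jail's rule can be replaced later without touching the others.
build_rules() {
    jail_rule www  506 22,80,443 || return 1
    jail_rule mail 507 22,25,993 || return 1
}
```

Review the output of `build_rules` first and pipe it into `sh` only once it looks right; a failing `jail_id` makes it stop before any rule is emitted.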